Laravel Passport:应用程序中的CreateFreshApitonk:授权失败
我正在尝试使用PHP7.2.13在Laravel5.7.18上安装 我的应用程序使用JavaScript(Axios with Vue)在自身内部使用API 我在JavaScript web应用程序中遇到了一个未经授权的错误。我已经在web内核中添加了Laravel Passport:应用程序中的CreateFreshApitonk:授权失败,laravel,laravel-5,oauth-2.0,axios,laravel-passport,Laravel,Laravel 5,Oauth 2.0,Axios,Laravel Passport,我正在尝试使用PHP7.2.13在Laravel5.7.18上安装 我的应用程序使用JavaScript(Axios with Vue)在自身内部使用API 我在JavaScript web应用程序中遇到了一个未经授权的错误。我已经在web内核中添加了CreateFreshApiToken。laravel\u令牌cookie实际上正在设置自身。但是,oauth表在数据库中是干净的 Http/Kernel: protected $middlewareGroups = [ 'web'
CreateFreshApiToken
。laravel\u令牌
cookie实际上正在设置自身。但是,oauth表在数据库中是干净的
Http/Kernel:
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
// \Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
\Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
],
'api' => [
'throttle:60,1',
'bindings',
],
];
axios.get("api/users/" + id).then(({ data }) => {
this.user = data;
});
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'api' => [
'driver' => 'passport',
'provider' => 'users',
],
],
Route::middleware('auth:api')->group(function () {
Route::resource('users', 'UserController');
Route::resource('groups', 'GroupController');
// .. plus more resources
});
JavaScript:
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
// \Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
\Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
],
'api' => [
'throttle:60,1',
'bindings',
],
];
axios.get("api/users/" + id).then(({ data }) => {
this.user = data;
});
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'api' => [
'driver' => 'passport',
'provider' => 'users',
],
],
Route::middleware('auth:api')->group(function () {
Route::resource('users', 'UserController');
Route::resource('groups', 'GroupController');
// .. plus more resources
});
Auth.php:
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
// \Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
\Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
],
'api' => [
'throttle:60,1',
'bindings',
],
];
axios.get("api/users/" + id).then(({ data }) => {
this.user = data;
});
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'api' => [
'driver' => 'passport',
'provider' => 'users',
],
],
Route::middleware('auth:api')->group(function () {
Route::resource('users', 'UserController');
Route::resource('groups', 'GroupController');
// .. plus more resources
});
路由(Api.php):
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
// \Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
\Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
],
'api' => [
'throttle:60,1',
'bindings',
],
];
axios.get("api/users/" + id).then(({ data }) => {
this.user = data;
});
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'api' => [
'driver' => 'passport',
'provider' => 'users',
],
],
Route::middleware('auth:api')->group(function () {
Route::resource('users', 'UserController');
Route::resource('groups', 'GroupController');
// .. plus more resources
});
Axios配置:
window.axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
var token = document.head.querySelector('meta[name="csrf-token"]');
if (token) {
window.axios.defaults.headers.common['X-CSRF-TOKEN'] = token.content;
} else {
console.error('CSRF token not found: https://laravel.com/docs/csrf#csrf-x-csrf-token');
}
浏览器中返回401的标题:
邮递员的工作要求:
如果您在初次登录时使用用户名和密码,那么假设您正在构建一个有权进行用户/密码登录尝试的第一方应用程序 强烈建议,如果您正在使用 Angular、React.js或Vue.js,然后是SPA(单页应用程序) 这种方法将产生一种更加健壮的产品
您应该注意,使用此特定方法,如果您的应用程序 发出一个静态(非ajax请求)并在浏览器中重新加载, 您将失去身份验证令牌。在这种情况下,您不是在扮演主持人 对于一个应用程序来说,这是一个SPA,所以如果你需要在 静态请求重新加载然后您需要将令牌存储在cookie中,I 建议使用cookie而不是localStorage,因为 localStorage并不能100%保证在所有web浏览器中都可以使用 如果应用程序位于同一域上,则不需要使用 护照。相反,本机会话cookie身份验证非常好,好吗 你要做的是确保你正在传递CSRF令牌进行post 请求
对于用户/通行令牌授予,您应遵循以下准则: 根据该指南,当您向
/oauth/token
发出成功请求时,返回的令牌应在应用程序中设置为带有承载令牌的授权
头
令牌请求响应如下所示:
{
"token_type": "Bearer",
"expires_in": 31536000,
"access_token": "eyJ0eXAiOiJKVJhb...nheKL-fuTlM",
"refresh_token": "def502008d6313e...94508f1cb"
}
您应该按如下方式请求和处理该JSON对象:
axios.post('/oauth/token', {
grant_type: "password",
client_id: "1",
client_secret: "zkI40Y.......KvPNH8",
username:"email@address.com",
password:"my-password"
}).then( response => {
axios.defaults.headers.common['Authorization'] = `Bearer ${response.data.access_token}`
} );
client\u id(id)和client\u secret的值来自oauth\u clients表,其中应该已经有一个条目
如果没有,则运行php artisan passport:client--password
别忘了,您必须配置一些标题,看看这篇文章中有一些关于Oauth授权的相关信息:
如果您说数据库中的表是干净的,请尝试再次运行此命令:
php artisan passport:install
此命令将创建生成安全访问令牌所需的加密密钥。此外,该命令将创建“个人访问”和“密码授予”客户端,用于生成访问令牌:
不,只需添加更多访问令牌即可<代码>php artisan passport:安装加密密钥已存在。使用--force选项覆盖它们。已成功创建个人访问客户端。客户端ID:2客户端密码:MUiAhE**********************已成功创建密码授予客户端。客户ID:3客户机密:ZGSEU*********************************您好,谢谢您的建议,但我已经仔细检查了授权标题,所有内容都与文档相匹配。您能粘贴一份登录时的响应标题和登录后请求的请求标题副本吗?是的,我用两张截图更新了我的问题。一个来自浏览器(返回401)和一个来自邮递员(工作)您是否遵循第一方应用程序的教程?我用一个处理oauth令牌请求的小示例更新了我的答案。