Building a Full OAuth2 Server with Laravel Passport

Overview of OAuth2 Implementation

External applications often need secure access to your user data without handling raw credentials.

Laravel Passport provides a complete, industry-standard OAuth2 server implementation that mirrors the functionality of giants like GitHub or Google. By issuing access tokens through a series of authorized handshakes, you allow third-party developers to build on top of your platform safely. This architectural choice shifts the burden of security from custom scripts to a battle-tested framework.

Prerequisites and Toolkit

Before integrating Passport, ensure you have a solid grasp of Laravel and the PHP environment. You should understand API authentication flows and database migrations.

Key Libraries & Tools:

  • Laravel Passport: The core package for issuing and managing OAuth2 tokens.
  • Laravel Sanctum: A lighter alternative for first-party SPA or mobile authentication.
  • Artisan CLI: Used for generating keys and running migrations.

Code Walkthrough: The Server Setup

To transform your user model into an OAuth2 provider, use the HasApiTokens trait. This adds the necessary methods to manage tokens and scopes directly on the user object.

```php
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Passport\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable; // adds token(), tokenCan() and createToken() to the model
}
```


Passport manages state through several dedicated database tables created via migrations. These track `oauth_access_tokens` and `oauth_clients`. You must register a client—representing the third-party app—which generates a **Client ID** and **Client Secret**. 
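The server-side wiring that goes with the trait, as an added example (not code from the original post): scope definitions and token lifetimes in the service provider, the `passport` guard, and an API route that refuses tokens lacking the required scope. The `read-watchlist`/`write-watchlist` scope names, the `/watchlist` route and the `movies()` relation are assumptions chosen to match the watchlist service described later in the post; the Artisan commands in the comments are Passport's own.

```php
<?php
// Added example: server-side Passport setup for a watchlist service.
// One-time setup (real Artisan commands):
//   php artisan migrate            # creates oauth_clients, oauth_access_tokens, ...
//   php artisan passport:install   # generates the signing keys
//   php artisan passport:client    # registers a third-party client and prints its ID and Secret

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Laravel\Passport\Passport;

// --- app/Providers/AuthServiceProvider.php ---------------------------------
class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Scopes a client may request; the consent screen shows these descriptions
        // to the user (scope names are assumptions for this example).
        Passport::tokensCan([
            'read-watchlist'  => 'Read your movie watchlist',
            'write-watchlist' => 'Add or remove movies on your watchlist',
        ]);

        // Short-lived access tokens limit the damage of a leaked bearer token;
        // refresh tokens cover long-running integrations.
        Passport::tokensExpireIn(now()->addHours(1));
        Passport::refreshTokensExpireIn(now()->addDays(30));
    }
}

// --- config/auth.php (guards section) ----------------------------------------
//   'api' => ['driver' => 'passport', 'provider' => 'users'],
//
// --- app/Http/Kernel.php (middleware aliases, Laravel 10 and earlier) ---------
//   'scope' => \Laravel\Passport\Http\Middleware\CheckForAnyScope::class,

// --- routes/api.php -----------------------------------------------------------
// A valid Passport bearer token is required AND it must carry the read-watchlist
// scope; a token issued for another scope is rejected before the closure runs.
Route::middleware(['auth:api', 'scope:read-watchlist'])
    ->get('/watchlist', function (Request $request) {
        return $request->user()->movies()->get(); // 'movies' relation is assumed
    });
```

The scope check is what keeps a third-party token from reaching endpoints the user never consented to; `auth:api` alone only proves the token is valid.
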

## The Client-Side Handshake
The consumer application, like a movie-tracking tool, must store these credentials in its `.env` file. During the flow, the client redirects the user to the main server's login page. Once authenticated, the server asks the user to grant specific permissions (scopes).

```ini
# Typical environment configuration (.env of the consumer application)
OAUTH_CLIENT_ID=9
OAUTH_CLIENT_SECRET=your-secret-here
OAUTH_REDIRECT_URI=https://client-app.test/callback
```

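The consumer side of that handshake, as an added example written for a Laravel client application (not code from the original post): one route sends the user to the server's `/oauth/authorize` endpoint with a random `state`, and the callback route verifies that `state` before exchanging the authorization code at `/oauth/token`. It also goes beyond the post by adding a PKCE code challenge, which Passport supports. The server host `https://sintop.test`, the route paths, the `read-watchlist` scope and the `services.sintop.*` config keys (assumed to be mapped from the `OAUTH_*` variables in `config/services.php`) are assumptions.

```php
<?php
// Added example: authorization-code flow from the consumer application's point of view.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

$server = 'https://sintop.test'; // the Passport server (assumed host)

// Step 1: redirect the user to the server's consent screen.
Route::get('/auth/redirect', function (Request $request) use ($server) {
    // Random state binds the later callback to this browser session; it is the
    // CSRF check of the flow and must be compared on return.
    $state = Str::random(40);
    // PKCE: keep the verifier in the session, send only its SHA-256 challenge.
    $verifier  = Str::random(128);
    $challenge = strtr(rtrim(base64_encode(hash('sha256', $verifier, true)), '='), '+/', '-_');
    $request->session()->put(['oauth_state' => $state, 'oauth_verifier' => $verifier]);

    $query = http_build_query([
        'client_id'             => config('services.sintop.client_id'),     // OAUTH_CLIENT_ID
        'redirect_uri'          => config('services.sintop.redirect_uri'),  // OAUTH_REDIRECT_URI, must match the registered URI exactly
        'response_type'         => 'code',
        'scope'                 => 'read-watchlist',
        'state'                 => $state,
        'code_challenge'        => $challenge,
        'code_challenge_method' => 'S256',
    ]);

    return redirect($server . '/oauth/authorize?' . $query);
});

// Step 2: the server redirects back with ?code=...&state=...; swap the code for tokens.
Route::get('/callback', function (Request $request) use ($server) {
    $expected = $request->session()->pull('oauth_state');
    $verifier = $request->session()->pull('oauth_verifier');

    // A missing or mismatched state means this callback was not started by us.
    if (! is_string($expected) || ! hash_equals($expected, (string) $request->input('state'))) {
        abort(403, 'Invalid OAuth state');
    }

    $response = Http::asForm()->post($server . '/oauth/token', [
        'grant_type'    => 'authorization_code',
        'client_id'     => config('services.sintop.client_id'),
        'client_secret' => config('services.sintop.client_secret'), // OAUTH_CLIENT_SECRET; omit for a public client
        'redirect_uri'  => config('services.sintop.redirect_uri'),
        'code_verifier' => $verifier,
        'code'          => $request->input('code'),
    ]);

    if ($response->failed()) {
        abort(502, 'Token exchange failed');
    }

    // Tokens stay server-side in the session; the browser never sees them.
    $request->session()->put('oauth_tokens', $response->json());

    // The access token is now a bearer credential for the server's API.
    $watchlist = Http::withToken($response->json('access_token'))
        ->get($server . '/api/watchlist')
        ->json();

    return response()->json($watchlist);
});
```

Note that `redirect_uri` is sent in both requests and compared by the server against the value stored for the client, which is why the exact string, trailing slash included, has to match the registration.
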
Practical Use Cases

Consider an application named Sintop that stores movie watchlists. A third-party developer creates Cinema Wrapped to generate year-end statistics. By using Passport, the developer can request access to the user's movie list without ever seeing the user's password. This ecosystem encourages innovation while maintaining strict user privacy.

Tips and Syntax Notes

Always use Sanctum if you control both the frontend and the backend. It's lighter and simpler. Reserve Passport for true third-party access. Ensure you include the redirect URI precisely as it appears in the database; even a trailing slash mismatch will cause the OAuth2 handshake to fail.
