The Redirect Flow enables websites to authorize users using a server-side integration.
Each website must be defined in the MM Auth database as a unique client in the oauth_clients table.
The simplest way to create a client is with the passport:client Artisan command. When you run it, Laravel Passport prompts you for details about the client and then issues a Client ID and Client Secret. Store both values in the website's config.ini; they are needed for every MM Auth request (the secret must only ever be used server-side).
php artisan passport:client
You will be prompted to answer three questions:
Which user ID should the client be assigned to?:
>
What should we name the client?:
> Trace Website
Where should we redirect the request after authorization?:
> https://staging.traceplay.tv
NOTE: For the user ID, do not enter a value; just press enter.
You will be issued a Client ID and Client Secret:
New client created successfully.
Client ID: 10
Client secret: 52T096l5BW6dA3vxoKKxofAj8KWWiHdJpLfwUNrg
Once a client has been created, the website should make a redirect request to MM Auth's /oauth/authorize route like so:
// Store a random state in the session so the callback can be tied to this browser session.
$request->session()->put('state', $state = Str::random(40));
$query = http_build_query([
    'client_id' => 10,  // the Client ID issued by passport:client, never the Client Secret
    'redirect_uri' => 'https://staging.traceplay.tv/login',
    'response_type' => 'code',
    'scope' => '',
    'state' => $state,
]);
return redirect('https://auth.traceplay.tv/oauth/authorize?'.$query);
When it receives an authorization request, MM Auth displays a template asking the user to approve or deny it. If the user approves, they are redirected back to the redirect_uri specified by the consuming application. The redirect_uri must exactly match the redirect URL that was given when the client was created.
If the user approves the authorization request, they will be redirected back to the website. The website should first verify the state parameter against the value that was stored prior to the redirect. If the state parameter matches, the website should issue a POST request to MM Auth's /oauth/token route to request an access token. The request should include the authorization code that was issued by MM Auth when the user approved the authorization request.
// Pull the stored state (so it can only be used once) and verify it matches the one MM Auth sent back
// before the authorization code is exchanged.
$state = $request->session()->pull('state');
throw_unless(
    strlen($state) > 0 && $state === $request->state,
    InvalidArgumentException::class
);
$response = $http->post('https://auth.traceplay.tv/oauth/token', [
    'form_params' => [
        'grant_type' => 'authorization_code',
        'client_id' => 10,
        'client_secret' => '52T096l5BW6dA3vxoKKxofAj8KWWiHdJpLfwUNrg',
        'redirect_uri' => 'https://staging.traceplay.tv/login',
        'code' => $request->code,
    ],
]);
return json_decode((string) $response->getBody(), true);
The /oauth/token route will return a JSON response containing access_token, refresh_token and expires_in attributes. The expires_in attribute contains the number of seconds until the access token expires.
Once you have an access token, you can make a request to MM Auth's /api/user route:
// $accessToken is the access_token value returned by /oauth/token; $http is the same Guzzle client used above.
$response = $http->request('GET', 'https://auth.traceplay.tv/api/user', [
    'headers' => [
        'Accept' => 'application/json',
        'Authorization' => 'Bearer '.$accessToken,
    ],
]);
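The snippets above show each step in isolation. The following controller, added here as an example and not code from the MM Auth project, ties the whole Redirect Flow together: the authorize redirect, a callback that checks state in constant time and handles a denied request before touching the code, the token exchange with an absolute expiry derived from expires_in, and the /api/user call that refuses to send an expired token. The class name MmAuthController, the config keys mmauth.client_id and mmauth.client_secret, the route paths /account and /, and the Guzzle client injection are assumptions for this example; the MM Auth URLs and redirect URL are the ones the page uses.

```php
<?php
// Added example (not part of the MM Auth page): a Laravel controller walking the full Redirect Flow.
// Assumes the Guzzle client bundled with Laravel and config keys mmauth.client_id / mmauth.client_secret
// holding the values issued by passport:client.

namespace App\Http\Controllers;

use GuzzleHttp\Client as HttpClient;
use GuzzleHttp\Exception\ClientException;
use Illuminate\Http\Request;
use Illuminate\Support\Str;

class MmAuthController extends Controller
{
    private const AUTH_BASE = 'https://auth.traceplay.tv';
    // Must match the redirect URL registered with passport:client exactly.
    private const REDIRECT_URI = 'https://staging.traceplay.tv/login';

    // Step 1: send the browser to MM Auth's /oauth/authorize.
    public function redirect(Request $request)
    {
        // A random per-session state binds the later callback to this browser session.
        $request->session()->put('state', $state = Str::random(40));

        $query = http_build_query([
            'client_id'     => config('mmauth.client_id'),   // assumed config key; the Client ID only
            'redirect_uri'  => self::REDIRECT_URI,
            'response_type' => 'code',
            'scope'         => '',
            'state'         => $state,
        ]);

        return redirect(self::AUTH_BASE.'/oauth/authorize?'.$query);
    }

    // Step 2: MM Auth redirects back here with ?code=...&state=... (or ?error=... on denial).
    public function callback(Request $request, HttpClient $http)
    {
        // pull() rather than get() so a stored state value can only be consumed once.
        $state = (string) $request->session()->pull('state', '');

        // Reject empty or mismatched state (constant-time compare) before doing anything with the code.
        if ($state === '' || !hash_equals($state, (string) $request->query('state', ''))) {
            abort(403, 'Invalid OAuth state');
        }

        // The user denied the request, or MM Auth reported another error: there is no code to exchange.
        if ($request->has('error')) {
            return redirect('/')->with('status', 'Authorization was not granted.');
        }

        try {
            $response = $http->post(self::AUTH_BASE.'/oauth/token', [
                'form_params' => [
                    'grant_type'    => 'authorization_code',
                    'client_id'     => config('mmauth.client_id'),
                    'client_secret' => config('mmauth.client_secret'), // server-side only, never in a redirect
                    'redirect_uri'  => self::REDIRECT_URI,
                    'code'          => $request->query('code'),
                ],
            ]);
        } catch (ClientException $e) {
            // A 4xx from /oauth/token means an invalid or already-used code, or a client/redirect mismatch.
            abort(401, 'Token exchange failed');
        }

        $token = json_decode((string) $response->getBody(), true);

        // expires_in is a number of seconds; store an absolute timestamp so later checks are simple.
        $request->session()->put('mmauth', [
            'access_token'  => $token['access_token'],
            'refresh_token' => $token['refresh_token'],
            'expires_at'    => time() + (int) $token['expires_in'],
        ]);

        return redirect('/account');
    }

    // Step 3: call /api/user with the bearer token, starting the flow again if the token has expired.
    public function user(Request $request, HttpClient $http)
    {
        $token = $request->session()->get('mmauth');

        if (!$token || time() >= $token['expires_at']) {
            return redirect()->action([self::class, 'redirect']);
        }

        $response = $http->request('GET', self::AUTH_BASE.'/api/user', [
            'headers' => [
                'Accept'        => 'application/json',
                'Authorization' => 'Bearer '.$token['access_token'],
            ],
        ]);

        return json_decode((string) $response->getBody(), true);
    }
}
```

Wire the three methods to routes (for example GET /login/mmauth, GET /login and GET /account) and keep the redirect route and the callback route on the same session cookie, otherwise the state stored in redirect() is not visible in callback() and every login is rejected.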