One obvious big drawback is that with client credentials there does not seem to be any user information in the JWT token. This causes the request's user resolver to return null when `request()->user()` is called. Starting from `Laravel\Passport\Guards\TokenGuard::authenticateViaBearerToken`, this is what returns `null`:
```php
// If the access token is valid we will retrieve the user according to the user ID
// associated with the token. We will use the provider implementation which may
// be used to retrieve users from Eloquent. Next, we'll be ready to continue.
$user = $this->provider->retrieveById(
    $psr->getAttribute('oauth_user_id')
);
```
Tracing `$psr->getAttribute` led me to `League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator::validateAuthorization`:
```php
// Return the request with additional attributes
return $request
    ->withAttribute('oauth_access_token_id', $token->getClaim('jti'))
    ->withAttribute('oauth_client_id', $token->getClaim('aud'))
    ->withAttribute('oauth_user_id', $token->getClaim('sub'))
    ->withAttribute('oauth_scopes', $token->getClaim('scopes'));
```
All attributes except `oauth_user_id` are set correctly from the claims on the token, `$token` being a `Lcobucci\JWT\Token` in my case. So using only the client credentials middleware is not a good solution for having a single set of routes, even when using an oauth client that has a `user_id` specified for those routes.
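The claim-to-attribute mapping described above, as an added standalone example that is not Passport's or league/oauth2-server's own code. It rebuilds the same four attribute names `BearerTokenValidator` sets, runs them over two constructed, unsigned token payloads (a user-bound token with a `sub` claim and a client-credentials token without one), and adds a small defender-side check that flags a token as a machine token when it carries a client id but no user id, so route code can stop relying on `request()->user()` for that case. Signature verification is deliberately omitted here; in Passport the validator verifies the signature before this mapping runs.

```php
<?php
// Added example, not library code: mirror the claim-to-attribute mapping of
// BearerTokenValidator::validateAuthorization on constructed token payloads.

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data): string
{
    $padding = (4 - strlen($data) % 4) % 4;
    return base64_decode(strtr($data . str_repeat('=', $padding), '-_', '+/'));
}

// Builds a constructed, unsigned JWT (empty signature part) purely for inspection.
function buildUnsignedJwt(array $claims): string
{
    $header = base64UrlEncode(json_encode(['typ' => 'JWT', 'alg' => 'none']));
    $payload = base64UrlEncode(json_encode($claims));
    return $header . '.' . $payload . '.';
}

// Extracts the payload claims. The signature is NOT checked here; Passport's
// validator verifies it before the mapping below is applied.
function claims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('malformed JWT');
    }
    return json_decode(base64UrlDecode($parts[1]), true) ?? [];
}

// Same attribute names the validator sets on the PSR request; a missing claim
// is mapped to null here (assumption for this demo) to reproduce the observed
// null oauth_user_id for a client-credentials token.
function mapClaimsToAttributes(array $claims): array
{
    return [
        'oauth_access_token_id' => $claims['jti'] ?? null,
        'oauth_client_id'       => $claims['aud'] ?? null,
        'oauth_user_id'         => $claims['sub'] ?? null,
        'oauth_scopes'          => $claims['scopes'] ?? [],
    ];
}

// Defender-side check: a client id with no subject means a machine token, so
// nothing on this request should be resolved through the user provider.
function isMachineToken(array $attributes): bool
{
    return $attributes['oauth_client_id'] !== null
        && $attributes['oauth_user_id'] === null;
}

// Constructed sample claims for the two grant types (values are made up).
$userToken   = buildUnsignedJwt(['jti' => 'tok-1', 'aud' => '1', 'sub' => '42', 'scopes' => ['*']]);
$clientToken = buildUnsignedJwt(['jti' => 'tok-2', 'aud' => '1', 'scopes' => ['*']]);

foreach (['password grant' => $userToken, 'client credentials' => $clientToken] as $label => $jwt) {
    $attributes = mapClaimsToAttributes(claims($jwt));
    printf(
        "%-18s oauth_user_id=%s machine=%s\n",
        $label,
        var_export($attributes['oauth_user_id'], true),
        var_export(isMachineToken($attributes), true)
    );
}
```

Run with `php example.php`; the client-credentials row prints `oauth_user_id=NULL machine=true`, which is exactly the state in which `retrieveById(null)` leaves `request()->user()` empty. A route group that must serve both grant types can branch on this check and authorize machine calls by client id and scopes instead of by user.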