Closed by toitzi 5 months ago
Shouldn't you be able to use userFromToken()? https://laravel.com/docs/11.x/socialite#retrieving-user-details-from-a-token-oauth2
How the hell did I read through the docs and the code a bazillion times and miss that, my god, yeah I should be able to just use that, I'm sorry lmao
Currently when you load the user via socialite, you have no way to pass an access token (See Contract). It always expects to be called from the callback url. What do you think of adding this possibility?
Here is why I think that would be great:
OAuth 2 providers in Socialite seem to already support the "refreshToken" method, which is great. However, in our case (and I think it is usual for OAuth login providers) we do not call a resource server; pretty much the only thing we call / need to call is the userInfo endpoint, which Socialite does. Now I have refreshed the access token, which is great, but I cannot really do much with it yet. To query the userinfo endpoint I would have to do everything the Provider already does, but I would need to code it almost 1:1 again in my app, since I cannot provide an access token to the provider. In some cases this involves configuring the request client, parameters, headers, etc. and verifying JWT signatures/JWT data from the response, but it can also be just the user mapping.
Here are solutions I thought of as of right now:
Don't change anything, some should just write a custom provider, and make the functions for parsing and validating the userInfo tokens public and static in the provider, to be able to call them from the Laravel app (what we do right now - idk how to feel about this tho)
Change the signature of ->user() to allow passing access tokens. (Could be a problem, afaik it would break existing providers, since they would need to update their method signature)
Add a new method like ->setAccessToken() which sets one in a protected property, and when the ->user() method is called, check if one exists, and then just skip the state checks/call to get an access token and grab the user object from the UserInfo endpoint with that token. (Probably non-breaking change)
I hope I did not miss anything or an existing issue, I would love to hear your thoughts on this. If you would like to have this implemented in one way or another, I would be happy to open a PR for it, just let me know.