feat: add the foundation for OAuth2 with Laravel Passport

[m1guelpf]

How to test this PR

Adds OAuth2 authentication using Laravel Passport!

Current state of things:

• The end-to-end flow works!
• The end-to-end flow for device authentication works!
• There is no UI to create clients, use php artisan passport:client and php artisan passport:client --device for testing.
• There is no UI to revoke authorizations
• All the routes are disabled in production

edited by @wescopeland to update the current state of things and directly link to my comment

[wescopeland]

I collaborated heavily on this PR.

How to test this PR

sail artisan migrate
sail artisan passport:keys # this is already done on stage and prod

There are two authorization flows you can test-drive. The first is a standard client authorization flow where some app wants to log in on behalf of a user:

# Create a test OAuth client
# name: "SampleApp"
# redirect: [default] "http://localhost:64000/auth/callback"
# device auth? "no"
sail artisan passport:client

You'll receive a Client ID and Client Secret.

Navigate to:
http://localhost:64000/oauth/authorize?client_id={CLIENT_ID}&redirect_uri=http://localhost:64000/auth/callback&response_type=code

In the real world, clicking Authorize and Reject will direct back to the consumer app. In our demo, we have an /auth/callback dummy route set up to simulate an end-to-end authorization flow.

The other supported authorization flow is the device flow:

# This time, on the device auth question, answer "yes"
sail artisan passport:client

# Now, initiate the device flow.
curl -X POST http://localhost:64000/oauth/device/code \
  -d "client_id={CLIENT_ID}"

In the response, you'll see an 8-character user_code. Copy that value, and navigate to http://localhost:64000/oauth/device.

Here, you can enter the 8-character code. Upon doing that, you'll see an Approve and Reject button again. Click either, and you'll see a confirmation. In the real-world, the user's app is going to be polling for the approve/reject status.

[Jamiras]

As long as the user is logged in, things seem to work appropriately. Left a couple comments regarding the flow when not logged in, and a general question on what the next steps would look like.

[Jamiras]

Entering the correct credentials opens the form in a popup window where the code has to be entered again.

[wescopeland]

Check in latest if you're still seeing this - I wasn't while authenticated.

[Jamiras]

I'm not. And if it wasn't clear - this was hitting the page in an incognito mode, which would require logging in after entering the code. Then it would prompt to enter the code again after logging in. Putting the login before the code addresses the issue.

[Jamiras]

Appears to be fixed.

Similar to other comment: "Entering the correct credentials" implies doing this while not authenticated.

[Jamiras]

I'm not. And if it wasn't clear - this was hitting the page in an incognito mode, which would require logging in after entering the code. Then it would prompt to enter the code again after logging in. Putting the login before the code addresses the issue.

[Jamiras]

Appears to be fixed.

Similar to other comment: "Entering the correct credentials" implies doing this while not authenticated.