How To Get An Authorization Code From The Authorization Code Grant In Laravel Passport?

I'm trying to use the authorization code grant to log third-party clients in and give access to my API. The first step is to request permission at /oauth/authorize , with the required parameters. When i do this I get an error response saying "Call to a member function getKey() on null" . I notice I get this same error even when there are no parameters.

authorization code grant permission request

This is the code in my web.php that handles the /redirect route.

Route::get('/redirect', function (Request $request) {
    $request->session()->put('state', $state = Str::random(40));
    $query = http_build_query([
        'client_id' => '6',
        'redirect_uri' =>  '',
        'response_type' =>  'code',
        'scope' => '',
        'state' => $state,
    return redirect('' . $query);

If I try to directly make a request to I get the error response shown below.

Unsupported grant type



The request your sending in step 1 isn't working because that isn't how the oauth flow is meant to work. The flow your implementing is meant to be a 3 step process that a user completes in a browser or app to sign in to your application and request that the app or site they came from be allowed to access your api on their behalf. By making your request via a postman post request, you can't access the login flow so it tries to return a key for the already authenicated user (which is no one) thus $user->getKey() doesn't work because $user is null.

For the second error

/oauth/authorize doesn't accept that grant type because it doesn't return grants. There are 3 steps to an oauth login flow

  1. The third party application redirects the user to your server to login, passing a callback url to redirect back to

  2. The user logins in and your app redirects them back to the third party site, passing back an authorization code the third party app uses to request an access token.

  3. The third party app uses the authorization code they got back in 2 to make a request to /oauth/token and request an actual access token, which they can then use to access your API on the users behalf.

So the reason your Postman call to /oauth/authorize is failing with an unsupported type is that you are trying to perform step 3 on the URL to step 2. You need to get an authorization code in step 2 and then make a request to /oauth/token to get the access token.

If you are trying to provide user authentication to third party apps then you need to implement this flow through a browser so the user has the chance to login through your server. In that case the 'redirect_uri' in your code snippet needs to be something that you acccept from the request, not something hardcoded as that URL is where the user will be redirected back to after authenticating with your application. Once you have an auth code, you can then make a REST call behind the scenes to get an actual access token.

If you are trying to authenticate purely on REST/API calls then you have to use a different grant type, most likely client credentials grants