How To Use Laravel Passport Token System

I am planning to use Laravel Passport System for the ANGULAR 6 API. Installed as per the documentation.

But I have a bit of confusion. Please try to Resolve It.

1. How to provide a token ?

This is the Correct Method?

OR Coding LIKE is correct Method ?:

            'username' => $request->email,
            'grant_type' => 'password',
            'client_id' => env('PASSWORD_CLIENT_ID'),
            'client_secret' => env('PASSWORD_CLIENT_SECRET'),
            'scope' => '',
// forward the request to the OAuth token request endpoint and Return Token

$res = Route::dispatch(request()->create('oauth/token', 'POST', $this->loginCredentials($request)));
$this->api_response = json_decode($res->getContent());
return response()->json(['token' => $this->api_response,'usersDetail' =>  $user], 200);

Which Method need to use and Why Please Elaborate it.?

2. How to handle Refresh Token System for Angular?

Like in Refresh (Mouse button Refresh) need to Call Laravel API? How It should be? Please elaborate with Laravel and Angular Codes.

please answer this question Detaily. looking for a good Answer!!!



How to provide a token ? This is the Correct Method? OR Coding LIKE is correct Method ?

It uses a different grant. The correct method is according to your application needs. Before you implement OAuth, you need to learn about grant types :

Authorization code grant

The authorization code grant should be very familiar if you’ve ever signed into an application using your Facebook or Google account.

Implicit grant

The implicit grant is similar to the authorization code grant with two distinct differences.

It is intended to be used for user-agent-based clients (e.g. single page web apps) that can’t keep a client secret because all of the application code and storage is easily accessible.

Secondly instead of the authorization server returning an authorization code which is exchanged for an access token, the authorization server returns an access token

Resource owner credentials grant

This grant is a great user experience for trusted first party clients both on the web and in native device applications.

Client credentials grant

The simplest of all of the OAuth 2.0 grants, this grant is suitable for machine-to-machine authentication where a specific user’s permission to access data is not required.

Refresh token grant

Access tokens eventually expire; however some grants respond with a refresh token which enables the client to get a new access token without requiring the user to be redirected.

Which OAuth 2.0 grant should I use?

A grant is a method of acquiring an access token. Deciding which grants to implement depends on the type of client the end user will be using, and the experience you want for your users.

How to handle Refresh Token System for Angular?

Access tokens eventually expire; The client sends a POST request with following body parameters to /oauth/token:

  • grant_type with the value refresh_token
  • refresh_token with the refresh token
  • client_id with the the client’s ID
  • client_secret with the client’s secret
  • scope with a space-delimited list of requested scope permissions. This is optional; if not sent the original scopes will be used, otherwise you can request a reduced set of scopes.
$http = new GuzzleHttp\Client;

$response = $http->post('', [
    'form_params' => [
        'grant_type' => 'refresh_token',
        'refresh_token' => 'the-refresh-token',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'scope' => '',

return json_decode((string) $response->getBody(), true);

Or you can using Angular HTTPInterceptor for token refreshing. HTTP Interceptors are used for adding custom logic for logging, modifying response, error handling, but one common case is to automatically attach authentication informations to request and to refresh token in order to maintain user session active.

Ref :