DEV Community


Laravel API Authentication via Sanctum & Socialite and test on Postman

Philip-Droubi on August 18, 2022

Laravel Sanctum with Socialite API (Updated on 23/9/2022 : Flutter app updated) Hello everyone, this is my first post on DEV.to. In this post, I ...
Lorem

Great article, I really need this.
Also, thanks for sharing the Flutter app.

Lorem • Edited

@philipdroubi, do I need to create a Google app to get client_id and client_secret?
And does this work with Facebook, GitHub and other providers?

Philip-Droubi

@rober You're welcome.
1- As a backend you don't need to create any Google app; the frontend should do that.
2- Yes, it works, but you need to edit your config/services.php file to be like this:

    'google' => [
        'client_id' => env('GOOGLE_CLIENT_ID'),
        'client_secret' => env('GOOGLE_CLIENT_SECRET'),
        'redirect' => 'GOOGLE_REDIRECT_URI',
    ],
    'facebook' => [
        'client_id' => env('FACEBOOK_CLIENT_ID'),
        'client_secret' => env('FACEBOOK_CLIENT_SECRET'),
        'redirect' => 'FACEBOOK_REDIRECT_URI',
    ],

And the validateProvider function in SocialiteController should be like this:

    protected function validateProvider($provider)
    {
        if (!in_array($provider, ['google', 'facebook'])) {
            return response()->json(["message" => 'You can only login via google or Facebook accounts'], 400);
        }
    }
Suphasit Thongniam

You saved my day.
Cheers mate!

Philip-Droubi

My pleasure! 😃

229okpe

Where can I find the access_provider_token?
The redirect is not obligatory?

Philip-Droubi • Edited

@229okpe

  • You can get the access_provider_token for testing purposes through this Flutter app or through this website.
    And remember that as an API the frontend application must send the access_provider_token through the request.

  • No need for any redirect.

Ahmed Ali

Is there no providers table to know which of Google, GitHub or Facebook this user comes from?
And how does the mobile developer send me the access_token_provider in the callback?

Philip-Droubi • Edited

@ahmedali190000
1- Yes, of course, if you want to store which provider each user came from, you must have a providers_table.

2- Mobile developers can send you the access_token_provider in the request parameters or body, but if you mean the token itself it's better to send it using the request body as it may be too long to be in the request parameters.
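
An added example, not part of the thread or the original article: a token-exchange endpoint that applies the provider allowlist from the earlier reply, accepts access_provider_token only in the request body, and records which provider the user came from. The controller name, the route, the providers() relation with its columns, and the response messages are assumptions.

```php
<?php
// Added example; class, relation and column names are assumptions.
namespace App\Http\Controllers;

use App\Models\User;
use GuzzleHttp\Exception\ClientException;
use Illuminate\Http\Request;
use Laravel\Socialite\Facades\Socialite;

class SocialLoginController extends Controller
{
    // Must match the provider keys configured in config/services.php.
    private const PROVIDERS = ['google', 'facebook'];

    // Intended for a POST route such as /api/login/{provider} (hypothetical).
    public function login(Request $request, string $provider)
    {
        // Strict allowlist check before the value reaches Socialite::driver().
        if (!in_array($provider, self::PROVIDERS, true)) {
            return response()->json(['message' => 'Unsupported provider'], 400);
        }
        // Refuse tokens sent in the query string: URLs end up in access logs.
        if ($request->query->has('access_provider_token')) {
            return response()->json(['message' => 'Send the token in the request body'], 400);
        }
        $data = $request->validate(['access_provider_token' => ['required', 'string']]);

        try {
            // Socialite asks the provider which account this token belongs to.
            $social = Socialite::driver($provider)->userFromToken($data['access_provider_token']);
        } catch (ClientException $e) {
            return response()->json(['message' => 'Invalid provider token'], 422);
        }

        $user = User::firstOrCreate(
            ['email' => $social->getEmail()],
            ['name' => $social->getName()]
        );
        // Hypothetical hasMany relation to a providers table (provider, provider_id).
        $user->providers()->updateOrCreate(
            ['provider' => $provider, 'provider_id' => $social->getId()]
        );

        // Issue the Sanctum personal access token the client will use from now on.
        return response()->json(['token' => $user->createToken('social-login')->plainTextToken]);
    }
}
```

Matching the local account on email assumes the provider returns a verified address; matching on provider and provider_id is the stricter choice.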

Keyver Velásquez Guerra

Bro! Thank you!

Philip-Droubi

@keyvervelasquez You're welcome.