Redirect Flow

The Redirect Flow enables websites to authorize users using a server-side integration.

Step 01 - Register A Client

Each website must be defined in the MM Auth database as a unique client in the oauth_clients table.

The simplest way to create a client is by using the passport:client Artisan command. When you run the command, Laravel Passport will prompt you for more information about the client and create a Client ID and Client Secret. These values should be stored in the website's config.ini as they are needed to make MM Auth requests.


php artisan passport:client
        

You will be prompted to answer three questions:


Which user ID should the client be assigned to?:
>

What should we name the client?:
> Trace Website

Where should we redirect the request after authorization?:
> https://staging.traceplay.tv
        

NOTE: For the user ID, do not enter a value; just press enter.

You will be issued a Client ID and Client Secret:


New client created successfully.
Client ID: 10
Client secret: 52T096l5BW6dA3vxoKKxofAj8KWWiHdJpLfwUNrg
        
Step 02 - Redirecting For Authorization

Once a client has been created, the website should make a redirect request to MM Auth's /oauth/authorize route like so:


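use Illuminate\Support\Str;

// Store a random state value in the session; it is checked again in Step 04.
$request->session()->put('state', $state = Str::random(40));

$query = http_build_query([
    // The Client ID from Step 01. The Client Secret never goes in this URL.
    'client_id' => 10,
    // Must match the redirect URL registered for the client (see Step 03).
    'redirect_uri' => 'https://staging.traceplay.tv/login',
    'response_type' => 'code',
    'scope' => '',
    'state' => $state,
]);

return redirect('https://auth.traceplay.tv/oauth/authorize?'.$query);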
        
Step 03 - Approving The Request

When receiving authorization requests, MM Auth will automatically display a template to the user allowing them to approve or deny the authorization request. If they approve the request, they will be redirected back to the redirect_uri that was specified by the consuming application. The redirect_uri must match the redirect URL that was specified when the client was created.

Step 04 - Converting Authorization Codes To Access Tokens

If the user approves the authorization request, they will be redirected back to the website. The website should first verify the state parameter against the value that was stored prior to the redirect. If the state parameter matches, the website should issue a POST request to MM Auth's /oauth/token route to request an access token. The request should include the authorization code that was issued by MM Auth when the user approved the authorization request.


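// pull() reads the stored state and removes it from the session, so it is single-use.
$state = $request->session()->pull('state');

// Reject the callback unless the returned state matches the stored value.
throw_unless(
    is_string($state) && $state !== '' && is_string($request->state)
        && hash_equals($state, $request->state),
    InvalidArgumentException::class,
    'Invalid state value.'
);

$http = new GuzzleHttp\Client;

// This request is made server to server; the Client Secret is never sent to the browser.
$response = $http->post('https://auth.traceplay.tv/oauth/token', [
    'form_params' => [
        'grant_type' => 'authorization_code',
        'client_id' => 10,
        'client_secret' => '52T096l5BW6dA3vxoKKxofAj8KWWiHdJpLfwUNrg',
        'redirect_uri' => 'https://staging.traceplay.tv/login',
        'code' => $request->code,
    ],
]);

return json_decode((string) $response->getBody(), true);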
        

The /oauth/token route will return a JSON response containing access_token, refresh_token and expires_in attributes. The expires_in attribute contains the number of seconds until the access token expires.
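The callback checks from Steps 03 and 04 as a framework-free function. This is an added example, not MM Auth or Laravel Passport code: the name validateCallback, the error messages and the sample values are hypothetical, and the "error" parameter handling assumes MM Auth follows RFC 6749 section 4.1.2.1 when a user denies the request.

```php
<?php
declare(strict_types=1);

// Validates the query parameters appended to redirect_uri after Step 03.
// Returns the authorization code, or throws when the callback must be rejected.
function validateCallback(array $query, ?string $storedState): string
{
    $returned = $query['state'] ?? null;

    // Reject when no state was stored (no login in progress) or when the
    // parameter is missing or not a string (?state[]=x arrives as an array).
    if (!is_string($storedState) || $storedState === '' || !is_string($returned)) {
        throw new RuntimeException('missing state');
    }
    // Constant-time comparison of the stored and the returned value.
    if (!hash_equals($storedState, $returned)) {
        throw new RuntimeException('state mismatch');
    }
    // RFC 6749 section 4.1.2.1: a denied or failed request carries "error"
    // instead of "code". The value is untrusted, so it is not echoed back.
    if (isset($query['error'])) {
        throw new RuntimeException('authorization denied or failed');
    }
    $code = $query['code'] ?? null;
    if (!is_string($code) || $code === '') {
        throw new RuntimeException('missing code');
    }
    return $code;
}

// Constructed sample callbacks (not captured traffic).
$stored = 'constructed-state-value';
$samples = [
    'approved'    => ['code' => 'constructed-code', 'state' => $stored],
    'denied'      => ['error' => 'access_denied', 'state' => $stored],
    'wrong state' => ['code' => 'constructed-code', 'state' => 'not-the-stored-value'],
    'array state' => ['code' => 'constructed-code', 'state' => ['x']],
    'no state'    => ['code' => 'constructed-code'],
];
foreach ($samples as $label => $query) {
    try {
        validateCallback($query, $stored);
        echo "$label: accepted\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Only the "approved" sample is accepted; the website should call /oauth/token only for a callback that passes all of these checks.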

Step 05 - Get User Details

Once you have an access token, you can make a request to MM Auth's /api/user route:


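$client = new GuzzleHttp\Client;

// $accessToken is the access_token value returned by /oauth/token in Step 04.
$response = $client->request('GET', 'https://auth.traceplay.tv/api/user', [
    'headers' => [
        'Accept' => 'application/json',
        'Authorization' => 'Bearer '.$accessToken,
    ],
]);

return json_decode((string) $response->getBody(), true);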