Passport 12.0 no longer automatically loads migrations from its own migrations directory. Instead, you should run the following command to publish Passport's migrations to your application:
php artisan vendor:publish --tag=passport-migrations
The password grant type is disabled by default. You may enable it by calling the enablePasswordGrant
method in the boot
method of your application's App\Providers\AppServiceProvider
class:
public function boot(): void
{
Passport::enablePasswordGrant();
}
PHP 8.0 is now the minimum required version.
Laravel 9.0 is now the minimum required version.
PR: #1412
Customizing model database connections through the migration files has been reverted. This was first introduced in this PR.
If you need to customize the database connection for a model you should override the models as explained in the documentation.
PR: #1425
Timestamps are now allowed on the Token
model. If you specifically didn't want these model's timestamps to be updated then you may override the Token
model as explained in the documentation.
PR: #1464
Passport's routes have been moved to a dedicated route file. You can remove the Passport::routes()
call from your application's service provider.
If you previously relied on overwriting routes using routes($callback = null, array $options = [])
you may now achieve the same behavior by simply overwriting the routes in your application's own web.php
route file.
PR: #1519
Previously, a stubbed client created via Passport::actingAsClient(...)
wasn't retrieved when calling the ->client()
method on the API guard. This has been fixed in Passport v11 to reflect real-world situations and you may need to accommodate for this behavior in your tests.
PR: #1551
Previously, scopes weren't inherited when using Passport::actingAs(...)
. This has been fixed in Passport v11 to reflect real-world situations and you may need to accommodate for this behavior in your tests.
PHP 7.3 is now the minimum required version.
Laravel 8.0 is now the minimum required version.
PR: #1325
The personal client configuration methods have been removed from the Passport
class since they are no longer necessary. You should remove any calls to these methods from your application's service providers.
PR: #1220
Passport now has support for multiple guard user providers. Because of this change, you must add a provider
column to the oauth_clients
database table:
Schema::table('oauth_clients', function (Blueprint $table) {
$table->string('provider')->after('secret')->nullable();
});
If you have not previously published the Passport migrations, you should manually add the provider
column to your database.
PR: #1145
Client secrets may now be stored using a Bcrypt hash. However, before enabling this functionality, please consider the following. First, there is no way to reverse the hashing process once you have migrated your existing tokens. Secondly, when hashing client secrets, you will only have one opportunity to display the plain-text value to the user before it is hashed and stored in the database.
Before you continue, you should set your personal access client ID and unhashed secret in your .env
file:
PASSPORT_PERSONAL_ACCESS_CLIENT_ID=client-id-value
PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET=unhashed-client-secret-value
Next, you should register these values by placing the following calls within the boot
method of your AppServiceProvider
:
Passport::personalAccessClientId(config('passport.personal_access_client.id'));
Passport::personalAccessClientSecret(config('passport.personal_access_client.secret'));
Make sure you follow the instructions above before hashing your secrets. Otherwise, irreversible data loss may occur.
You may enable client secret hashing by calling the Passport::hashClientSecrets()
method within the boot
method of your AppServiceProvider
. For convenience, we've included a new Artisan command which you can run to hash all existing client secrets:
php artisan passport:hash
Again, please be aware that running this command cannot be undone. For extra precaution, you may wish to create a backup of your database before running the command.
PR: #1132
After a lengthy debate, it was decided to revert the change made in a previous PR that introduced an exception when the client credentials middleware was used to authenticate first party clients.
PR: #1134
Internally, Passport will now use the getAuthIdentifier
method to determine a model's primary key. This is consistent with the framework and Laravel's first party libraries.
PR: #1235
The deprecated revokeOtherTokens
and pruneRevokedTokens
methods and the revokeOtherTokens
and pruneRevokedTokens
properties were removed from the Passport
object.
Commit: https://github.com/laravel/passport/commit/97e3026790d953d7a67fe487e30775cd995e93df
The minimum Laravel version is now v6.0 and the minimum PHP version is now 7.2. The underlying league/oauth2-server
has also been updated to v8.
PR: #1065
Passport now supports public clients and PCKE. To leverage this feature, you should update the secret
column of the oauth_clients
table to be nullable
:
Schema::table('oauth_clients', function (Blueprint $table) {
$table->string('secret', 100)->nullable()->change();
});
PR: #1066
OAuth exceptions can now be rendered. They will first be converted to Passport exceptions. If you are explicitly handling League\OAuth2\Server\Exception\OAuthServerException
in your exception handler's report method you will now need to check for an instance of Laravel\Passport\Exceptions\OAuthServerException
instead.
PR: #1040
In the previous versions of Passport, you could pass tokens granted by a different client type to the CheckClientCredential
and CheckClientCredentialForAnyScope
middleware. This behavior has been corrected and an exception will be thrown if you attempt to pass a token generated by a different client type.