[13.x] Make client RFC compatible

.github/workflows/tests.yml

@@ -17,12 +17,10 @@ jobs:
       fail-fast: true
       matrix:
         php: [8.1, 8.2, 8.3]
-        laravel: [9, 10, 11]
+        laravel: [10, 11]
         exclude:
           - php: 8.1
             laravel: 11
-          - php: 8.3
-            laravel: 9
 
     name: PHP ${{ matrix.php }} - Laravel ${{ matrix.laravel }}
 

UPGRADE.md

@@ -10,12 +10,98 @@ PR: https://github.com/laravel/passport/pull/1734
 
 PHP 8.1 is now the minimum required version.
 
+### Minimum Laravel Version
+
+PR: https://github.com/laravel/passport/pull/1744
+
+Laravel 10.0 is now the minimum required version.
+
 ### OAuth2 Server
 
 PR: https://github.com/laravel/passport/pull/1734
 
 The `league/oauth2-server` Composer package which is utilized internally by Passport has been updated to 9.0, which adds additional types to method signatures. To ensure your application is compatible, you should review this package's complete [changelog](https://github.com/thephpleague/oauth2-server/blob/master/CHANGELOG.md#900---released-2024-05-13). 
 
+### Client Secret
+
+PR: https://github.com/laravel/passport/pull/1744
+
+Passport now always hashes clients' secret, you may call the following command if you need to hash your clients' secrets:
+
+    php artisan passport:hash
+
+### Client ID
+
+PR: https://github.com/laravel/passport/pull/1744
+
+Passport now uses UUID to identify clients. If you were already using client with UUIDs you don't have to make any changes, but if you were not using client with UUIDs you must change the type of client ID columns to `char(36)`. Your previous client IDs won't change and you will get UUID for newly created clients from now on:
+
+```php
+Schema::table('oauth_clients', function (Blueprint $table) {
+    $table->char('id', 36)->change();
+});
+
+Schema::table('oauth_auth_codes', function (Blueprint $table) {
+    $table->char('client_id', 36)->index()->change();
+});
+
+Schema::table('oauth_access_tokens', function (Blueprint $table) {
+    $table->char('client_id', 36)->index()->change();
+});
+```
+
+### Clients Table
+
+PR: https://github.com/laravel/passport/pull/1744
+
+The `oauth_clients` table now requires `grant_types`, `scopes` and `redirect_uris` columns as JSON array and `personal_access_client` and `password_client` columns are removed:
+
+```php
+Schema::table('oauth_clients', function (Blueprint $table) {
+    $table->after('name', function (Blueprint $table) {
+        $table->text('grant_types');
+        $table->text('scopes');
+        $table->text('redirect_uris');
+    });
+});
+
+foreach (Passport::client()->cursor() as $client) {
+    Model::withoutTimestamps(fn () => $client->forceFill([
+        'grant_types' => match (true) {
+            (bool) $client->personal_access_client => ['personal_access'],
+            (bool) $client->password_client => ['password', 'refresh_token'],
+            empty($client->secret) && ! empty($client->redirect) => ['authorization_code', 'implicit', 'refresh_token'],
+            ! empty($client->secret) && empty($client->redirect) => ['client_credentials'],
+            ! empty($client->secret) && ! empty($client->redirect) => ['authorization_code', 'implicit', 'refresh_token', 'client_credentials'],
+            default => [],
+        },
+        'scopes' => ['*'],
+        'redirect_uris' => explode(',', $client->redirect),
+    ])->save());
+}
+
+Schema::table('oauth_clients', function (Blueprint $table) {
+    $table->dropColumn(['redirect', 'personal_access_client', 'password_client']);
+});
+```
+
+### Removed functionalities
+
+PR: https://github.com/laravel/passport/pull/1744
+
+The following list of properties and methods have been removed:
+
+* `Passport::$clientUuids` property.
+* `Passport::clientUuids()` method.
+* `Passport::setClientUuids()` method.
+* `'passport.client_uuids'` config property.
+* `Passport::$hashesClientSecrets` property.
+* `Passport::hashClientSecrets()` method.
+* `Passport::$personalAccessClientModel` property.
+* `Passport::usePersonalAccessClientModel()` method.
+* `Passport::personalAccessClientModel()` method.
+* `Passport::personalAccessClient()` method.
+
 ## Upgrading To 12.0 From 11.x
 
 ### Migration Changes

composer.json

@@ -18,15 +18,15 @@
         "ext-json": "*",
         "ext-openssl": "*",
         "firebase/php-jwt": "^6.4",
-        "illuminate/auth": "^9.21|^10.0|^11.0",
-        "illuminate/console": "^9.21|^10.0|^11.0",
-        "illuminate/container": "^9.21|^10.0|^11.0",
-        "illuminate/contracts": "^9.21|^10.0|^11.0",
-        "illuminate/cookie": "^9.21|^10.0|^11.0",
-        "illuminate/database": "^9.21|^10.0|^11.0",
-        "illuminate/encryption": "^9.21|^10.0|^11.0",
-        "illuminate/http": "^9.21|^10.0|^11.0",
-        "illuminate/support": "^9.21|^10.0|^11.0",
+        "illuminate/auth": "^10.0|^11.0",
+        "illuminate/console": "^10.0|^11.0",
+        "illuminate/container": "^10.0|^11.0",
+        "illuminate/contracts": "^10.0|^11.0",
+        "illuminate/cookie": "^10.0|^11.0",
+        "illuminate/database": "^10.0|^11.0",
+        "illuminate/encryption": "^10.0|^11.0",
+        "illuminate/http": "^10.0|^11.0",
+        "illuminate/support": "^10.0|^11.0",
         "lcobucci/jwt": "^5.0",
         "league/oauth2-server": "^9.0",
         "nyholm/psr7": "^1.5",

config/passport.php

@@ -43,19 +43,6 @@
 
     'connection' => env('PASSPORT_CONNECTION'),
 
-    /*
-    |--------------------------------------------------------------------------
-    | Client UUIDs
-    |--------------------------------------------------------------------------
-    |
-    | By default, Passport uses auto-incrementing primary keys when assigning
-    | IDs to clients. However, if Passport is installed using the provided
-    | --uuids switch, this will be set to "true" and UUIDs will be used.
-    |
-    */
-
-    'client_uuids' => false,
-
     /*
     |--------------------------------------------------------------------------
     | Personal Access Client

database/factories/ClientFactory.php

@@ -28,32 +28,16 @@ public function modelName()
      */
     public function definition()
     {
-        return $this->ensurePrimaryKeyIsSet([
+        return [
             'user_id' => null,
             'name' => $this->faker->company(),
+            'grant_types' => [],
+            'scopes' => [],
+            'redirect_uris' => [$this->faker->url()],
+            'provider' => null,
             'secret' => Str::random(40),
-            'redirect' => $this->faker->url(),
-            'personal_access_client' => false,
-            'password_client' => false,
             'revoked' => false,
-        ]);
-    }
-
-    /**
-     * Ensure the primary key is set on the model when using UUIDs.
-     *
-     * @param  array  $data
-     * @return array
-     */
-    protected function ensurePrimaryKeyIsSet(array $data)
-    {
-        if (Passport::clientUuids()) {
-            $keyName = (new ($this->modelName()))->getKeyName();
-
-            $data[$keyName] = (string) Str::orderedUuid();
-        }
-
-        return $data;
+        ];
     }
 
     /**
@@ -64,8 +48,7 @@ protected function ensurePrimaryKeyIsSet(array $data)
     public function asPasswordClient()
     {
         return $this->state([
-            'personal_access_client' => false,
-            'password_client' => true,
+            'grant_types' => ['password', 'refresh_token'],
         ]);
     }
 
@@ -77,8 +60,7 @@ public function asPasswordClient()
     public function asClientCredentials()
     {
         return $this->state([
-            'personal_access_client' => false,
-            'password_client' => false,
+            'grant_types' => ['client_credentials'],
         ]);
     }
 }

database/migrations/2016_06_01_000001_create_oauth_auth_codes_table.php

@@ -12,10 +12,10 @@
     public function up(): void
     {
         Schema::create('oauth_auth_codes', function (Blueprint $table) {
-            $table->string('id', 100)->primary();
-            $table->unsignedBigInteger('user_id')->index();
-            $table->unsignedBigInteger('client_id');
-            $table->text('scopes')->nullable();
+            $table->char('id', 80)->primary();
+            $table->foreignId('user_id')->index();
+            $table->foreignUuid('client_id')->index();
+            $table->text('scopes');
             $table->boolean('revoked');
             $table->dateTime('expires_at')->nullable();
         });
@@ -28,4 +28,14 @@ public function down(): void
     {
         Schema::dropIfExists('oauth_auth_codes');
     }
+
+    /**
+     * Get the migration connection name.
+     *
+     * @return string|null
+     */
+    public function getConnection()
+    {
+        return $this->connection ?? config('passport.connection');
+    }
 };

database/migrations/2016_06_01_000002_create_oauth_access_tokens_table.php

@@ -12,11 +12,11 @@
     public function up(): void
     {
         Schema::create('oauth_access_tokens', function (Blueprint $table) {
-            $table->string('id', 100)->primary();
-            $table->unsignedBigInteger('user_id')->nullable()->index();
-            $table->unsignedBigInteger('client_id');
+            $table->char('id', 80)->primary();
+            $table->foreignId('user_id')->nullable()->index();
+            $table->foreignUuid('client_id')->index();
             $table->string('name')->nullable();
-            $table->text('scopes')->nullable();
+            $table->text('scopes');
             $table->boolean('revoked');
             $table->timestamps();
             $table->dateTime('expires_at')->nullable();
@@ -30,4 +30,14 @@ public function down(): void
     {
         Schema::dropIfExists('oauth_access_tokens');
     }
+
+    /**
+     * Get the migration connection name.
+     *
+     * @return string|null
+     */
+    public function getConnection()
+    {
+        return $this->connection ?? config('passport.connection');
+    }
 };

database/migrations/2016_06_01_000003_create_oauth_refresh_tokens_table.php

@@ -12,8 +12,8 @@
     public function up(): void
     {
         Schema::create('oauth_refresh_tokens', function (Blueprint $table) {
-            $table->string('id', 100)->primary();
-            $table->string('access_token_id', 100)->index();
+            $table->char('id', 80)->primary();
+            $table->char('access_token_id', 80)->index();
             $table->boolean('revoked');
             $table->dateTime('expires_at')->nullable();
         });
@@ -26,4 +26,14 @@ public function down(): void
     {
         Schema::dropIfExists('oauth_refresh_tokens');
     }
+
+    /**
+     * Get the migration connection name.
+     *
+     * @return string|null
+     */
+    public function getConnection()
+    {
+        return $this->connection ?? config('passport.connection');
+    }
 };

database/migrations/2016_06_01_000004_create_oauth_clients_table.php

@@ -12,14 +12,14 @@
     public function up(): void
     {
         Schema::create('oauth_clients', function (Blueprint $table) {
-            $table->bigIncrements('id');
-            $table->unsignedBigInteger('user_id')->nullable()->index();
+            $table->uuid('id')->primary();
+            $table->foreignId('user_id')->nullable()->index();
             $table->string('name');
-            $table->string('secret', 100)->nullable();
+            $table->text('grant_types');
+            $table->text('scopes');
+            $table->text('redirect_uris');
             $table->string('provider')->nullable();
-            $table->text('redirect');
-            $table->boolean('personal_access_client');
-            $table->boolean('password_client');
+            $table->string('secret')->nullable();
             $table->boolean('revoked');
             $table->timestamps();
         });
@@ -32,4 +32,14 @@ public function down(): void
     {
         Schema::dropIfExists('oauth_clients');
     }
+
+    /**
+     * Get the migration connection name.
+     *
+     * @return string|null
+     */
+    public function getConnection()
+    {
+        return $this->connection ?? config('passport.connection');
+    }
 };

src/Bridge/Client.php

@@ -21,15 +21,15 @@ class Client implements ClientEntityInterface
     public function __construct(
         string $identifier,
         string $name,
-        string $redirectUri,
+        string|array $redirectUri,
         bool $isConfidential = false,
         ?string $provider = null
     ) {
         $this->setIdentifier($identifier);
 
         $this->name = $name;
         $this->isConfidential = $isConfidential;
-        $this->redirectUri = explode(',', $redirectUri);
+        $this->redirectUri = is_array($redirectUri) ? $redirectUri : [$redirectUri];
         $this->provider = $provider;
     }
 }