laravel · taylorotwell · Apr 28, 2020 · Apr 14, 2020 · Apr 17, 2020 · Apr 17, 2020
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -36,7 +36,7 @@ jobs:
           coverage: none
 
       - name: Install dependencies
-        run: composer require "illuminate/contracts=${{ matrix.laravel }}" --prefer-dist --no-interaction --no-suggest
+        run: composer require "illuminate/contracts=${{ matrix.laravel }}" --prefer-dist --no-interaction
 
       - name: Execute tests
         run: vendor/bin/phpunit --verbose
diff --git a/database/migrations/2016_06_01_000004_create_oauth_clients_table.php b/database/migrations/2016_06_01_000004_create_oauth_clients_table.php
@@ -18,6 +18,7 @@ public function up()
             $table->unsignedBigInteger('user_id')->nullable()->index();
             $table->string('name');
             $table->string('secret', 100)->nullable();
+            $table->string('provider')->nullable();
             $table->text('redirect');
             $table->boolean('personal_access_client');
             $table->boolean('password_client');

diff --git a/src/Bridge/Client.php b/src/Bridge/Client.php
@@ -16,6 +16,8 @@ class Client implements ClientEntityInterface
      */
     protected $identifier;
 
+    public $provider;
+
     /**
      * Create a new client instance.
      *
@@ -25,13 +27,14 @@ class Client implements ClientEntityInterface
      * @param  bool  $isConfidential
      * @return void
      */
-    public function __construct($identifier, $name, $redirectUri, $isConfidential = false)
+    public function __construct($identifier, $name, $redirectUri, $isConfidential = false, $provider = null)
     {
         $this->setIdentifier((string) $identifier);
 
         $this->name = $name;
         $this->isConfidential = $isConfidential;
         $this->redirectUri = explode(',', $redirectUri);
+        $this->provider = $provider;
     }
 
     /**

diff --git a/src/Bridge/ClientRepository.php b/src/Bridge/ClientRepository.php
@@ -37,7 +37,7 @@ public function getClientEntity($clientIdentifier)
         }
 
         return new Client(
-            $clientIdentifier, $record->name, $record->redirect, $record->confidential()
+            $clientIdentifier, $record->name, $record->redirect, $record->confidential(), $record->provider
         );
     }
 

diff --git a/src/Bridge/UserRepository.php b/src/Bridge/UserRepository.php
@@ -32,7 +32,7 @@ public function __construct(HashManager $hasher)
      */
     public function getUserEntityByUserCredentials($username, $password, $grantType, ClientEntityInterface $clientEntity)
     {
-        $provider = config('auth.guards.api.provider');
+        $provider = $clientEntity->provider ?: config('auth.guards.api.provider');
 
         if (is_null($model = config('auth.providers.'.$provider.'.model'))) {
             throw new RuntimeException('Unable to determine authentication model from configuration.');

diff --git a/src/Client.php b/src/Client.php
@@ -3,6 +3,7 @@
 namespace Laravel\Passport;
 
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Facades\Auth;
 
 class Client extends Model
 {
@@ -49,7 +50,7 @@ class Client extends Model
     public function user()
     {
         return $this->belongsTo(
-            config('auth.providers.'.config('auth.guards.api.provider').'.model')
+            config('auth.providers.'.$this->provider ?: config('auth.guards.api.provider').'.model')
         );
     }
 
@@ -102,4 +103,14 @@ public function confidential()
     {
         return ! empty($this->secret);
     }
+
+    /**
+     * Get the client's provider.
+     *
+     * @return mixed
+     */
+    public function getProvider()
+    {
+        return $this->provider ? Auth::createUserProvider($this->provider) : null;
+    }
 }
diff --git a/src/ClientRepository.php b/src/ClientRepository.php
@@ -109,13 +109,14 @@ public function personalAccessClient()
      * @param  bool  $confidential
      * @return \Laravel\Passport\Client
      */
-    public function create($userId, $name, $redirect, $personalAccess = false, $password = false, $confidential = true)
+    public function create($userId, $name, $redirect, $provider = null, $personalAccess = false, $password = false, $confidential = true)
     {
         $client = Passport::client()->forceFill([
             'user_id' => $userId,
             'name' => $name,
             'secret' => ($confidential || $personalAccess) ? Str::random(40) : null,
             'redirect' => $redirect,
+            'provider' => $provider,
             'personal_access_client' => $personalAccess,
             'password_client' => $password,
             'revoked' => false,
@@ -136,7 +137,7 @@ public function create($userId, $name, $redirect, $personalAccess = false, $pass
      */
     public function createPersonalAccessClient($userId, $name, $redirect)
     {
-        return tap($this->create($userId, $name, $redirect, true), function ($client) {
+        return tap($this->create($userId, $name, $redirect, null, true), function ($client) {
             $accessClient = Passport::personalAccessClient();
             $accessClient->client_id = $client->id;
             $accessClient->save();
@@ -151,9 +152,9 @@ public function createPersonalAccessClient($userId, $name, $redirect)
      * @param  string  $redirect
      * @return \Laravel\Passport\Client
      */
-    public function createPasswordGrantClient($userId, $name, $redirect)
+    public function createPasswordGrantClient($userId, $name, $redirect, $provider = null)
     {
-        return $this->create($userId, $name, $redirect, false, true);
+        return $this->create($userId, $name, $redirect, $provider, false, true);
     }
 
     /**

diff --git a/src/Console/ClientCommand.php b/src/Console/ClientCommand.php
@@ -18,6 +18,7 @@ class ClientCommand extends Command
             {--password : Create a password grant client}
             {--client : Create a client credentials grant client}
             {--name= : The name of the client}
+            {--provider= : The name of the provider}
             {--redirect_uri= : The URI to redirect to after authorization }
             {--user_id= : The user ID the client should be assigned to }
             {--public : Create a public client (Auth code grant type only) }';
@@ -83,8 +84,16 @@ protected function createPasswordClient(ClientRepository $clients)
             config('app.name').' Password Grant Client'
         );
 
+        $providers = array_keys(config('auth.providers'));
+
+        $provider = $this->option('provider') ?: $this->choice(
+            'What provider should be used?',
+            $providers,
+            $providers[0]
+        );
+
         $client = $clients->createPasswordGrantClient(
-            null, $name, 'http://localhost'
+            null, $name, 'http://localhost', $provider
         );
 
         $this->info('Password grant client created successfully.');
@@ -136,7 +145,7 @@ protected function createAuthCodeClient(ClientRepository $clients)
         );
 
         $client = $clients->create(
-            $userId, $name, $redirect, false, false, ! $this->option('public')
+            $userId, $name, $redirect, null, false, false, ! $this->option('public')
         );
 
         $this->info('New client created successfully.');

diff --git a/src/Console/InstallCommand.php b/src/Console/InstallCommand.php
@@ -31,6 +31,6 @@ public function handle()
     {
         $this->call('passport:keys', ['--force' => $this->option('force'), '--length' => $this->option('length')]);
         $this->call('passport:client', ['--personal' => true, '--name' => config('app.name').' Personal Access Client']);
-        $this->call('passport:client', ['--password' => true, '--name' => config('app.name').' Password Grant Client']);
+        $this->call('passport:client', ['--password' => true, '--name' => config('app.name').' Password Grant Client', '--provider' => array_keys(config('auth.providers'))[0]]);
     }
 }
diff --git a/src/Guards/TokenGuard.php b/src/Guards/TokenGuard.php
@@ -82,6 +82,17 @@ public function __construct(ResourceServer $server,
         $this->encrypter = $encrypter;
     }
 
+    /**
+     * Determine if the requested provider matches the client's provider.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return bool
+     */
+    protected function validateProvider(Request $request)
+    {
+        return $this->provider == $this->client($request)->getProvider();
+    }
+
     /**
      * Get the user for the incoming request.
      *
@@ -90,6 +101,10 @@ public function __construct(ResourceServer $server,
      */
     public function user(Request $request)
     {
+        if (!$this->validateProvider($request)) {
+            return;
+        }
+
         if ($request->bearerToken()) {
             return $this->authenticateViaBearerToken($request);
         } elseif ($request->cookie(Passport::cookie())) {

diff --git a/src/Http/Middleware/CheckCredentials.php b/src/Http/Middleware/CheckCredentials.php
@@ -101,7 +101,7 @@ protected function validate($psr, $scopes)
     abstract protected function validateCredentials($token);
 
     /**
-     * Validate token credentials.
+     * Validate token scopes.
      *
      * @param  \Laravel\Passport\Token  $token
      * @param  array  $scopes