I have recently followed the official documentation on how to properly install and set up Laravel Passport in a demo application (blog).
My routes are set up following these instructions:
Next, you should call the Passport::routes method within the boot method of your AuthServiceProvider. This method will register the routes necessary to issue access tokens and revoke access tokens, clients, and personal access tokens:
While using Postman to run some sample requests, I noticed that the oauth/token/refresh route requires a CSRF token.
Running artisan route:list, I got:
| | POST | oauth/token | | \Laravel\Passport\Http\Controllers\AccessTokenController@issueToken | throttle |
| | POST | oauth/token/refresh | | \Laravel\Passport\Http\Controllers\TransientTokenController@refresh | web,auth |
Any ideas on how to properly refresh the token?
CSRF can be disabled for desired URIs, as stated on https://laravel.com/docs/5.3/csrf. For example, I've added one value as a URL path in the $except property of the VerifyCsrfToken class:
    protected $except = [
        'oauth/authorize',
    ];
and it works.
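How an `$except` entry is matched against the two routes from the route:list output in the question, as an added example (not part of the original posts and not Laravel's own code). It assumes the default `web` middleware group is where `VerifyCsrfToken` runs; `pathMatches` and `csrfEnforced` are hypothetical helpers that approximate the framework's wildcard matching, and the "exact" and "wildcard" lists are constructed for comparison.

```php
<?php
// Approximation of how the CSRF middleware compares a request path with an
// $except entry: surrounding slashes are trimmed and '*' acts as a wildcard.
function pathMatches(string $pattern, string $path): bool
{
    $pattern = $pattern === '/' ? '/' : trim($pattern, '/');
    $regex = str_replace('\*', '.*', preg_quote($pattern, '#'));
    return preg_match('#^' . $regex . '\z#u', $path) === 1;
}

// Assumption: CSRF verification only runs for routes in the "web" group
// (default app/Http/Kernel.php layout).
function csrfEnforced(array $route, array $except): bool
{
    if (!in_array('web', $route['middleware'], true)) {
        return false; // no session middleware stack, so no CSRF check at all
    }
    foreach ($except as $pattern) {
        if (pathMatches($pattern, $route['uri'])) {
            return false; // explicitly exempted
        }
    }
    return true;
}

// The two routes shown in the question's route:list output.
$routes = [
    ['uri' => 'oauth/token',         'middleware' => ['throttle']],
    ['uri' => 'oauth/token/refresh', 'middleware' => ['web', 'auth']],
];

// "answer" is the list from the answer above; the other two are constructed.
$exceptLists = [
    'answer'   => ['oauth/authorize'],
    'exact'    => ['oauth/token/refresh'],
    'wildcard' => ['oauth/*'], // exempts every oauth/ route, session-backed ones included
];

foreach ($exceptLists as $label => $except) {
    foreach ($routes as $route) {
        printf("%-8s %-20s csrf=%s\n", $label, $route['uri'],
            csrfEnforced($route, $except) ? 'enforced' : 'skipped');
    }
}
```

Running the same check over a full route list before adding an `$except` entry shows exactly which cookie-authenticated routes would lose CSRF protection.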