Passport v9.1.0 Breaking Changes

May, 8 2020

After the v9.0.0 release for Passport on Tuesday, we discovered an incompatibility with Personal Access Clients and the new client secret hashing feature. The fix that required for this introduces a breaking change for anyone who has already hashed the secret key of their Personal Access Client.

These steps are only necessary if you have already upgraded to v9 and already hashed your client secrets.

When using the client secret hashing is to generate a new Personal Access Client for your application using the passport:client command, your plain-text client secret will be displayed once:

php artisan passport:client --personal 

After copying your client ID and secret you should place them in your .env file using the following environment variables:

PASSPORT_PERSONAL_ACCESS_CLIENT_ID=client-id-value
PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET=unhashed-client-secret-value

Finally, you should register them in the "boot" method of your "AppServiceProvider":

Passport::personalAccessClientId(
    config('passport.personal_access_client.id')
);

Passport::personalAccessClientSecret(
    config('passport.personal_access_client.secret')
);

Your new Personal Access Client will now be used to issue new personal access tokens. Any previously issued tokens will be invalid and will need to be re-generated.

For full details regarding upgrading to Passport v9 please see the upgrade guide.

By Dries Vints
Follow the RSS Feed.