Laravel — Implementing Social Auth for API (via mobile app) with Socialite & Passport

While I was developing an API for a mobile app, I faced the issue of how I could implement a social authentication (Facebook, Google) between our mobile app and our API.

I knew about Laravel’s Socialite package for implementing that in the web (with redirects and callbacks…) but I was not familiar of doing that using an API.

After some search and testing I figured out the best way of doing this, with best practises and security in mind.

This is a clear and complete implementation flow and example, of how I achieved that easily with Laravel, Laravel Passport and Laravel Socialite.

TL;DR

The flow is simple:

  • In the mobile app, you use the specific SDK’s for user authentication.
Socialite::driver('facebook')->userFromToken($access_token);
  • If the access_token exists and is correct, you get the user’s info (provider’s user), and continue your logic (e.g create or login the user).

Complete Example (Laravel 8)

Notice: I included only the necessary files and changes. I skipped the setup process of Laravel, Passport, Socialite and extra checks, try-catch blocks etc. I tried to make the example for begginers too. The example shows the implementation for Facebook auth, but it is the same for other providers like Google.

config/services.php

'facebook' => [
'client_id' => env('FACEBOOK_CLIENT_ID'),
'client_secret' => env('FACEBOOK_CLIENT_SECRET'),
'redirect' => env('FACEBOOK_REDIRECT_URI')
],

.env file

FACEBOOK_CLIENT_ID={the_facebook_client_id}
FACEBOOK_CLIENT_SECRET={the_facebook_client_secret}
FACEBOOK_REDIRECT_URI=

Notice: Apparently the redirect URI is not needed!

Database setup

In the create_users_table migration file

  • we make the user email and password nullables
Schema::create('users', function (Blueprint $table) {
...
$table->string('email')->unique()->nullable();
$table->string('password')->nullable();
...
$table->string('provider_name')->nullable();
$table->string('provider_id')->nullable();
...
});

Route

use App\Http\Controllers\AuthController;...Route::get('social/login', [AuthController::class, 'socialLogin']);

App\Http\Controllers\AuthController.php

/**
* Social Login
*/
public function socialLogin(Request $request)
{
$provider = "facebook"; // or $request->input('provider_name') for multiple providers
$token = $request->input('access_token');
// get the provider's user. (In the provider server)
$providerUser = Socialite::driver($provider)->userFromToken($token);
// check if access token exists etc.. // search for a user in our server with the specified provider id and provider name
$user = User::where('provider_name', $provider)->where('provider_id', $providerUser->id)->first();
// if there is no record with these data, create a new user
if($user == null){
$user = User::create([
'provider_name' => $provider,
'provider_id' => $providerUser->id,
]);
}
// create a token for the user, so they can login
$token = $user->createToken(env('APP_NAME'))->accessToken;
// return the token for usage
return response()->json([
'success' => true,
'token' => $token
]);
}

I hope this helps! Thanks for reading!

John Stavropoulos

Connect with me here:

Freelance Software Engineer — Full Stack Developer.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store