
Add ability to set encryption keys from config #683

Merged
merged 5 commits into from
Apr 9, 2018

Conversation

reinink
Contributor

@reinink reinink commented Apr 4, 2018

Currently the only way to set encryption keys in Passport is with local files (/storage/oauth-private.key and /storage/oauth-public.key). However, this can be problematic in multi-server setups, where the same keys must be shared across multiple systems. In those situations, it's better to use environment variables. This PR adds the ability to do that.

The PHP League's OAuth 2.0 Server library supports passing either a file path or text version of the key to their CryptKey class. It does this by doing a regular expression to check if the string provided matches a RSA key pattern. If yes, it automatically saves the key to a temporary file, otherwise it treats the string as a file path. Unfortunately there was a bug with this regular expression in version 6 of the League's library, which is why this also includes an upgrade to version 7.

One gnarly thing here is dealing with line returns in the environment variables. Many services allow line returns (i.e. Heroku), but the vlucas/phpdotenv library does not. To support this functionality locally, this PR automatically converts all \n instances to proper line returns. Here is how you would define this in the .env file:

PASSPORT_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIJJwIBAAKCAgEAw3KPag...\n-----END RSA PRIVATE KEY-----"
PASSPORT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOC...\n-----END PUBLIC KEY-----\n"

@reinink reinink mentioned this pull request Apr 4, 2018
@taylorotwell
Member

Can you summarize the breaking changes? Is it just the default null value change?

@reinink
Contributor Author

reinink commented Apr 5, 2018

Yes, that is correct, just the signature change on Bridge/ClientRepository@getClientEntity, which was required when I updated to v7 of the League's library.

If you're going to publish this as a breaking release, you may also consider changing PassportServiceProvider@CryptKey to a public method to avoid some of the hackery required in the tests.

@JuanDMeGon
Contributor

Hello,
Isn't it equivalent to having the key files on every system?
I mean, in the end you will repeat the keys in the .env file of every system as well.
Or maybe I am misunderstanding something?

@reinink
Contributor Author

reinink commented Apr 6, 2018

@JuanDMeGon Many cloud-based hosting services, like Heroku, provide a web-based interface where you can set up environment variables. Those variables are then available automatically on all instances (servers). No need to use the .env file at all.

@Sephster
Contributor

Sephster commented Apr 6, 2018

When moving from v6 to v7, there were two main changes:

  • support for PHP 5.6 dropped
  • update the getClientEntity() function to allow null values for the $grantType so you can get a client without having to specify a grant.

I've updated the upgrade guide to reflect this. Most other changes are listed in the changelog.

@reinink
Contributor Author

reinink commented Apr 6, 2018

@Sephster Awesome! Thanks for jumping in on this discussion. 👍

@taylorotwell taylorotwell merged commit bb211a9 into laravel:master Apr 9, 2018
@joelharkes

I have tried this in v6.0.6 but why doesn't it work?

I have even tried copying the passport.php config into my Laravel project.

Or is this for a v7?

@joelharkes

Never mind, I found that in the dotenv file I need to escape the backslash (contrary to .yml files for docker compose).

After escaping \n => \\n it works.

@warren32

Anybody having issues after updating vlucas/phpdotenv to 2.5.* will need to escape the backslash when defining the keys in the .env. Here is the updated example of what your keys would look like:

PASSPORT_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\\nMIIJJwIBAAKCAgEAw3KPag...\\n-----END RSA PRIVATE KEY-----"
PASSPORT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\\nMIICIjANBgkqhkiG9w0BAQEFAAOC...\\n-----END PUBLIC KEY-----\\n"
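As an added illustration of the two points raised in the PR description and in the comment above (the `\n` sequences stored in an environment variable must be turned back into real line breaks, and since vlucas/phpdotenv 2.5 the backslash itself has to be escaped), here is a small PHP helper that is not part of Passport or the League library. It normalises a key read from an environment variable (accepting both the single-escaped and the double-escaped form), decides whether the value is PEM text or a file path, and asks OpenSSL to parse the key before it is handed to Passport, so a malformed variable is reported at boot with a readable message instead of as a failed token request. The function names, the regular expression and the error handling are this example's own; only the two environment variable names come from the PR.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of Passport. A .env file that went through
// phpdotenv may hand us the two-character sequence "\n" (or "\\n" once the
// backslash is escaped as required since phpdotenv 2.5) instead of real line
// breaks; OpenSSL then fails with "bad base64 decode".
function normalizeEnvKey(string $raw): string
{
    $key = trim($raw);
    // Replace the double-escaped form first, then the single-escaped form.
    $key = str_replace(['\\\\n', '\\n'], "\n", $key);
    // Collapse CRLF to LF so every PEM line is terminated the same way.
    return str_replace("\r\n", "\n", $key);
}

// Rough check in the spirit of the League CryptKey behaviour described in the
// PR: a string that starts like a PEM block is key material, anything else is
// treated as a file path. The pattern is this example's own, not the library's.
function looksLikePem(string $value): bool
{
    return (bool) preg_match('/^-----BEGIN (RSA |EC |ENCRYPTED )?(PUBLIC|PRIVATE) KEY-----/', $value);
}

// Let OpenSSL parse the key so a broken value is caught early and reported
// with the underlying OpenSSL reason attached.
function assertParsableKey(string $pem, bool $private): void
{
    $res = $private ? openssl_pkey_get_private($pem) : openssl_pkey_get_public($pem);
    if ($res === false) {
        $reason = openssl_error_string() ?: 'unknown reason';
        throw new RuntimeException(($private ? 'Private' : 'Public') . " key could not be parsed: $reason");
    }
}

// Resolve one key from the environment. Returns the PEM text itself, or the
// file path when the variable points at a file, which is what Passport accepts.
function resolveKey(string $envName, bool $private): string
{
    $raw = getenv($envName);
    if ($raw === false || $raw === '') {
        throw new RuntimeException("$envName is not set");
    }

    $value = normalizeEnvKey($raw);

    if (looksLikePem($value)) {
        assertParsableKey($value, $private);
        return $value;
    }

    // Not PEM text: treat it as a path, as the League library does.
    if (!is_readable($value)) {
        throw new RuntimeException("$envName is neither PEM text nor a readable file path");
    }
    assertParsableKey((string) file_get_contents($value), $private);
    return $value;
}

// Example usage: the variable names are the ones introduced by this PR; the
// values come from whatever your deployment (e.g. Heroku config vars) set.
$privateKey = resolveKey('PASSPORT_PRIVATE_KEY', true);
$publicKey  = resolveKey('PASSPORT_PUBLIC_KEY', false);
echo "Both Passport keys parsed successfully\n";
```

Running this at deploy time (or in a boot-time health check) turns the vague "It was not possible to parse your key" reported later in this thread into a message that says which variable is wrong and why, without ever printing the key material itself.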

@joelharkes

You know, there should just be a default public and private key configured. Way handier for first-time Laravel users.

Maybe just add a warning or fail when the app env is not local or when it is production.

But I'm probably not the first to offer this idea?

@pqt

pqt commented Jan 22, 2019

Just wanted to chime in @reinink, thank you for this. I love this contribution and it has been a life saver more times than I can count now. ❤️

@samuthojo

@reinink I have added the keys in Config Vars on Heroku. But then how do I tell Laravel to load the keys from env instead of looking them up on the file system?

@taylorotwell
Member

Export the configuration using vendor:publish and make sure your env vars match the vars in the configuration file.

@J5Dev

J5Dev commented Feb 12, 2019

Maybe a stupid question, but I am fine with publishing the config file and then having the keys set as env vars, however, at which point should the keys be generated, and where?

Example, we have an app that can be deployed per client, so each deployment will need its own keys (Password grant). We can have the config file in our source control, but do we need to just run the install command locally to get keys each time we want a new set (for a new client).

Or... can this be somehow incorporated into our deployment scripts?

(We are running the app as a stateless instance, with no file storage at all)

@driesvints
Member

@J5Dev it's best that you ask this on a support channel:

My suggestion would be to do it manually in your first deploy, or, if you have a dynamic deploy, incorporate it by adding an if check around the bash script (if you're using that) that checks whether the files already exist.

@joelharkes

@J5Dev You should generate them once for a single environment. If you change keys, then after the update you won't be able to decrypt the encrypted cookies and access tokens anymore, so everybody will be logged out.

@lkmadushan

I'm getting this error when I'm configuring Passport encryption keys from .env: It was not possible to parse your key, reason: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode
Does anyone have any idea about it?

@lkmadushan

lkmadushan commented Mar 24, 2019

PASSPORT_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\n∂MIIJKQIBAAKCAgEA5pgwnp9gEr5l8JWs8kHzTzpb9RT6/+U3X043EtTIVDG+gbtH∂YbroP65LpVDGFuerj9KreDcKdG7DZ7ngds3doXabWi0+sd+prCb/wtmtSE+ePW1x∂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\n-----END RSA PRIVATE KEY-----"
PASSPORT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\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\n-----END PUBLIC KEY-----\n"

m777z pushed a commit to m777z/laravel-docs that referenced this pull request Jun 8, 2019
gdebrauwer pushed a commit to gdebrauwer/docs that referenced this pull request Jun 20, 2019
@YassineChe

Hello, can anyone help?

I'm trying to generate tokens via Laravel 8 Passport by sending an HTTP request to the endpoint (using Laravel Valet to deploy apps):

https://project.test/oauth/token

My composer.json:

    "php": "^7.3|^8.0",
    "fideloper/proxy": "^4.4",
    "fruitcake/laravel-cors": "^2.0",
    "guzzlehttp/guzzle": "^7.0.1",
    "laravel/framework": "^8.12",
    "laravel/jetstream": "^1.6",
    "laravel/passport": "^10.1",
    "laravel/sanctum": "^2.6",
    "laravel/socialite": "^5.1",
    "laravel/tinker": "^2.5",
    "livewire/livewire": "^2.0"

I get this exception: It was not possible to parse your key, without specifying the reason why. I tried to google it and found nothing; I have been stuck with this for days.

{
    "message": "It was not possible to parse your key, reason: ",
    "exception": "Lcobucci\\JWT\\Signer\\InvalidKeyProvided",
    "file": "/Users/yassine/Desktop/apps/project/vendor/lcobucci/jwt/src/Signer/InvalidKeyProvided.php",
    "line": 17,
    "trace": [
        {
            "file": "/Users/yassine/Desktop/apps/project/vendor/lcobucci/jwt/src/Signer/OpenSSL.php",
            "line": 85,
            "function": "cannotBeParsed",
            "class": "Lcobucci\\JWT\\Signer\\InvalidKeyProvided",
            "type": "::"
        },
        {
            "file": "/Users/yassine/Desktop/apps/project/vendor/lcobucci/jwt/src/Signer/OpenSSL.php",
            "line": 42,
            "function": "validateKey",
            "class": "Lcobucci\\JWT\\Signer\\OpenSSL",
            "type": "->"
        },
        {
            "file": "/Users/yassine/Desktop/apps/project/vendor/lcobucci/jwt/src/Signer/OpenSSL.php",
            "line": 18,
            "function": "getPrivateKey",
            "class": "Lcobucci\\JWT\\Signer\\OpenSSL",
            "type": "->"
        },
        {
            "file": "/Users/yassine/Desktop/apps/project/vendor/lcobucci/jwt/src/Signer/BaseSigner.php",
            "line": 38,
            "function": "createHash",
            "class": "Lcobucci\\JWT\\Signer\\OpenSSL",
            "type": "->"
        },
        {
            "file": "/Users/yassine/Desktop/apps/project/vendor/lcobucci/jwt/src/Builder.php",
            "line": 568,
            "function": "sign",
            "class": "Lcobucci\\JWT\\Signer\\BaseSigner",
            "type": "->"
        },
        {
            "file": "/Users/yassine/Desktop/apps/project/vendor/lcobucci/jwt/src/Builder.php",
            "line": 529,
            "function": "createSignature",
            "class": "Lcobucci\\JWT\\Builder",
            "type": "->"
        },

@erikverheij

@YassineChe I've experienced a similar error a while ago when I tried to run my Laravel app on PHP 8. Switching back to 7.x fixed it for me for the moment.

@driesvints
Member

@YassineChe please make sure you're running the very latest versions of Passport, lcobucci/jwt and OAuth2 Server. If that doesn't help, please open an issue.

@joelharkes

I have been experiencing some issues with lcobucci/jwt as well; reverting back to "lcobucci/jwt": "3.3.3" does the trick.

@driesvints
Member

Which issues? All should be resolved in the latest versions.
