OAuth 2.0 and JWT: A Modern Authentication Guide

zafer ak

Author

12 November 2025, 2 minute read
OAuth 2.0 flows, JWT structure, and Laravel Passport/Sanctum, finishing with a social login implementation.

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that lets a third-party application obtain limited, scoped access to a user's resources without ever receiving the user's password. "Login with Google/Facebook" is the familiar example, although the login part is strictly OpenID Connect, an identity layer built on top of OAuth 2.0: plain OAuth 2.0 issues access tokens for calling APIs, not proof of who the user is.

OAuth 2.0 Roles

  • Resource Owner: the user who owns the data
  • Client: your application, which wants access on the user's behalf
  • Authorization Server: the server that authenticates the user and issues tokens
  • Resource Server: the protected API that accepts those tokens

Grant Types

Authorization Code (Web Apps)

1. User → Your App: login request
2. Your App → Auth Server: redirect with client_id, redirect_uri, scope, a random state value (and a PKCE code_challenge)
3. User → Auth Server: login and consent
4. Auth Server → Your App: authorization code (plus the same state) delivered to the redirect_uri
5. Your App → Auth Server: code + client_secret (and the PKCE code_verifier), sent server-to-server, never through the browser
6. Auth Server → Your App: access token (and optionally a refresh token)
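The client side of steps 2, 4 and 5 above, as an added example that is not code from the post: it builds the authorization redirect with a random state and a PKCE S256 challenge, validates the state on the callback, and assembles the token request. It uses only the Python standard library; the endpoints, client id and redirect URI are hypothetical values constructed for the demo, and the "server_checks_pkce" function stands in for what the authorization server does in step 5.

```python
"""Authorization Code flow with state and PKCE: the client-side steps 2, 4 and 5.

Added example; not code from the post. Endpoints, client id and redirect URI
are hypothetical values constructed for the demo.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"  # hypothetical
TOKEN_URL = "https://auth.example.com/oauth/token"          # hypothetical
CLIENT_ID = "demo-client"                                   # hypothetical
REDIRECT_URI = "https://app.example.com/oauth/callback"     # hypothetical


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple:
    """RFC 7636: random verifier, challenge = BASE64URL(SHA256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 limit
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def begin_login(session: dict, scope: str = "openid profile") -> str:
    """Step 2: build the redirect and keep state + verifier in the server-side session."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_query(url: str) -> dict:
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback(session: dict, callback_url: str) -> dict:
    """Steps 4-5: check state, then build the body of the back-channel token request.

    Raises ValueError on anything that must not proceed to the token exchange.
    """
    query = parse_query(callback_url)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"])
    expected = session.pop("oauth_state", None)  # single use: a replay cannot match
    received = query.get("state")
    if expected is None or received is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch")  # login CSRF or a code injected from another session
    code = query.get("code")
    if not code:
        raise ValueError("missing code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the value sent in step 2
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("pkce_verifier"),
        # A confidential client adds client_secret (or HTTP Basic auth) here;
        # a public client (SPA, mobile app) has no secret and relies on PKCE instead.
    }


def callback_outcome(session: dict, callback_url: str) -> str:
    """'ok' or the rejection reason, for callers that prefer a status to an exception."""
    try:
        handle_callback(session, callback_url)
        return "ok"
    except ValueError as exc:
        return str(exc)


def server_checks_pkce(code_challenge: str, code_verifier: str) -> bool:
    """The authorization server's half of step 5: the verifier must hash to the stored challenge."""
    recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(code_challenge.encode(), recomputed.encode())


if __name__ == "__main__":
    session = {}
    url = begin_login(session)
    print("redirect user to:", url)
    sent = parse_query(url)
    # Simulated step 4: the authorization server redirects back with a code and our state.
    callback = REDIRECT_URI + "?" + urlencode({"code": "demo-code-123", "state": sent["state"]})
    body = handle_callback(session, callback)
    print("POST", TOKEN_URL, body)
    print("server PKCE check:", server_checks_pkce(sent["code_challenge"], body["code_verifier"]))
```

The state is consumed with pop() so a second callback with the same value fails even inside the same session, and it is compared in constant time. The code_verifier never leaves the server until step 5, so an attacker who intercepts the redirect in step 4 holds a code they cannot redeem.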

Client Credentials (Machine-to-Machine)

No user is involved: the client authenticates as itself. RFC 6749 sends the token request as a form-encoded body over TLS, and the client_secret must live only on the server (environment variable or secret store), never in a browser or mobile binary.

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=xxx&client_secret=xxx

JWT (JSON Web Token)

// Structure: base64url(header) . base64url(payload) . base64url(signature)
// Sample: the jwt.io demo token, HS256 with the secret "your-256-bit-secret"
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

// Decoded header
{
    "alg": "HS256",
    "typ": "JWT"
}

// Decoded payload (only base64url-encoded, not encrypted: never put secrets in it)
{
    "sub": "1234567890",
    "name": "John Doe",
    "iat": 1516239022
}
// This demo token has no "exp"; a production token must set one, e.g. "exp": 1516242622 (one hour after iat).
// The signature is HMAC-SHA256(secret, header_b64 + "." + payload_b64); whoever holds the secret can mint tokens.

Laravel Sanctum (SPA & Mobile)

# Installation (Laravel 10 and earlier; on Laravel 11+ `php artisan install:api` installs and publishes Sanctum for you)
# Run the migrations afterwards to create the personal_access_tokens table
composer require laravel/sanctum
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

// Issue a token. Sanctum stores only the SHA-256 hash of it; the plaintext
// is available once, here, and must be handed to the client immediately
$token = $user->createToken('mobile-app')->plainTextToken;

// Send the token (these are opaque random strings, not JWTs; the 'expiration'
// key in config/sanctum.php bounds their lifetime in minutes, null means never)
Authorization: Bearer {token}

// Revoke the token that authenticated the current request
$user->currentAccessToken()->delete();

Laravel Passport (Full OAuth Server)

# Installation (generates the RSA key pair Passport signs access tokens with, plus the default clients)
composer require laravel/passport
php artisan passport:install

// Personal access token. Passport access tokens are JWTs signed with
// storage/oauth-private.key: anyone who obtains that key can mint tokens
$token = $user->createToken('Personal Token')->accessToken;

// OAuth client. Passport::client() only returns a fresh Client model instance;
// register real clients with `php artisan passport:client`, which prints the secret once
$client = Passport::client();

Social Login (Socialite)

# Installation
composer require laravel/socialite

// config/services.php
'google' => [
    'client_id' => env('GOOGLE_CLIENT_ID'),
    'client_secret' => env('GOOGLE_CLIENT_SECRET'),
    'redirect' => env('GOOGLE_REDIRECT_URI'),
],

// Controller
public function redirect()
{
    // Socialite generates a random state, stores it in the session and sends it with the redirect
    return Socialite::driver('google')->redirect();
}

public function callback()
{
    // user() verifies the returned state (Laravel\Socialite\Two\InvalidStateException on
    // mismatch) and exchanges the code for a token server-side
    $googleUser = Socialite::driver('google')->user();

    // Match on the provider's stable id, never on the e-mail alone: an attacker who
    // controls an unverified address at some provider could otherwise take over the
    // local account that already uses that e-mail
    $user = User::updateOrCreate([
        'google_id' => $googleUser->id,
    ], [
        'name' => $googleUser->name,
        'email' => $googleUser->email,
    ]);

    Auth::login($user);
    return redirect('/dashboard');
}

Security Best Practices

  • HTTPS everywhere: tokens are bearer credentials, and anyone who can read one can use it
  • Keep access token lifetimes short (minutes to an hour) and always set exp
  • Rotate refresh tokens on every use and revoke the whole token family when a rotated token is replayed
  • Scope-based access control: request and issue only the scopes a client actually needs
  • Provide a token revocation endpoint (RFC 7009) and revoke on logout and on suspected compromise
  • Use state and PKCE in the authorization code flow, and pin the JWT algorithm on the verifier side

Conclusion

OAuth 2.0 and JWT are the standard for modern API authentication. Laravel Sanctum is enough for most projects; reach for Passport only when you need to act as a full OAuth 2.0 authorization server for third-party clients.
