OAuth 2.0 Flow Demonstrations

Choose an OAuth 2.0 flow to test with your Laravel Passport server.

Authorization Code Flow with PKCE

The most secure flow for public clients. Uses PKCE (Proof Key for Code Exchange) to prevent authorization code interception attacks.

✓ Most secure for SPAs and mobile apps
✓ No client secret required
✓ Prevents code interception

Start Authorization Code + PKCE Flow

Authorization Code Flow

Traditional server-side flow. Requires client secret and is suitable for confidential clients that can securely store credentials.

✓ Suitable for server-side apps
⚠ Requires client secret
✓ Refresh token support

Start Authorization Code Flow

Implicit Flow

Legacy flow for browser-based applications. Returns access token directly in URL fragment. Not recommended for new applications.

⚠ Less secure than PKCE
✗ No refresh token
⚠ Token in URL fragment

Start Implicit Flow

Password Grant Flow

Direct credential exchange. Only use when you fully trust the client application and other flows are not viable.

⚠ Requires user credentials
✓ Refresh token support
⚠ Use only for trusted clients

Configuration

Make sure your OAuth server is configured with the following settings:

                    OAuth Server URL: https://otrdev.mbpj.gov.my

                    Client ID: ea68c2c1-92a8-4aff-bed3-c970c8fd20d8

                    Redirect URI: https://eaduanadminse.mbpj.gov.my/oauth/callback

                    Scopes: read-user

Update these settings in your .env file to match your OAuth server configuration.