Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 months ago.
Improve this question
So basically I understand REST API is basically stateless and we should not use session based authentication of API Routes. However, let's say if my application already has a session based authentication because it is a SPA. So I have a few questions.
How do we actually protect these api routes without using session, so that we can actually test these api routes on Postman etc ?
How can we achieve this without effecting the existing authentication system ?
Do we need to use Passport or Sanctum to achieve this?
Thank you.
If your SPA and API are on the same domain, you likely want Sanctum which uses sessions via cookies or tokens to manage authentication. Based on your question it seems like Sanctum would be the best fit for integrating with your existing authentication workflow.
If your SPA is not on the same domain as your API you’ll want to use either Fortify or Passport.
I would avoid Passport unless you require an OAuth workflow.
Either you can create a your custom authentication using JWT token in laravel to authenticate the API. For that you can use tymondesigns/jwt-auth a third-party jwt-auth library.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 1 year ago.
Improve this question
I'm looking for help in choosing the right, most modern and safest way to authenticate. I'm using Spring as backend along with Angular on frontend. I'll add that I want to use OAuth2. I've really searched quite a few sites and haven't found a straight answer. I'm really confused...
I started with this implementation, but than I stopped after reading this recommendations. So far I know that I should use Authorization Code Grant with PKCE.
How is it done in applications that are already in production?
The most sensible (as I think) option so far is implementing auth with Keycloak. Is embedded version reliable?
If you want to secure your API with OAuth there are many products out there which you can use (both open-source and paid solutions, if you search for "identity server" you should be able to find a few solutions). Keycloak is a viable option, but there are others.
When it comes to choosing a flow, I would also go with the Authorization Code Grant with PKCE. This currently is the recommended way, especially if you'll be performing OAuth flows directly from your Angular app.
That's another decision you would have to make - whether you want your frontend client contact the Authorization Server directly (then you have to handle tokens in the frontend app), or you want to call your backend and have the backend talk to the Authorization Server (then you would probably have a session cookie, and associate the session with any access tokens).
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
I am currently using Laravel Sanctum for my Laravel Project with Vue SPA. I just wanted to ask, do I have to create my own Controllers to handle Login and Register or just use the Laravel default controllers installed when I run php artisan ui vue --auth. I followed some tutorials applying these both scenarios but I can't seem to decide which is a better approach.
This is quite subjective and is really personal preference.
Taking a look at the Laravel Sanctum docs:
...you should make a POST request to the typical Laravel /login route. This /login route may be provided by the laravel/jetstream authentication scaffolding package.
So if you're happy with the login/register functionality provided by the defaults Laravel stubbed out with the --auth option then use them.
If you prefer to customise the logic and write your own implementation then this is fine too.
As far as Sanctum is concerned, it doesn't look like it cares how this is done. When using it with an SPA, once you're authenticated with Laravel, I imagine Sanctum uses a cookie to authenticate the session from there on out.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
I need create REST API for android and ios apps. It will be small social network. Which way is better to use? Client Grant Tokens or Personal Access Tokens. Help me please!
use Laravel Sanctum https://laravel.com/docs/7.x/sanctum
Laravel Sanctum provides a featherweight authentication system for SPAs (single page applications), mobile applications, and simple, token based APIs. Sanctum allows each user of your application to generate multiple API tokens for their account. These tokens may be granted abilities / scopes which specify which actions the tokens are allowed to perform.
Laravel Passport is also useful.
Laravel already makes it easy to perform authentication via traditional login forms, but what about APIs? APIs typically use tokens to authenticate users and do not maintain session state between requests. Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation for your Laravel application in a matter of minutes.
https://laravel.com/docs/7.x/passport
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 3 years ago.
Improve this question
I'm trying to figure out what's the correct way to authenticate users with Passport for a Vue SPA. I can't figure out which grant type I should use considering that implicit grant is not recommended by IETF’s OAuth working group and the other methods require to pass the client_secret with the request, I'm a bit lost...
I was thinking password grant but I receive a refresh token and it’s not really secure to store it in the localstorage.
I also thought about the cookie injected by laravel passport in every request but I can’t find out how to login from my SPA with this approach...
Any lead on what’s the best / more secure way to do this ?
Thanks!
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
I'm new in laravel, I want to create basic Laravel API without login authentication to get the token. Is there a way to create a static API token that can access fron header?, any answer would be appreciated.
You should use Laravel Passport definitely.
Documentation of Passport and underlying Oauth2 Server, could be a way better.
But despite this fact, it is a way to go, for building real, good working API.
If you want to use password grant token only (which is the most used scenario) then this post might be helpful to you...
You can do it using Laravel Passport. Read the documentation here https://laravel.com/docs/5.6/passport