Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 3 years ago.
Improve this question
I'm trying to figure out what's the correct way to authenticate users with Passport for a Vue SPA. I can't figure out which grant type I should use considering that implicit grant is not recommended by IETF’s OAuth working group and the other methods require to pass the client_secret with the request, I'm a bit lost...
I was thinking password grant but I receive a refresh token and it’s not really secure to store it in the localstorage.
I also thought about the cookie injected by laravel passport in every request but I can’t find out how to login from my SPA with this approach...
Any lead on what’s the best / more secure way to do this ?
Thanks!
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 months ago.
Improve this question
So basically I understand REST API is basically stateless and we should not use session based authentication of API Routes. However, let's say if my application already has a session based authentication because it is a SPA. So I have a few questions.
How do we actually protect these api routes without using session, so that we can actually test these api routes on Postman etc ?
How can we achieve this without effecting the existing authentication system ?
Do we need to use Passport or Sanctum to achieve this?
Thank you.
If your SPA and API are on the same domain, you likely want Sanctum which uses sessions via cookies or tokens to manage authentication. Based on your question it seems like Sanctum would be the best fit for integrating with your existing authentication workflow.
If your SPA is not on the same domain as your API you’ll want to use either Fortify or Passport.
I would avoid Passport unless you require an OAuth workflow.
Either you can create a your custom authentication using JWT token in laravel to authenticate the API. For that you can use tymondesigns/jwt-auth a third-party jwt-auth library.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
I need create REST API for android and ios apps. It will be small social network. Which way is better to use? Client Grant Tokens or Personal Access Tokens. Help me please!
use Laravel Sanctum https://laravel.com/docs/7.x/sanctum
Laravel Sanctum provides a featherweight authentication system for SPAs (single page applications), mobile applications, and simple, token based APIs. Sanctum allows each user of your application to generate multiple API tokens for their account. These tokens may be granted abilities / scopes which specify which actions the tokens are allowed to perform.
Laravel Passport is also useful.
Laravel already makes it easy to perform authentication via traditional login forms, but what about APIs? APIs typically use tokens to authenticate users and do not maintain session state between requests. Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation for your Laravel application in a matter of minutes.
https://laravel.com/docs/7.x/passport
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
I have an android client which doesn't implement any username and password login, it user OTP for login. So i have only firebase userID. How can i configure WebSecurityConfigurerAdapter to use this firebase userID to authenticate user and we don't have front-end website for logging in.
you need to configure spring security to use a custom autenticationProvider, and use firebase API to verify your tokens sent as a header of you request, have a look at this example HERE
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
I'm new in laravel, I want to create basic Laravel API without login authentication to get the token. Is there a way to create a static API token that can access fron header?, any answer would be appreciated.
You should use Laravel Passport definitely.
Documentation of Passport and underlying Oauth2 Server, could be a way better.
But despite this fact, it is a way to go, for building real, good working API.
If you want to use password grant token only (which is the most used scenario) then this post might be helpful to you...
You can do it using Laravel Passport. Read the documentation here https://laravel.com/docs/5.6/passport
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
I am new to Laravel and I noticed that it has an auth library but I would like to know what threats does it protect against. For example, does it use any technique to protect against brute force attacks?
Laravel Auth library/class only autheticate the user (or whatever you may authenticate) in your system and using it with the filters, you can garantee that the user only see what is permited for him to see. It does not really care in secure your system against attacks, for exemple. That's is on you!