I know passport uses oAuth, but my question is.. is it better to use Passport for Auth (Login and Register) or should i use jwt for login and register and Passport for external API requests... or use passport for both (User API and Login/AUTH)
Now i'm programming a SPA website with laravel and VueJs 2, i'm stuck in this.
Laravel Passport does, in fact, use JWT so comparing "JWT vs Passport" is kind of wrong.
You can use Laravel Passport for everything you mentioned - logging in, registering (not built-in in Passport but easy to add) and protecting external API requests.
Related
I am developing apis in laravel which will be used by some external companies.
Here I am confused that should I use Laravel Sanctum or Passport (Personal access token) for third party companies authorization and give them access to private apis?
I does not really matter. Both packets can issue tokens or cookies. Passport is overkill of you only use tokens and that's it.
I'm currently using Santum SPA autentication and noticed that I can login from mozilla and chrome at the same time. This means that users can login from different devices. How do I prevent this with Sanctum SPA Authencation?
The thing is I think I should be able to do this if I use Sanctum Tokens since I can easily check if the user has an existing token.
$tokens = $user->tokens;
However, the documentation says:
You should not use API tokens to authenticate your own first-party SPA. Instead, use Sanctum's built-in SPA authentication features.
The things I'll lose if I use sanctum tokens for SPA:
This approach to authentication provides the benefits of CSRF
protection, session authentication, as well as protects against
leakage of the authentication credentials via XSS.
or is this outside the scope of Laravel Sanctum?
You Can delete User's other Tokens whenever he logs in from a new device using a new token.
$user->tokens()->where('id', '!=' ,$user->currentAccessToken()->id)->delete();
After googling I'm convinced that this functionality is not included in Laravel SPA Sanctum out-of-the-box.
But I found this youtube video that made this possile.
the more I read about Laravel Spa (Vue) authentication, the more I ask myself about the "best way" to authenticate with Sanctum.
Official Laravel documentation says:
For this feature, Sanctum does not use tokens of any kind. Instead,
Sanctum uses Laravel's built-in cookie based session authentication
services. This approach to authentication provides the benefits of
CSRF protection, session authentication, as well as protects against
leakage of the authentication credentials via XSS.
But a lot of videos on YouTube or other tutorials on the internet all using (bearer) tokens which sounds contradictory to me. I mean, just using a single token for authentication seems to be a bit unsafe to me.
Also, some of those people defined "login" and "register" routes directly into Laravels route file, instead of using Vue router.
I'm using Laravel 8, VueJS 3 and Vuex 4.
So, what do you think: Am I on the right way by using Vue routes and sanctum authentication using cookies or not? And why?
Thank you, I appreciate that.
I am newbie with laravel.
I understand that in order to protect routes, you have to first check if a user is authenticated and a session is made. thus, we apply auth middleware in the web routes.
However, I am trying to implement laravel passport and now I am not able to proceed to my routes anymore since I have been authenticated using the passport.
My question is that is it possible to secure the web routes with passport token instead of laravel session? and if so, how one should do it?
Thanks, sorry for english, not native speaker.
Laravel passport is for API routes not for web routes you can use laravel session for web
for more details read it's documentation
https://laravel.com/docs/8.x/passport
I am kind of confused about recognizing the discrepancy between Laravel Passport and tymondesigns/jwt-auth package. Do they actually serve the same purpose of API authentication via tokens?
As long as Laravel Passport was introduced in 5.3+, is one supposed to use Passport instead of tymondesigns/jwt-auth package in the latest versions?
The "tymondesigns/jwt-auth" is a PHP Laravel implementation of the JWT protocol. On the other hand, Passport also uses JWT by default plus a huge extra, a complete Oauth2 implementation. Regarding the functionality, as I said they both use JWT thus you can use whichever you like to authentication via tokens. They both do their job and you'll have a secure API tokens implementation.
The difference comes if you would like a lightweight API tokens implementation or the plus of the Oauth2 server to allow more and other apps to communicate with your app. One of the most common cases would be how some random apps ask Google or Facebook for your user information. If you implement the Oauth2 server your app would allow any other app with a proper token to ask for data from your app.
"[...] Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation for your Laravel application in a matter of minutes. Passport is built on top of the League OAuth2 server that is maintained by Alex Bilbie." from https://laravel.com/docs/master/passport
For more details, I have made an explanation of Laravel Passport, JWT, Oauth2, and Auth0.
2021, Dec.
Laravel Passport does not sopport PHP 7.4. "psr/log" demands PHP 8. In case of PHP 7.4, use other solutions than Laravel Passport.