Not enough integration with Passport #52
Also, is it possible to use airlock with things like telescope?
If you're already using Passport (and you need oauth) then continue using Passport... you don't NEED Airlock for stateful authentication, as Passport can provide it for you. See https://laravel.com/docs/5.8/passport#consuming-your-api-with-javascript On the other hand, if you don't need oauth... then get rid of passport and use airlock instead. If you're keen on keeping both (or need to), To answer the second half of your question, you don't need any special or custom login methods to return tokens for a first party frontend. Assuming you're using a default laravel auth scheme, you simply
If you get a 200 OK from /login, then you're authenticated (which means the cookie has been created and there's a valid session associated with it) and subsequent requests will succeed.
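The cookie-based login described in the comment above, where a 200 OK from /login means the session cookie exists, as an added example that is not part of the thread or of Airlock's own code. The `/airlock/csrf-cookie` path, the `XSRF-TOKEN` cookie and `X-XSRF-TOKEN` header names, the injected `fetchImpl`/`readCookies` helpers and the stub API are assumptions.

```javascript
// Assumed names (not from the thread): CSRF_PATH, the XSRF-TOKEN cookie and
// X-XSRF-TOKEN header (Laravel defaults), fetchImpl/readCookies injection.
const CSRF_PATH = '/airlock/csrf-cookie';

// Extract and URL-decode XSRF-TOKEN from a document.cookie-style string.
function xsrfFromCookies(cookieString) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0 && part.slice(0, eq).trim() === 'XSRF-TOKEN') {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Resolves true only when /login answers 200, i.e. the session cookie is set.
async function loginStateful(fetchImpl, readCookies, apiBase, email, password) {
  // credentials: 'include' lets the browser store and resend cross-origin cookies.
  await fetchImpl(apiBase + CSRF_PATH, { credentials: 'include' });
  const token = xsrfFromCookies(readCookies());
  if (!token) throw new Error('XSRF-TOKEN cookie not readable; check cookie domain');
  const res = await fetchImpl(apiBase + '/login', {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/json', 'X-XSRF-TOKEN': token },
    body: JSON.stringify({ email, password }),
  });
  return res.status === 200;
}

// Constructed stand-in for the API plus the browser cookie jar (offline demo).
function makeFakeApi() {
  const api = { jar: {}, session: null }; // session models the HttpOnly cookie
  api.fetchImpl = async (url, init = {}) => {
    if (url.endsWith(CSRF_PATH)) { api.jar['XSRF-TOKEN'] = 'tok%3D123'; return { status: 204 }; }
    const sent = (init.headers || {})['X-XSRF-TOKEN'];
    if (sent !== decodeURIComponent(api.jar['XSRF-TOKEN'] || '')) return { status: 419 };
    if (JSON.parse(init.body).password !== 'correct-horse') return { status: 422 };
    api.session = 'constructed-session-id';
    return { status: 200 };
  };
  api.readCookies = () => Object.entries(api.jar).map(([k, v]) => `${k}=${v}`).join('; ');
  return api;
}

const demo = makeFakeApi();
loginStateful(demo.fetchImpl, demo.readCookies, 'https://api.example.test', 'a@example.test', 'correct-horse')
  .then((ok) => console.log('authenticated:', ok));
```

In a browser, pass `(url, init) => fetch(url, init)` and `() => document.cookie`; the token cookie is only readable when the API sets it for a domain the front-end shares.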
Please see the answers by @bcorcoran

@bcorcoran okay, that makes sense I suppose, but how do I go about getting the CSRF cookie from passport as it's only recommended to inject it when serving the front-end, however, my front-end is served by another server entirely. Also if that's the case, why does airlock even support or mention passport at all? Shouldn't it be a "use airlock OR passport, not both"?

@KieronWiltshire you don't in that scenario. Passport isn't designed in that way. Airlock, however, is... hence the If you want to use Passport for something like this, you need to deal with storing the token on the client and keep passing it back to the server for every request. With Airlock, you're authenticating & receiving a cookie and as long as you have the domain in the airlock whitelist, it will be valid.

@bcorcoran so I guess I need to use both then?

@KieronWiltshire I don't know - I don't know the requirements of your application and this really isn't the place for this kind of support. That being said, if you need oauth... then keep Passport. If you don't, get rid of Passport and use Airlock. If you're asking if you need Passport and Airlock together to authenticate a frontend on another server... no, you only need Airlock.
So I'm actually using passport to authenticate my entire API. However, I've now reached the point where I actually need stateful authentication for a first-party front-end.
I found airlock as a possible solution, but I don't understand how I'm supposed to use airlock and passport together, and I think this is down to airlock being in development and has unfinished or unclear documentation. (or quite possibly, I'm being dumb)
So using passport, my User model already uses the passport's equivalent to HasApiTokens trait. So I'm assuming I just ignore adding the airlock equivalent - but I'm unsure, I think this could do with some clarification.

Finally, in my AuthController I have a login method which already creates a personal access token and returns it in a JSON response back to the user, now I'm assuming I'm supposed to include the Auth facade upon successful authentication and use the login method to create the session. So my questions around this premise are :-

Clarification would be helpful! Thank you.