Question: how to best design authentication? #56
Comments
Hi @axtg, It basically depends on where you would perform the authentication from. Is it a first-party SPA? A mobile app? Another backend service? In most cases, I highly suggest using Sanctum (Cookie for first-party SPA, Bearer token for mobile apps), because it provides literally everything you need. However, if you plan to make your app an OAuth identity provider, then Passport should be the way to go from the very beginning.
@alexzarbn Appreciate that line of thought. So here is what I tried doing in Insomnia after installing Sanctum:
Step 3 gives me an unauthenticated message. If I try the Bearer token for the user, it does work. So I tried changing in api.php the guard to auth:web, but that does not work. That begs the question, can I use a single API endpoint for both a SPA and an external app (e.g. Zapier / Integromat)? I'd love to give my fictive users the opportunity to do so. But I think I am missing one crucial point about Sanctum. Thanks for the help!
@axtg Please read Sanctum's Configuration and Orion's Authorization documentation. Yes, you can use the same endpoint, the only difference would be the way you authenticate: from within your app - it is a first-party authorization using cookie, from any external service - it can be a personal access token.
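One way to wire up what the reply above describes: a single `auth:sanctum`-guarded route group that serves both the first-party SPA (session cookie) and an external service such as Zapier (personal access token). This is an added example, not code from the issue or from Orion; the controller name, the token-management routes and the ability names are assumptions.

```php
<?php
// routes/api.php (added example). `auth:sanctum` resolves the user from the
// session cookie when the request comes from a domain listed in
// SANCTUM_STATEFUL_DOMAINS (config/sanctum.php) and the api middleware group
// includes EnsureFrontendRequestsAreStateful; otherwise it falls back to the
// Authorization: Bearer header. The SPA logs in via /sanctum/csrf-cookie and
// the normal login route; an external service just sends its Bearer token.

use App\Http\Controllers\Api\PostsController; // assumed Orion controller name
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Laravel\Sanctum\PersonalAccessToken;
use Orion\Facades\Orion;

Route::middleware('auth:sanctum')->group(function () {
    // Orion resource routes; the guard in front of them is the only auth logic.
    // Inside a controller, $request->user()->tokenCan('posts:write') is true for
    // cookie sessions and checks the granted abilities for Bearer tokens.
    Orion::resource('posts', PostsController::class);

    // Issue a personal access token for an external integration. The caller is
    // already authenticated (cookie or existing token); the new token is scoped
    // to the abilities it actually needs instead of the default ['*'].
    Route::post('/integration-tokens', function (Request $request) {
        $validated = $request->validate([
            'name'        => 'required|string|max:64',
            'abilities'   => 'array',
            'abilities.*' => 'in:posts:read,posts:write', // assumed ability names
        ]);

        $token = $request->user()->createToken(
            $validated['name'],
            $validated['abilities'] ?? ['posts:read']
        );

        // plainTextToken is returned exactly once; only its hash is stored.
        return response()->json(['token' => $token->plainTextToken], 201);
    });

    // Revoke the token that made this request. For cookie sessions
    // currentAccessToken() is a TransientToken, so there is nothing to delete.
    Route::delete('/integration-tokens/current', function (Request $request) {
        $token = $request->user()->currentAccessToken();
        if ($token instanceof PersonalAccessToken) {
            $token->delete();
        }
        return response()->noContent();
    });
});
```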
Wow. Okay, so this took me a while. All good now.
I've got a question. I'm using Orion happily locally with Insomnia to build my endpoints. Works perfectly, very happy with this well-thought-through and structured approach.
But now I need to set up authentication. Login, register, reset password etc.
I normally use Fortify for this, but this leverages the X-XSRF-TOKEN approach (web), instead of Bearer (API). I tried setting up Sanctum now too, but I'm getting confused on the best-practice approach.
Any thoughts or experiences that can help me move forward?
Thanks.