ChatGPT解决这个技术问题 Extra ChatGPT

Laravel Passport vs JWT vs Oauth2 vs Auth0

Confusion about API auth types in Laravel?

I'm currently learning how to create an API in Laravel and I found myself into this confusing concepts. After a few days of research and practice, I could finally understand enough this concepts to make a mini-guide. I had to look into a lot of separate webpages so I will make my best attempt to explain the relationship between them.

C
Community

What are these concepts?

Passport is an official Laravel package that implements Oauth2 and JWT.

Auth0 is an authentication and authorization service. It is kinda "all in one" solution for API auth. It implements JWT by default and can implement Oauth2 as well as many other protocols.

OAuth2 is an authorization framework or protocol that enables applications(the ones you're going to build) to give limited access to user accounts such as Facebook, GitHub, etc... Imagine that your app grew big enough to offer a "Sign in with APP NAME HERE" or provide limited access to your users account to other third-party applications. With Oauth2 you can achieve this among many other things.

JWT is a token format. In other words, it is how data will be arranged to create a token. Another token format would be SWT.

In other words:

Passport implements -> Oauth2 and JWT.

Auth0 can implement -> Oauth2 or many other protocols like LDAP, OPEN ID, etc...

Oauth2 can implement -> JWT or other token formats like SWT...

What should you use?

Not only it would be crazy for a beginner to create its own Oauth2 implementation compatible with Laravel, but also chances are that if you're reading this is because you don't know exactly how to all the Oauth2 complexity. Oauth2 out. All we have remeaning is three package options. Passport, tymondesigns/jwt-auth and Auth0.

Before continuing, let me note that when I refer to 'JWT' or 'plain JWT' I really mean to the tymondesigns/jwt-auth package. The real match comes between Auth0, Passport and plain JWT...

Auth0 is a Swiss army knife compared to Passport and JWT. This knife is an all in one solution. It can do a lot of stuff on its own plus some extras that you might never need without depending on Laravel or other frameworks. To not extend this too long, let me just say that it can do whatever you could possibly imagine as an API beginner. Also, you would have a really good dashboard straight out of the box which will allow you to manage all aspects of your API. From third-party authentication to add more apps (mobile, web, desktop) that can consume that API.

Passport could be compared with a more delicate knife. Its creators knew what it will cut and designed it specifically for those tasks. In other words, it was built especially for Laravel to work smoothly and flawlessly without having many bells and whistles bothering around. Though, don't forget that in the long run you can implement your own code on top of it. Like a nice and custom dashboard to manage your API clients.

Finally, back to the knife analogy, I like to compare JWT with a sharpened blade without any fancy extras. It's lightweight, functional, secure and does its job. You get the benefit that you will not have to worry about all extras that the other packages add. Furthermore, you can upgrade this knife however you want due to its flexibility or even switch to another package if you need a heavier upgrade.

Conclusion

It depends on you, if you want to cut everything that might be thrown at you and stay more in the API world than in Laravel (Auth0), narrow down to the focus of Laravel and Oauth2 for third party authentications (Passport) or have a basic secure data transfer out of the box via API (JWT). And yes... You can also link your app to your mobile app with the three of them.

Personally I prefer Passport because:

I like to work with the official Laravel packages.

Besides the many extra routes and tables added to my project, its performance will not be affected.

If I started with the most basic API auth and wanted to scale, it would be much easier.

The coziness of working with a Laravel Package.

Still talking about the last point, some may say that Auth0 community is small. It basically is, but also it has awesome client support personnel.

Tutorials on Passport and Oauth2

Laravel and Oauth2 Docs explanation of tokens might be a little difficult. Here is a Good Explanation of Passport's(therefore Oauth2) Different Types of Tokens and Their Use Cases. Since I couldn't figure out the "routes" part of the tutorial I wouldn't recommend the tutorial part.

This is a Good Passport Video Tutorial which also uses the PostMan Chrome app for API calls. For those of you who are new to this API stuff, apps like PostMan will make your work a lot easier than using a "curl" Linux/Mac command. You could watch the complete series or just the Passport part. At the moment I'm stuck on video 4. Here's my Stack Overflow question.

Resources

Many of the resources are all spread above in the article but I also have some here.

Stack Overflow JWT vs Oauth

Auth0 explanation of Oauth2

An Introduction to OAuth2

OAuth2 Simplified

Great post! A key point as well is that for most login functionality you'll be making an oauth client. If you want to be an oauth server (like linkedin, github, google) and give out tokens that can be done with passport also but it's different from building a simple login that uses those services (ie a oauth client)
Let’s be frank. Most apps do not require Laravel Passport. They would do just fine with Tymon JWT. All they want is a stateless e-mail and password authentication with refresh tokens. Using Laravel Passport for only this is an over kill. Laravel Passport makes sense if you’ve a Facebook-like app offering users’ clients to access their data via an API with permissions. It involves 3 parties. User, client and backend. And most apps involve 2 parts. User and backend. My two cents.
Thanks for your comment. I do recognize the convenience that Tymon JWT offers since it's not granted that all apps will need to implement the party authentication in the future. Unfortunately, my personal opinion leaked too much into the post. I will definitely update the post taking in consideration your comment.
One gotcha: Passport (at least version 7.5.1 that I have tested) doesn't come with functionality to create tokens without validating the user's password. For example, if a user uses Login-with-FB through your mobile app, when you then hit your API, you cannot create a token for him because he doesn't have a password. There are some packages that have been built for cases like this (ex: github.com/coderello/laravel-passport-social-grant/tree/master/…) but I have found that using JWTauth is easier in such situations.

关注公众号,不定期副业成功案例分享
Follow WeChat

Success story sharing

Want to stay one step ahead of the latest teleworks?

Subscribe Now

HuntsBot,a one-stop outsourcing task, remote job, product ideas sharing and subscription platform, which supports DingTalk, Lark, WeCom, Email and Telegram robot subscription. The platform will push outsourcing task requirements, remote work opportunities, product ideas to every subscribed user with timely, stable and reliable.

简体中文 English

Platform

Support

Contact US

Any questions or suggestions during use, you can contact us in the following ways:

Email: huntsbot@xinbeitime.com

Copyright© 2022-2023 www.huntsbot.com 浙ICP备2022000860号-4 All Rights Reserved.