I have the same situation as you. My application is split into backend (Laravel) and frontend (Vue). Now I have been struggling for hours to decide what to use.
My research gives me a lot of headaches and everyone is doing something else. And most of the time something like "Vue -> Request -> Backend -> change request -> Request Backend again"...
Now I am trying to implement the PKCE. Do you have a working prototype or something? Have you solved the problem already?
I ended up just using https://github.com/tymondesigns/jwt-auth.
A friend of mine is using Sanctum.
"Sometimes you may wish to skip the authorization prompt"
This does NOT work with PKCE, as I mentioned in my original post.
Hello guys, I've been searching for this for three days and I'm about to break my monitor :(
I faced the same issue and I'm literally confused. Since I'm working on a Vue SPA app I heard about Laravel Passport, but it seems it's not the best choice; although they have a special section for SPAs, which is PKCE, this has some strange issues.
I've read Tom's comment and heard about Sanctum. Is that working fine for SPAs?
It seems like it was created for the SPA! Please let me know, thanks.
Sanctum is probably your best bet.
https://www.youtube.com/watch?v=Kd3hcrxtTHA (Laravel Employee)
Hey guys, I guess I'm a bit late to the party, but I would like to ask if you're trying to implement this in a single Laravel and Vue project, or is there a Laravel API somewhere and another Vue SPA trying to consume the API from another domain?
I'm currently creating two projects, a Laravel API for the backend and a Vue SPA to consume it. I started the project with Passport, but you guys are saying that Sanctum is the best choice for SPAs. Is this true for my case?
I haven't implemented the Vue app yet, so it would be nice to know if there's a better authentication option.
They say you have to be on the same top-level domain.
In order to authenticate, your SPA and API must share the same top-level domain. However, they may be placed on different subdomains.
So I think if you're working on multiple domains you won't be able to use Sanctum.
You'll need to use something like tymondesigns/jwt-auth to generate tokens, but I don't recommend it if you're going to store tokens in localStorage.
However, there is a trick you can implement to store the tokens within an http-only cookie. https://medium.com/@shindelav/make-an-api-based-application-with-laravel-passport-d6f1074a7b3a
Please ignore the Passport part; just focus on how to respond with a cookie carrying the token when you've logged in successfully, and how to inject the cookie value into the Authorization header before Laravel handles the authorization operation.
That's all I know. I hope it helps.
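
The cookie approach described in the post above, sketched as a Laravel middleware (an added example, not code from the thread or the linked article). The class name, the cookie name `access_token` and the `attach()` helper are assumptions, and it assumes the API routes do not run Laravel's cookie-encryption middleware, so the cookie holds the raw token.

```php
<?php
// Added example. Hypothetical names: TokenFromCookie, COOKIE, attach().

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class TokenFromCookie
{
    public const COOKIE = 'access_token'; // assumed cookie name

    // Runs before the auth middleware: copies the token from the
    // http-only cookie into the Authorization header the guard reads.
    public function handle(Request $request, Closure $next)
    {
        $token = $request->cookie(self::COOKIE);

        // Do not override a header the client sent explicitly, and
        // ignore array-valued or empty cookies.
        if (is_string($token) && $token !== ''
            && ! $request->headers->has('Authorization')) {
            $request->headers->set('Authorization', 'Bearer ' . $token);
        }

        return $next($request);
    }

    // Call from the login action after the token has been issued.
    // The token travels only in the cookie, so page JavaScript cannot read it.
    public static function attach(JsonResponse $response, string $token,
        int $minutes, string $sameSite = 'lax'): JsonResponse
    {
        // 'lax' fits an SPA and API on the same site. A cross-site SPA
        // needs 'none' (which requires Secure), and then the browser no
        // longer limits cross-site sends, so add separate CSRF protection.
        return $response->withCookie(cookie(
            self::COOKIE, $token, $minutes,
            '/',       // path
            null,      // domain: default to the API host
            true,      // secure: HTTPS only
            true,      // httpOnly: hidden from document.cookie
            false,     // raw
            $sameSite
        ));
    }
}
```

Register the middleware ahead of the auth middleware on the API routes, and have the SPA send requests with credentials enabled so the browser includes the cookie.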