Hello everyone! I have very exciting question form me.

What is a right way to authenticate your SPA JavaScript application (VueJS+Router, ReactJS+Router etc.)? I have investigated this question and found very different results for such standard feature as authentication. In most cases developers uses laravel/passport (Full OAuth2 server implementation) to just authenticate frontend application, which is looks strange for me.

Someone uses Personal Access Token:

• https://medium.com/modulr/create-api-authentication-with-passport-of-laravel-5-6-1dc2d400a7f
• https://tutsforweb.com/laravel-passport-create-rest-api-with-authentication/

Someone uses Password Grant:

• https://medium.com/@joelbrubaker/laravel-passport-spa-frontend-authentication-e876cd81928f

Anotherone uses tymon/jwt-auth package:

• https://blog.peterplucinski.com/setting-up-jwt-authentication-with-laravel-and-vue-part-1/

Someone else uses CreateFreshApiToken middleware to attach api token to cookie, how recommended in the documentation:

• https://github.com/LaravelDaily/Larancer-Vue/blob/master/app/Http/Kernel.php#L38
• https://laravel.com/docs/5.6/passport#consuming-your-api-with-javascript

And also have found answers like:

Just use sessions!

So, the main questions:

1. Whats the profit to use Password Grant or Personal Access Tokens for your JavaScript app, if much simpler and recommended way it’s to use - CreateFreshApiToken middleware?

2. Is this not overhead, to install Full OAuth2 Implementation, to just authenticate Frontend SPA with CreateFreshApiToken middleware which just attach token to cookie?

3. Is it make sense to use laravel/passport with CreateFreshApiToken middleware if it’s just attach token to cookie like in case with sessions?

4. Is there a reason to use simple JWT with tymon/jwt-auth, if yes, so which?

And main question, so, What is a right way to authenticate your JavaScript SPA Frontend Application?

P.S. I don’t ask about mobile applications, or 3rd parties, just your Frontend JavaScript application.