JWT/Passport Auth for SPA - What is best for my Use Case?

Posted 6 months ago by TuffRivers

I've been doing a lot of research on SPA auth with Laravel; from my understanding, refresh tokens are NOT to be used with single page apps. Also note, I will be building the FE, not third-party access, and I will have a mobile app (refresh tokens are best practice for a mobile app).

From what I gather, I have two options to secure my API for my SPA specifically:

  1. Grant Code with PKCE (https://laravel.com/docs/7.x/passport#code-grant-pkce)
  2. JWT without refresh token example doc (https://www.codechief.org/article/laravel-6-rest-api-with-jwt-authentication-with-crud)

Option 1 seems like a bit more overhead on the client side to set up and requires Passport, which is a bit more baggage for what I need right now, but setting up the refresh token route for my mobile app is super easy: /oauth/token

Option 2 seems easy and lightweight, and I can set up a refresh token as well for the mobile app (might be a bit more work). Is it really less secure to have a token that expires, say, every 24 hrs?

Your input is appreciated.

