- Use Laravel's own authentication.
- Use Socialite to authenticate with external providers and integrate it into your project.
- This is not for you at this moment; it's for external apps to authenticate with your project, let's say the reverse of Socialite.
Laravel Socialite and Passport, which should be used?
Hello,
I am working on a Laravel project (basically it is going to be Vue.js with Laravel).
So, I want to authenticate the user before entering the project, so I found the following ways:
- Use of php artisan make:auth -> I think this is the simple way of getting authentication on your project.
- Using Socialite -> This is used if I want to make the user authenticate through social media, i.e. Facebook, Twitter, Google etc.
- Using Passport -> Now, I am stuck here, I have so many questions about Passport authentication, like:
  - Can I simply authenticate a user with Passport, like php artisan make:auth does?
  - Can we make the user log in with social media with the help of Passport? If yes, then what is the difference between Socialite and Passport?
Thank you
Agree with @sirik here but would like to expand on their third point. You need Passport when you want to act like Facebook/Twitter, etc., and provide authorization to other apps on behalf of your users. It's a very unlikely situation for most apps.
@shashi_verma Passport is for adding an OAuth server to your application. It allows you and third-party clients (i.e. mobile apps) to request tokens that they’d then use to make requests to API endpoints that require authentication.
@martinbean @ankush981 @sirik What about the following scenario?
- We have a Laravel Web-API app
- We have our own mobile app
- We have a "Login-With-FB" feature in our mobile app.
What we want is to allow the user of the mobile app to register/login using either of these two methods:
- Credentials: email and password
- Using the Login-With-FB feature
What I'm thinking
We use Passport for 2 reasons:
- We issue a Client_ID and CLIENT_SECRET to be able to identify our mobile app - this way someone using Postman could not make a request (if he cannot find the Client_ID and CLIENT_SECRET). This is also useful if in the future we want to open up our API to third-party applications.
- For the "credentials" case, we use Passport's password grant and we issue an access_token to the user.
The issue is what we do with the Login-With-FB feature. What about the following:
a. The user logs in to FB using our mobile app.
b. FB sends to our mobile app the user's data (email, FB-ID, FB-access-token).
c. Our mobile app sends to our Laravel-web-API-app the user's data.
d. Laravel checks if the user with email and FB-ID exists. If the user exists, Laravel logs him in and creates a token and returns it to the mobile app. If the user doesn't exist we go to the next step.
e. Laravel uses Socialite's `userFromToken(FB-access-token)` method to retrieve the user's data from FB.
f. Laravel creates the user and creates a token and returns it to the mobile app.
What do you think of the above flow?
And how could Laravel create a token with Passport in steps (d) and (f)? I know that with JWT there is a method JWTAuth::fromUser($user). Does Passport have something similar?
@padawantony You’d use Passport (OAuth) to allow your application’s users to grant access to first- and third-party services, i.e. your mobile app.
If you’re authenticating Facebook users, then you will be going through Facebook’s OAuth flow, and getting an access token for a Facebook user. You’ll need to then do something to map the user ID you get from Facebook to a user in your application (if one exists at all).
@martinbean Hmm.. Not exactly. The user "logs-in-with-Fb/Google" through the mobile app. Fb/Google returns the user's data and his fb/google token to the mobile app. Then the mobile app hits my api and sends these data to my backend.
The issue then is that Passport cannot create a token without validating the user's password (and the user doesn't have a password because he logged in with fb/google). So there needs to be some custom logic there or I should use some package like https://github.com/coderello/laravel-passport-social-grant/tree/master/src
But I think I will just use JWTauth in the end instead of adding custom logic to Passport
@padawantony I don’t think you understand OAuth in that case.
The user "logs-in-with-Fb/Google" through the mobile app. Fb/Google returns the user's data and his fb/google token to the mobile app.
Yes. The user is therefore authenticating against Facebook’s or Google’s OAuth server, and getting an OAuth token from those services and not yours.
Then the mobile app hits my api and sends these data to my backend.
And that’s what I meant by, once you’ve got an OAuth token for a Facebook/Google user, you then need to map that Google/Facebook user ID to a user ID in your application (if one exists).
I should use some package like https://github.com/coderello/laravel-passport-social-grant/tree/master/src
There’s no such thing as a “social grant” type in the OAuth 2 spec. This package is just a hack for someone else who doesn’t really understand what OAuth is.
And that’s what I meant by, once you’ve got an OAuth token for a Facebook/Google user, you then need to map that Google/Facebook user ID to a user ID in your application (if one exists).
It is not enough to map the FB_id to a user_id in your application. You also need to create an access_token which you will return to the mobile app for any subsequent request. Passport needs an email and a password to create the access_token. But since your user logged in using FB, you don't have a password for the user, so Passport cannot create a token.
There are solutions of course, such as automatically creating a default password for every new user. But that's a hack. I'm saying there's no official way in Passport.
You can argue that you could use Passport's Personal_Access_Tokens. But again, not the same thing.
I ended up using JWTAuth in the end, which has a simple method to create a token based on an existing user (without having to validate his password):
// Get some user from somewhere
$user = User::first();
// Get the token
$token = auth()->login($user);
I have the same problem as @shashi_verma and @padawantony. I have an API built with Laravel and using Passport with a password grant client to grant access tokens to Members on the system.
Our Mobile App offers a standard login where Members can enter their email address and password to generate an access token to be able to access the API, scoped for their member account.
We want to offer social logins (and sign-ups) on the mobile app so they can essentially "Sign in with Google" and then access the Laravel-API as their Member account.
I get that there must be some link between the authenticated email from the socialite connect and the member email on the Laravel-API but how do I generate an access token when there is no password supplied from the user when using "Sign in with Google"?
@benr1804 I came across this thread after trying to get my head around the workflow of social login and Passport.
The long and short of it is, you're simply using the social provider, e.g. Google, Facebook etc, to validate that the authenticating user has legitimate control/access over the email address being used for authentication with your Laravel app.
Generically speaking, you're asking the social provider the following:
if (User passes your authentication requirements) {
Tell me they have passed and then I will run some logic to update or create a user with the details you give me.
Auth::login($user);
} else {
They are not authenticated by the social provider, abort.
}
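Putting the pseudocode above and the flow from @padawantony's post (steps d to f) into a concrete Laravel endpoint, as an added example that is not from any participant in this thread. It assumes Socialite and Passport are installed, the User model uses Passport's `HasApiTokens` trait with a personal access client created, and constructed `provider`/`provider_id` columns plus a nullable `password` on `users`; the token the mobile app obtained from Facebook or Google is verified with the provider before any account lookup, and Passport then issues a personal access token without needing a password.

```php
<?php
// Added example (not code from any poster). Assumes: Laravel with Socialite and
// Passport installed, `HasApiTokens` on the User model, a personal access
// client created with `php artisan passport:client --personal`, and `users`
// columns `provider` / `provider_id` plus a nullable `password` (constructed schema).

namespace App\Http\Controllers\Api;

use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Laravel\Socialite\Facades\Socialite;

class SocialLoginController extends Controller
{
    // POST /api/auth/social  {"provider": "facebook", "access_token": "<token from the mobile SDK>"}
    public function __invoke(Request $request): JsonResponse
    {
        $data = $request->validate([
            'provider'     => 'required|in:facebook,google',
            'access_token' => 'required|string',
        ]);

        // Step (e) first: the only identity the backend trusts is what the provider
        // returns for this token. Email / FB-ID sent by the client are never used as
        // the lookup key, so knowing a victim's email is not enough to log in as them.
        try {
            $social = Socialite::driver($data['provider'])
                ->stateless()
                ->userFromToken($data['access_token']);
        } catch (\Throwable $e) {
            return response()->json(['error' => 'invalid provider token'], 401);
        }
        // Caveat: userFromToken proves the token is valid for *a* user of the provider,
        // not that it was issued to *your* app; Facebook's /debug_token endpoint can
        // check the app_id if token substitution is a concern.
        // Steps (d)/(f): find or create the local account keyed on the provider identity.
        $user = User::firstOrCreate(
            ['provider' => $data['provider'], 'provider_id' => $social->getId()],
            ['name' => $social->getName() ?? 'user', 'email' => $social->getEmail()]
        );

        // Passport can mint a token for an already-authenticated User without a
        // password: this is the personal access token mentioned in the thread.
        $token = $user->createToken('mobile-app')->accessToken;
        return response()->json(['access_token' => $token, 'token_type' => 'Bearer']);
    }
}
```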