Passport Grant Tokens vs Sanctum API Token Authentication

@martinbean I have read the entire documentation of Passport, but it is still confusing for me.

Can you explain me some steps please ?

According to the documentation, I have to do in order :

• php artisan passport:client --public => what is a client ?

• https://laravel.com/docs/11.x/passport#code-grant-pkce-redirecting-for-authorization => how should I use the /redirect route ? then if the user approves the authorization request, ok but how is he able to approve the authorization request ? I don't understand where could be any button he can click on to approve

• https://laravel.com/docs/11.x/passport#code-grant-pkce-converting-authorization-codes-to-access-tokens => return $response->json(); I don't see any token in the response, and what do I have to do in the frontend when I receive this response ?

Sorry for all these questions, but OAuth is all new for me.

Thanks for your help.

V

php artisan passport:client --public => what is a client ?

@vincent15000 A client is what issues tokens. You can have multiple clients for multiple applications. So you could have a client for your web application, a client for an iOS app, a client for an Android app, and so on.

https://laravel.com/docs/11.x/passport#code-grant-pkce-redirecting-for-authorization => how should I use the /redirect route ? then if the user approves the authorization request, ok but how is he able to approve the authorization request ? I don't understand where could be any button he can click on to approve

The docs (https://laravel.com/docs/11.x/passport#code-grant-pkce-redirecting-for-authorization) explain the process:

Once a client has been created, you may use the client ID and the generated code verifier and code challenge to request an authorization code and access token from your application. First, the consuming application should make a redirect request to your application's /oauth/authorize route

So, you redirect your user to /oauth/authorize. It then builds a URL to redirect the user to. The URL will start with /oauth/authorize, is provided by Passport, and will prompt the user to log in (if they’re not already authenticated) and to authorise the client. By default, it will return this view. As you can see, it’s similar to the pages you get when authorising access to say, your Google or Facebook account, where you get a screen saying “[Some App] wants to use your account”. When the user approves the request, they’ll be redirected back to the original app (your SPA) with an OAuth access token that your SPA can use to make API requests as that user.

https://laravel.com/docs/11.x/passport#code-grant-pkce-converting-authorization-codes-to-access-tokens => return $response->json(); I don't see any token in the response, and what do I have to do in the frontend when I receive this response ?

Again, the docs (https://laravel.com/docs/11.x/passport#code-grant-pkce-converting-authorization-codes-to-access-tokens) covers this step.

@martinbean Ok ... hmmm ... I see that when I create a client, it can be binded to a user by the user_id field. What if I need to use the same client for several users ?

I have found this on the web ... very interesting.

https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce

@vincent15000 The client does not need to be bound to a user. At all.

@vincent15000 also Have you gone over this material?:

https://oauth2.thephpleague.com/terminology/

@jlrdw Thank you, very interesting documentation to better understand how OAuth works.