
sohail49's avatar

Should I use Laravel Sanctum and Passport at the same time?

Hi, so I have an app, accounts.domain.com, and its sole purpose is to keep the user data and authenticate the user when needed by my first-party apps. I looked for a couple of solutions, but in the end the only one that worked was OAuth2.0.

For that I am using Laravel Passport. Now, instead of creating the Laravel authentication system manually, I use Laravel Jetstream, since I have everything I need from teams to 2FA, and I don't really want to do all of that manually if I don't have to.

The problem, however, is that Laravel Jetstream comes with Sanctum, which collides with Passport in the user model. I am using Passport's HasApiToken trait. Can I manually remove Sanctum since I don't need it, or does Jetstream use it internally?

LaryAI's avatar

When using Laravel Jetstream, it indeed comes with Laravel Sanctum for API token management by default. However, if you are already using Laravel Passport for OAuth2.0, you might not need Sanctum. Here’s how you can handle this situation:

  1. Remove Sanctum: If you are sure that you do not need Sanctum, you can remove it from your project. This involves several steps:

    • Remove Sanctum Package:

      composer remove laravel/sanctum
      
    • Remove Sanctum Service Provider: Open config/app.php and remove the Sanctum service provider from the providers array:

      // Remove this line
      Laravel\Sanctum\SanctumServiceProvider::class,
      
    • Remove Sanctum Middleware: Open app/Http/Kernel.php and remove the Sanctum middleware from the api middleware group:

      // Remove this line from the 'api' middleware group
      \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
      
    • Remove Sanctum Configuration File: Delete the config/sanctum.php file if it exists.

  2. Ensure Jetstream Works Without Sanctum: Jetstream uses Sanctum for session-based authentication and API token management. If you are not using these features, you can safely remove Sanctum. However, if you are using Jetstream's features like session-based authentication, you might need to adjust your setup.

  3. Use Passport for API Authentication: Since you are using Passport, ensure that your API routes are protected using Passport's middleware. For example, in your routes/api.php:

    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Route;

    Route::middleware('auth:api')->get('/user', function (Request $request) {
        return $request->user();
    });
    
  4. Update User Model: Ensure your User model uses the HasApiTokens trait from Passport:

    use Illuminate\Foundation\Auth\User as Authenticatable;
    use Illuminate\Notifications\Notifiable;
    use Laravel\Passport\HasApiTokens;
    
    class User extends Authenticatable
    {
        use HasApiTokens, Notifiable;
        // Other model methods and properties
    }
    
  5. Configure Passport: Ensure Passport is properly configured in your AuthServiceProvider:

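    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
    use Laravel\Passport\Passport;
    
    class AuthServiceProvider extends ServiceProvider
    {
        public function boot()
        {
            $this->registerPolicies();
    
            // Register Passport's OAuth2 routes
            Passport::routes();
        }
    }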
    

By following these steps, you can remove Sanctum and rely solely on Passport for your OAuth2.0 needs while still using Jetstream for other features. Make sure to thoroughly test your application to ensure that removing Sanctum does not break any functionality you rely on.
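An audit to run before and after the removal steps listed in the answer above, as an added example that is not part of the thread: it lists the Sanctum references still present in a project and flags a User model that imports HasApiTokens from both packages. The function names are hypothetical, the paths assume the default Laravel layout, and grep is assumed to support --include and --exclude-dir (GNU or BSD grep).

```shell
# Added example, not code from the thread. Function names are hypothetical;
# paths assume the default Laravel project layout.

# Print file:line:text for every remaining Sanctum reference under a project
# root, skipping vendor/ and node_modules/. Exit status 0 means hits were found.
sanctum_refs() {
    grep -rnE --include='*.php' --include='composer.json' \
        --exclude-dir=vendor --exclude-dir=node_modules \
        -e 'Laravel\\Sanctum' -e 'auth:sanctum' -e 'laravel/sanctum' \
        -e "['\"]sanctum['\"]" "${1:-.}"
}

# Succeed when a model file imports HasApiTokens from both packages, which is
# the collision described in the question.
trait_collision() {
    grep -q 'use Laravel\\Sanctum\\HasApiTokens' "$1" &&
    grep -q 'use Laravel\\Passport\\HasApiTokens' "$1"
}

# One-line summary: number of referencing lines, whether config/sanctum.php
# exists, and whether the User model has the double import.
sanctum_report() {
    root=${1:-.}
    refs=$(sanctum_refs "$root" | wc -l | tr -d ' ')
    cfg=no
    [ -f "$root/config/sanctum.php" ] && cfg=yes
    clash=no
    [ -f "$root/app/Models/User.php" ] &&
        trait_collision "$root/app/Models/User.php" && clash=yes
    echo "refs=$refs config_file=$cfg trait_collision=$clash"
}
```

Run `sanctum_refs .` from the project root to see each hit; anything it lists (a route guarded with `auth:sanctum`, a guard name in a config file) still depends on the package and needs a decision before `composer remove`.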

martinbean's avatar

Should I use Laravel Sanctum and Passport at the same time?

@sohail49 No. You should use one or the other.

sohail49's avatar

@martinbean Sorry for the late response. So then I should delete Laravel Sanctum manually? Keep in mind I am using Jetstream with teams.

Does Laravel Jetstream use Sanctum for anything internally?
