krie9er

Lumen vs sanctum vs passport

Hello dear community, I am a bit confused, because I have some issues in getting the scopes/differences of Lumen vs Sanctum and Lumen vs Passport.

Sanctum vs Passport is pretty clear. Passport provides a full OAuth2 implementation and Sanctum doesn't.

But how does Lumen fit into this?

I ask because I am building an application which uses Laravel as a frontend & backend to configure and control node-bots. These nodes should authenticate via a secure token with the server, wait for tasks and send the results back to the server.

Now I have to choose between the 3 different API solutions. As far as I understand, Lumen is shipped with Laravel 8, but what is the difference to Sanctum?

Cheers and thanks for your help

0 likes
9 replies
Ajvanho

Lumen is a micro framework, quite a different thing than Sanctum and Passport.

krie9er

I understood that Lumen is a framework with the focus on delivering amazingly fast APIs. Is this right?

Am I right that everything that is provided by Lumen is also covered by Laravel?

Thanks for the quick reply!

Cheers

fylzero (Best Answer)

@krie9er Lumen is a VERY stripped down version of Laravel intended for massive-scale microservice optimization and I wouldn't even consider using it until you need to optimize a specific service to break away from your (monolith) app into a microservice.

Especially if you are building any app with some level of complexity, by the time you pull the packages you'd need into Lumen you'd have basically just turned it into a full Laravel app.

Also, if you reach for Vapor for scale I'm under the impression you really don't even need Lumen because of how Laravel and Lambda work together to sparkle up application functions.

Stick with Laravel imo.

As far as Passport vs. Sanctum... simple question, do you need OAuth or can you live with basic API token auth? If yes to OAuth, use Passport... if not, Sanctum.

3 likes
LiamA

@fylzero Obviously you have a lot of experience building different types of sites and apps. Can you give us a few examples of scenarios where Sanctum won't do and OAuth provides extra functionality?

fylzero

@liama There really aren't multiple examples of what I'm describing.

Passport/OAuth2 basically gives your application the API and interface to allow users to create access tokens that allow third-party apps to communicate with the API of your Laravel application. So unless cross-application access is something you need, you can pretty much skip using Passport.

Definitely watch the Laracast video on Passport to gain a better understanding of what this does. Taylor Otwell actually connects two laravel apps using it in this video. https://laracasts.com/series/whats-new-in-laravel-5-3/episodes/13

The truth is, Passport is a bit complex because OAuth2 is complex. The Laravel docs certainly assume anyone using Passport has a solid foundational knowledge of OAuth2 imo. Without that, you won't have an understanding of what the terminology is around grant types, etc.

Sanctum is much simpler. It allows you to properly auth your SPA and create tokens for your API. That's really all it does. I say properly because up until Sanctum was released I would often see applications being created that just relied on logging a user in through Blade views then relying on web routes for the SPA code. This comes with a few challenges that Jess Archer laid out nicely in a Laracon talk (almost right before Sanctum was really a thing / released). https://www.youtube.com/watch?v=Zv4bUXEwl20

LiamA

@fylzero Thank you for the thorough reply. I understand everything much better now.

Just one more question: Right now, the project I'm working on doesn't need to support 3rd party apps. In the future it might, but I can't tell for sure if and when that will be. Would using Sanctum now and then in the future (maybe) upgrading to Passport make sense?

fylzero

@liama Unless you know your eventual product roadmap will call for something, I would not just pull random things in that might get used someday. Yes, technical debt is real... but, so is over-engineering.

That said, absolutely... you could always use Sanctum now and tear it out / replace it with Passport later.

If you ever need to do this, one trick I would use is creating a fresh Laravel install, Git init/commit the project, then install Sanctum. By doing this you can look in, for example, VS Code's source control and see the diffs of everything you'd need to walk back to uninstall it.

Sanctum is pretty much a composer package, a config, a migration, and a middleware entry in the Kernel file. It is not exceedingly difficult to remove from a project.

2 likes
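To make the "basic API token auth" path concrete for the node-bot scenario from the original question, here is an added example (not code from the thread or from the Sanctum project) showing the middleware entries fylzero mentions and a minimal set of routes. The route paths, token names and ability strings (`tasks:read`, `results:write`) are assumptions; the Sanctum calls (`createToken`, `tokenCan`, the `auth:sanctum` guard and the `CheckAbilities` middleware) are the package's real API.

```php
<?php
// app/Http/Kernel.php (Laravel 8): the two middleware entries Sanctum needs.
// 'api' group: lets the first-party SPA authenticate with its session cookie.
//   \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
// $routeMiddleware: lets routes demand specific token abilities.
//   'abilities' => \Laravel\Sanctum\Http\Middleware\CheckAbilities::class,

// routes/api.php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// 1. An operator (logged in via the SPA session or an admin token) issues a
//    per-node token. Abilities act as scopes: a leaked node token can only
//    pull tasks and post results, nothing else. (Assumed route and names.)
Route::middleware('auth:sanctum')->post('/nodes/{name}/token', function (Request $request, string $name) {
    // Rotate: keep at most one live token per node name.
    $request->user()->tokens()->where('name', $name)->delete();

    $token = $request->user()->createToken($name, ['tasks:read', 'results:write']);

    // plainTextToken is shown exactly once; Sanctum stores only its SHA-256 hash
    // in the personal_access_tokens table created by the package migration.
    return ['token' => $token->plainTextToken];
});

// 2. The node-bot calls these with "Authorization: Bearer <token>".
//    The 'abilities' middleware rejects tokens lacking tasks:read with 403.
Route::middleware(['auth:sanctum', 'abilities:tasks:read'])->get('/tasks/next', function (Request $request) {
    return ['task' => null]; // placeholder payload for the example
});

// Same check done in the handler instead of the middleware.
Route::middleware('auth:sanctum')->post('/results', function (Request $request) {
    abort_unless($request->user()->tokenCan('results:write'), 403);

    return ['accepted' => true];
});

// 3. Revoking a node: delete its token row and the bearer stops working immediately.
Route::middleware('auth:sanctum')->delete('/nodes/{name}/token', function (Request $request, string $name) {
    $deleted = $request->user()->tokens()->where('name', $name)->delete();

    return ['revoked' => $deleted > 0];
});
```

Because tokens are stored hashed, there is no way to recover a lost token; the node has to be re-issued one, which is why the issue route rotates rather than appends. Giving each node its own named token with the narrowest abilities it needs is what makes revocation and blast-radius control straightforward later.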
LiamA

Thank you once more for a very insightful reply.
