As a back-end, I'm using Laravel (5.7) with the Laravel Passport package. As a front-end, I'm using Nuxt (2.4.x) in 'universal' mode.
I need to authenticate my client (I mean the browser one). I see that there is a module, @nuxtjs/auth. According to its documentation, I should provide client_id and client_secret in the configuration. But isn't that unsafe? I should not keep, at least, client_secret on the client's side. Or does the auth module keep that data on the server side?
The next thing I found is the @nuxtjs/proxy module. According to one of the answers in the GitHub issues, I can pass some headers via it. The question is the same: does it keep credentials only on the server side, or is it an unsafe way?
In the end, I decided to do authentication through separate routes in Laravel, which will make internal requests, adding the client_id and client_secret data on the API side. Is this a correct way to do auth?
Also, as I understand it, there are several types of OAuth2 flow: Authorization Code, Implicit, Resource Owner Password Credentials and Client Credentials. The situation above is written for the first of the described types. As I understand it, Nuxt and Laravel Passport use the Resource Owner Password Credentials type. But why is there a client_secret (in the auth module docs), when it should only provide client_id? How should I do authentication with Laravel Passport?
Maybe I'm digging in the wrong way. Maybe you have a better solution?
via Chebli Mohamed
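One way the server-side route described in the question could be structured, written as an added example that is not part of the original post and is not code from @nuxtjs/auth or Laravel Passport. It is in JavaScript, as it would run in server-side code behind the browser, and assumes Passport's password grant at `/oauth/token`; `tokenProxy`, `postJson` and the config keys are hypothetical names.

```javascript
// Added example; tokenProxy, postJson and the config keys are hypothetical names.

// Build the Passport password-grant request on the server. Only username and
// password are taken from the browser; client_id, client_secret, grant_type
// and scope sent by the browser are ignored.
function buildTokenRequest(browserBody, config) {
  const { username, password } = browserBody || {};
  if (typeof username !== 'string' || typeof password !== 'string' ||
      username === '' || password === '') {
    return null;
  }
  return {
    grant_type: 'password',
    client_id: config.clientId,         // server-side configuration
    client_secret: config.clientSecret, // never sent to the browser
    username,
    password,
    scope: config.scope || '',
  };
}

// Return only the token fields, so nothing else from upstream is echoed back.
function filterTokenResponse(upstream) {
  const { token_type, expires_in, access_token, refresh_token } = upstream || {};
  return { token_type, expires_in, access_token, refresh_token };
}

// postJson(url, body) -> Promise<{ status, body }> is injected: an HTTP client
// in production, a stub when testing.
async function tokenProxy(browserBody, config, postJson) {
  const payload = buildTokenRequest(browserBody, config);
  if (payload === null) {
    return { status: 422, body: { error: 'invalid_request' } };
  }
  const upstream = await postJson(config.tokenUrl, payload);
  if (upstream.status === 200) {
    return { status: 200, body: filterTokenResponse(upstream.body) };
  }
  // Collapse upstream errors so client details are not leaked to the browser.
  const status = upstream.status === 400 || upstream.status === 401 ? 401 : 502;
  return { status, body: { error: 'authentication_failed' } };
}
```

The browser only ever posts `username` and `password` to this route, so the secret stays in server-side configuration and out of any bundle shipped to the client.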