Authentication
#Authenticating Your Users
Most apps need some concept of who the user is, so that the app can connect securely on their behalf to external services such as your API or a cloud service.
In a mobile app, you will always need to call an external service (external to the user's device) that acts as the source of truth about your users' credentials. It could be a service you manage or a third-party service like WorkOS, Auth0 or Amazon Cognito.
Authenticating the user serves two purposes:
- It allows you to prove who they are when they connect to your API.
- It gives you an opportunity to grant or deny access to certain features of your app based on the authenticated state of the user.
Whilst some user data may be stored on the user's device for convenience, you should not rely on this data to authenticate the user: it lives on hardware outside of your control and can be read or modified there. So you will not be using the typical Laravel session-based authentication mechanisms (`Auth::check()`, the `auth` middleware) inside the app to decide whether the user is authenticated; that decision belongs to the remote service.
#Tokens FTW!
Most mobile apps opt for some form of "auth token" (e.g. a JWT or an expiring API key) that is generated by your auth service and stored securely on the user's device.
These tokens should only live for a short period, usually no more than a few days. It is also useful to issue a single-use "refresh token" with a longer lifetime (e.g. 30 days) alongside the auth token when the user successfully authenticates. It can be exchanged for a new auth token once the current one has expired.
Store both auth and refresh tokens in secure storage, never in ordinary app storage or an on-device database. Checking that an auth token exists is not sufficient to treat the user as authenticated: the token may have expired or been revoked server-side, in which case you should force the user to re-authenticate. The only way to know for certain is to exercise the token against your service.
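The check-then-refresh logic described above, written out as an added example for a NativePHP app (this is not code from the NativePHP docs or project). It assumes that `Native\Mobile\Facades\SecureStorage` exposes `set()`, `get()` and `delete()` with `get()` returning `null` for a missing key, and that the auth service offers a hypothetical `GET /api/me` (any authenticated endpoint will do) and `POST /api/auth/refresh` that takes `{refresh_token}` and returns a fresh token pair. The point it adds to the paragraph is the three-way outcome: a 401 is a verdict on the token, but a network failure or a 5xx is not, and must not log the user out.

```php
<?php

namespace App\Auth;

// Added example, not code from the NativePHP docs or the NativePHP project.
// Assumptions: Native\Mobile\Facades\SecureStorage exposes set()/get()/delete()
// with get() returning null for a missing key; the auth service exposes
// GET /api/me (any authenticated request will do) and POST /api/auth/refresh,
// which takes {refresh_token} and returns a fresh {access_token, refresh_token}.
// All of those endpoint names are hypothetical.

use Illuminate\Http\Client\ConnectionException;
use Illuminate\Support\Facades\Http;
use Native\Mobile\Facades\SecureStorage;

enum AuthState
{
    case Authenticated;    // token exercised successfully (possibly after a refresh)
    case Unauthenticated;  // no token, or token and refresh token both rejected: show login
    case Unknown;          // offline or server error: no verdict, keep the tokens, retry later
}

class TokenSession
{
    private const ACCESS_KEY  = 'auth.access_token';
    private const REFRESH_KEY = 'auth.refresh_token';

    public function __construct(private readonly string $apiBase) {}

    public function store(string $accessToken, string $refreshToken): void
    {
        SecureStorage::set(self::ACCESS_KEY, $accessToken);
        SecureStorage::set(self::REFRESH_KEY, $refreshToken);
    }

    public function clear(): void
    {
        SecureStorage::delete(self::ACCESS_KEY);
        SecureStorage::delete(self::REFRESH_KEY);
    }

    /** Exercise the access token; its mere presence in storage proves nothing. */
    public function check(): AuthState
    {
        $access = SecureStorage::get(self::ACCESS_KEY);
        if ($access === null) {
            return AuthState::Unauthenticated;
        }

        try {
            $response = Http::withToken($access)->acceptJson()->get($this->apiBase.'/api/me');
        } catch (ConnectionException) {
            return AuthState::Unknown;
        }

        if ($response->successful()) {
            return AuthState::Authenticated;
        }
        if ($response->status() !== 401) {
            return AuthState::Unknown;  // a 5xx says nothing about the token; do not log out
        }

        // 401: expired or revoked. Try the refresh token exactly once.
        return $this->refresh();
    }

    private function refresh(): AuthState
    {
        $refresh = SecureStorage::get(self::REFRESH_KEY);
        if ($refresh === null) {
            $this->clear();
            return AuthState::Unauthenticated;
        }

        try {
            $response = Http::acceptJson()->post($this->apiBase.'/api/auth/refresh', [
                'refresh_token' => $refresh,
            ]);
        } catch (ConnectionException) {
            return AuthState::Unknown;
        }

        if ($response->status() === 401) {
            // Expired, revoked, or already spent (single-use): wipe both and force login.
            $this->clear();
            return AuthState::Unauthenticated;
        }
        if (! $response->successful()) {
            return AuthState::Unknown;
        }

        // The server rotated both tokens; the old refresh token is now dead, so overwrite.
        $this->store($response->json('access_token'), $response->json('refresh_token'));

        return AuthState::Authenticated;
    }
}
```

Call `check()` on app start and before any screen that needs the user; route `Unauthenticated` to the login screen, treat `Unknown` as "keep the cached UI, retry later" rather than as a logout, since wiping tokens on a flaky connection trains users to re-enter passwords on demand.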
#Laravel Sanctum
Laravel Sanctum is a convenient and easy-to-use mechanism for generating auth tokens for your users. They provide their login credentials and, if the credentials are valid, receive a token. Using a simple login form, you can collect their username and password in your app and POST them over HTTPS to your auth service via an API call.
Note that, by default, Sanctum tokens never expire (`expiration` is `null` in `config/sanctum.php`). You should enable token expiration for increased security. Even then, your app may only find out that a token has expired when an attempt to use it fails, so treat that failure as a signal to refresh or re-authenticate rather than assuming a stored token is still good.
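The server side of the short-lived auth token plus single-use refresh token scheme, implemented with Sanctum as an added example (not code from the NativePHP docs or the Sanctum project). It assumes Sanctum 3 or later, where `createToken()` accepts an expiry; the route names, the `access`/`refresh` abilities, the `device_name` field and the 3-day/30-day lifetimes are choices made here, not Sanctum defaults. Two caveats it encodes: the global `expiration` setting caps every token's age, so it must be at least as long as the refresh token lifetime, and tokens must carry explicit abilities, because a `['*']` token satisfies every `tokenCan()` check and would be accepted as a refresh token.

```php
<?php

namespace App\Http\Controllers;

// Added example, not code from the NativePHP docs or the Sanctum project. It
// shows the server side of the scheme above (short-lived auth token plus a
// single-use refresh token) with Sanctum 3+, where createToken() takes an expiry.
// The route names, the 'access'/'refresh' abilities and the lifetimes are
// choices made here, not Sanctum defaults.
//
// config/sanctum.php ships with 'expiration' => null, meaning tokens never
// expire. That setting is a global ceiling on every token's age, so it must be
// at least as long as the longest-lived token you issue (the refresh token):
//
//     'expiration' => 60 * 24 * 30,   // minutes
//
// Per-token expiry via createToken() then shortens the auth token further.

use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class MobileAuthController
{
    private const ACCESS_TTL_DAYS  = 3;
    private const REFRESH_TTL_DAYS = 30;

    // POST /api/auth/login  {email, password, device_name}
    public function login(Request $request): JsonResponse
    {
        $data = $request->validate([
            'email'       => ['required', 'email'],
            'password'    => ['required', 'string'],
            'device_name' => ['required', 'string', 'max:100'],
        ]);

        $user = User::where('email', $data['email'])->first();

        // One message for both "no such user" and "wrong password": no account enumeration.
        if (! $user || ! Hash::check($data['password'], $user->password)) {
            throw ValidationException::withMessages(['email' => ['Invalid credentials.']]);
        }

        return $this->issuePair($user, $data['device_name']);
    }

    // POST /api/auth/refresh, behind the auth:sanctum middleware. The Bearer
    // token presented here must be the refresh token, enforced by ability.
    public function refresh(Request $request): JsonResponse
    {
        $user = $request->user();

        if (! $user->tokenCan('refresh')) {
            abort(401, 'Refresh token required.');
        }

        $current = $user->currentAccessToken();
        $device  = substr($current->name, 0, -strlen(':refresh'));

        $current->delete();   // single use: spend it before minting replacements

        return $this->issuePair($user, $device);
    }

    private function issuePair(User $user, string $device): JsonResponse
    {
        // Replace any earlier pair for this device so stale tokens do not accumulate.
        $user->tokens()->whereIn('name', [$device, $device.':refresh'])->delete();

        // Explicit abilities rather than ['*']: a '*' token satisfies every
        // tokenCan() check, which would let an ordinary auth token call refresh.
        $access  = $user->createToken($device, ['access'], now()->addDays(self::ACCESS_TTL_DAYS));
        $refresh = $user->createToken($device.':refresh', ['refresh'], now()->addDays(self::REFRESH_TTL_DAYS));

        return response()->json([
            'access_token'  => $access->plainTextToken,
            'refresh_token' => $refresh->plainTextToken,
            'expires_in'    => self::ACCESS_TTL_DAYS * 86400,
        ]);
    }
}
```

Protect ordinary API routes with `auth:sanctum` plus Sanctum's `abilities:access` middleware (register the `abilities` alias to `Laravel\Sanctum\Http\Middleware\CheckAbilities` if your Laravel version does not do so already), otherwise the long-lived refresh token would also be accepted as an auth token. Expired rows still sit in `personal_access_tokens` until you schedule `php artisan sanctum:prune-expired`.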
#OAuth
OAuth is a robust and battle-tested solution to the mobile app auth problem. If you're running Laravel Passport or your authentication service supports OAuth, you should use it!
You will likely want to use an OAuth client library in your app to make interacting with your OAuth service easier.
When initiating the auth flow for the user, you should use the Native\Mobile\Facades\Browser::auth() API, as this is purpose-built for securely passing authorization codes back from the OAuth service to your app.
You should set your redirect URL to nativephp://127.0.0.1/some/route, where some/route is a route you've defined in your app's routes that will be able to handle the auth code.
Note that the scheme of the redirect URL in this case is always nativephp://. This has nothing to do with any custom deep link scheme you may have set for your app. It is only tied to the Browser::auth() session.