Authenticating users in Laravel

Choosing the right authentication package in Laravel can be overwhelming—but fear not! This article discusses the most popular authentication options and when to use them.

Laravel comes packed with many ways to authenticate users. When installing a new application and wanting to add authentication to it, your choices are not limited. The options available to authenticate users within Laravel:

As we can see, there are many installable packages that aim to make the whole process of authentication simple and easy for any developer to get started. However, it may be overwhelming at times to determine which one to use. This article aims to cover what each package is and when it is a good idea to choose one over the others.

Laravel's Default Auth Facade

Before we take a look at the installable packages that can be used to authenticate our users, it is important to note that Laravel can authenticate users without having to install any additional packages. One may use the default Auth Facade that ships with the framework. To use it, just ensure that your database has a record for the user that you want to authenticate; we can then simply find the user and log them in as follows:

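// first() runs the query and returns the User model; where() alone only returns a query builder.
$user = User::where('email', 'email@example.com')->first();

Auth::login($user);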

This will authenticate the user and create the session as needed. Note that login() does not check a password: it logs in whichever user instance it is given, so any credential verification must happen before the call. You are free to build whatever custom logic you want around this facade. Keep in mind that all the packages and installable options available within the Laravel ecosystem make use of this Facade and the login() method to generate authentication sessions.
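An added example (not from the original article) of a login controller method that verifies the password with Auth::attempt() before a session is created, rather than calling Auth::login() on a user looked up by email alone. The controller name, the `dashboard` redirect target and the five-attempts-per-minute throttle are assumptions.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;

// Hypothetical controller name; wire it to a POST /login route.
class LoginController extends Controller
{
    public function authenticate(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email' => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        // Throttle per email + client IP (assumed policy: 5 attempts per 60 seconds).
        $key = Str::lower($credentials['email']).'|'.$request->ip();
        if (RateLimiter::tooManyAttempts($key, 5)) {
            return back()->withErrors(['email' => 'Too many login attempts. Try again later.']);
        }

        // attempt() looks the user up by email and compares the submitted password
        // with the stored hash; the session is only created on a match.
        if (Auth::attempt($credentials)) {
            RateLimiter::clear($key);
            // Issue a new session ID after login to prevent session fixation.
            $request->session()->regenerate();

            return redirect()->intended('dashboard');
        }

        RateLimiter::hit($key, 60);

        // Same message whether the email or the password was wrong.
        return back()
            ->withErrors(['email' => 'The provided credentials do not match our records.'])
            ->onlyInput('email');
    }
}
```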

For more information about how Laravel handles this and what is available to you directly from the framework, check out the complete documentation.

Laravel Breeze

If you are looking for a simple and easy to customize authentication option, then Laravel Breeze is for you. Breeze is the easiest and most customizable of all the options available within the ecosystem. Out of the box, Breeze will provide you with the following:

  1. Login
  2. Registration
  3. Password Resets
  4. Password Confirmations
  5. Profile Management
  6. Email Verification

Furthermore, all of this will come fully unit tested. For most projects, Breeze is the perfect starting point. When installing Breeze, you can also choose the type of project you would like to build, and the package will scaffold the required dependencies for you. This makes Breeze a great way to begin a project. Need Livewire? Breeze will automatically install Livewire and connect all the authentication to use Livewire. Prefer Inertia? Same thing; simply choose which stack you want to work with when installing, and from there, you are ready to build. Pretty neat!

To get started with Laravel Breeze, check out the complete documentation.

Laravel Jetstream

Laravel Jetstream is a more complex alternative to Breeze that gives you many more features. Jetstream comes with the following out of the box:

  1. Login
  2. Registration
  3. Profile Management
  4. Password Reset
  5. Email Verification
  6. Two-Factor Authentication (2FA)
  7. Teams Management
  8. Browser Sessions Management
  9. API Tokens & Permissions

When using Laravel Jetstream, you are able to choose which features you would like to have enabled and can expand the features as you go. The main difference between Jetstream and Breeze is the ease of use. In my personal opinion, Jetstream is a little harder to customize, although it is fully customizable for someone who knows what they are doing. The docs are packed full of examples and methods for overriding the default behavior, so if Jetstream sounds like your cup of tea, I recommend starting there.

Jetstream is a good option if you are looking to build a fully fledged web app. To get started with Laravel Jetstream and learn more about what it can do, check out the complete documentation.

Laravel Fortify

Laravel Fortify is a frontend-agnostic implementation of authentication. This means the package provides all the backend tools needed to get started with authentication, leaving the entire frontend of your app up to you.

Out of the box, Fortify will provide the backend implementation for the following:

  1. Login
  2. Registration
  3. Password Management
  4. Two-Factor Authentication
  5. Email Verification

We have previously discussed Laravel Jetstream, which makes use of Laravel Fortify for its complete implementation. Fortify is a great option for anyone who wants to get started with authentication quickly but would prefer to handle the auth logic without being coupled to any UI options that come with the other authentication options.

Installing Fortify on your project is simple and fully documented; check out the complete documentation.

Laravel Sanctum

Unlike the other methods of authentication described above, Sanctum is a way to authenticate based on API tokens. This is really helpful for API-based or SPA-based applications.

When building an SPA or API, the client (browser) typically makes a request to retrieve an authentication token. This token is then sent with subsequent requests, and the application uses it to decide whether the request is allowed to access specific types of data. Laravel Sanctum offers a simple way to create these tokens.

Sanctum is a great choice when dealing with mobile apps or providing additional API endpoints to an existing application. The use case for these simple "personal access tokens" is vast and can be applied in many circumstances.

Installing Sanctum essentially only adds a Trait and a Middleware that hook into your existing authentication system. This allows you to build an app UI using one of the methods described above and then implement Sanctum on top of it for anything extra.

For more information on Laravel Sanctum, as well as installation instructions, check out the complete documentation.

Laravel Passport

Laravel Passport functions the same as Sanctum. However, the biggest difference is that Passport makes use of the OAuth protocol. Thus, the app will need to grant access before API calls can be made. Think about "Login With Facebook" or "Connect to GitHub"; these are examples of OAuth.

Laravel Passport provides a way for users to obtain an API key by connecting their app to your app. Once the connection is successful, an API key will be given for the connection.

In most cases, Laravel Passport is not preferred over Laravel Sanctum, and this should be considered when building your application. Passport should only be used when the requirement is to build an OAuth system. It is important to note that Passport requires considerable knowledge and server management to keep it up and running.

Once Passport is installed, and keys have been generated, it functions the same as Sanctum in providing a middleware to authenticate requests.

To learn more about Laravel Passport, check out the complete documentation.

Which Option Should You Choose?

With all the options above, we can see that it is easy to get overwhelmed with the choices, and it may be difficult at times to decide which one to use.

In my personal opinion, if you are going to be building an application from scratch, the best choice would be Laravel Breeze. Simply install it, publish all files, and hack away on your next application.

Furthermore, if you will be extending an existing application but want to make use of the "Laravel Way", then Laravel Fortify is for you! Install the package and refactor each feature to use the new methods provided.

Additionally, if you want to build a quick MVP but do not care too much about how it looks, I would go with Jetstream and refactor after the initial MVP phase.

Moreover, if you need an API, use any of the above methods and slap Sanctum on top of it.

However, in most cases, Laravel Breeze is the easiest and simplest to work with without locking you in to any hidden pieces of code or methodologies.

Conclusion

The Laravel ecosystem is vast, and each of the above packages is actively maintained, which means that they will get better over time. This makes Laravel a good choice for your next application. With so many approaches to authentication, developers have the freedom to build whatever they want with as much freedom as they could ever need. What will you build next?


    Devin Gray

    Laravel Enthusiast… Part Time Human Being
