
samyapp/laravel-external-authentication
=======================================

Laravel authentication guard for authentication based on headers or environment variables set by an authenticating reverse proxy.

Version v1.0.0. License: MIT. Language: PHP.


Laravel External Authentication
===============================


Laravel authentication package that authenticates users based on HTTP request headers or environment variables set by an external authentication source such as Apache with basic authentication, SAML2 SSO via mod\_auth\_mellon, or a custom implementation using Nginx's [http\_auth\_request](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html).

This package focuses on *authenticating* users and setting properties or attributes on your user model based on those set via the external identity provider.

[![Build Status](https://github.com/samyapp/laravel-external-authentication/actions/workflows/php.yml/badge.svg)](https://github.com/samyapp/laravel-external-authentication/actions/workflows/php.yml/badge.svg)

Security
--------


If you rely on HTTP headers to determine if a user is authenticated you *must* ensure that these headers have been sent to your Laravel app from a trusted source and not spoofed by the client.

For example:

- Running Nginx with the [http\_auth\_request module](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) setting the HTTP headers and proxying to a php-fpm backend running your application on the same VM.
- Using Apache with [mod\_auth\_mellon](https://github.com/latchset/mod_auth_mellon) for SAML SSO with PHP on the same server, setting environment vars for PHP.

Both of these cases should be safe, *provided you ensure the web servers set the variables to blank values when no user is authenticated*.

In addition, if your authentication servers (Apache or Nginx in the examples above) proxy to PHP on one or more different servers over a network, you should ensure that PHP only responds to requests from those specific upstream servers, so that other users on the network cannot make requests with forged headers.
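
As an added illustration of the Nginx case above (not taken from the package or its documentation), the following configuration shows how the proxy can guarantee that the identity header PHP sees is either the value from the auth subrequest or blank. The header name `X-Auth-User`, the `/_auth` endpoint, the auth service address, the `/status` route and all file paths are assumptions made for the example.

```nginx
# Constructed example: the X-Auth-User header, /_auth endpoint, auth service
# address, /status route and all paths are assumptions, not package defaults.
server {
    listen 443 ssl;
    server_name app.example.test;
    ssl_certificate     /etc/nginx/tls/app.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/app.key;   # placeholder
    root /var/www/app/public;

    # Subrequest target: the auth service answers 2xx (and names the user in
    # an X-Auth-User response header) or 401/403.
    location = /_auth {
        internal;
        proxy_pass http://127.0.0.1:9001/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    location / {
        try_files $uri /index.php?$query_string;
    }

    # Protected front controller. A fastcgi_param named HTTP_X_AUTH_USER
    # replaces whatever X-Auth-User header the client sent, so PHP only ever
    # sees the value returned by the auth subrequest (or an empty string).
    location = /index.php {
        auth_request     /_auth;
        auth_request_set $auth_user $upstream_http_x_auth_user;
        include          fastcgi_params;
        fastcgi_param    SCRIPT_FILENAME  $document_root/index.php;
        fastcgi_param    HTTP_X_AUTH_USER $auth_user;
        fastcgi_pass     unix:/run/php/php-fpm.sock;
    }

    # Public route served by the same app without auth_request. Without the
    # explicit blank below, a client-supplied X-Auth-User would pass through
    # to PHP unchanged; with it, PHP always receives an empty value.
    location = /status {
        include          fastcgi_params;
        fastcgi_param    SCRIPT_FILENAME  $document_root/index.php;
        fastcgi_param    HTTP_X_AUTH_USER "";
        fastcgi_pass     unix:/run/php/php-fpm.sock;
    }
}
```

The unix socket keeps php-fpm unreachable from the network. If php-fpm runs on another host and listens on TCP instead, restrict it to the proxy's address with php-fpm's `listen.allowed_clients` and a host firewall rule.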

Quickstart
----------


1. Install: `composer require samyapp/laravel-external-authentication`
2. Publish the configuration:

    ```
    php artisan vendor:publish --provider="SamYapp\LaravelExternalAuth\ExternalAuthServiceProvider"
    ```
3. Configure your application to use the External Guard:

    *config/auth.php*:

    ```
    'guards' => [
        'web' => [
            'driver' => 'external-auth',
            'provider' => 'users',
        ],
    ],
    ```
4. If using [transient users](#working-with--transient--users) in your app, configure the user provider and model:

    *config/auth.php*:

    ```
    'providers' => [
        'users' => [
            'driver' => 'transient',
            'model' => '\SamYapp\LaravelExternalAuth\TransientUser',
        ],
    ],
    ```
5. Edit `config/external-auth.php` with your [configuration](#configuration).
6. Add authentication to the routes you want to protect.
7. Access the authenticated user the same way you would in any normal Laravel app. Any user attributes defined in your `config/external-auth.php` `'attributeMap'` should be available on your user model.

Troubleshooting
---------------


When configuring an external authentication source such as Apache mod\_auth\_mellon, it can be useful to see what attributes and values it is sending to PHP.

You can enable logging of this data (using your app's Laravel logging configuration) by setting `'logInput' => true,` in your config. You must also set `'logLevel'` to a level that your app's logging configuration actually records (e.g. info, debug, warning), that is, at or above its minimum level.

When not all user attributes are found, a list of both matched and missing attributes will also be logged.

Be aware that, except when `developmentMode = true`, this dumps the contents of `Request::server()` (which include the request's HTTP headers) into your Laravel logs, so it should only be enabled when essential for troubleshooting.

Development / Testing Configuration
-----------------------------------


Instead of configuring an authentication service such as Apache mod\_auth\_mellon during development, you can enable development mode and specify the headers that you want set:

`config/external-auth.php`

```
