
drissboumlik's avatar

Auth via Laravel passport to access blade views

I'm using Laravel Passport, there is no password column in the users table, and I have to display an admin panel.

How can this work exactly without a password? Thanks in advance.

1 like
23 replies
LaryAI's avatar
Level 58

Certainly! Here’s a step-by-step solution for using Laravel Passport for authentication with Blade views, even if your users table does not have a password column (such as when using social authentication or some custom auth):


1. Use Laravel’s session-based authentication for Blade views

Passport is designed for API authentication (typically for SPAs/mobile/etc.), but Laravel Blade views are most easily protected via the built-in session (web guard) authentication. If your users don’t have passwords, you can still manually log them in for Blade-protected views.

2. Add a login route or controller

If you don’t have passwords, you’ll need an alternative authentication method (socialite, magic links, one-time codes, etc.). Let’s say you want to log in an admin by their email:

// routes/web.php

Route::post('/admin-login', function (Illuminate\Http\Request $request) {
    $user = \App\Models\User::where('email', $request->email)->first();

    if (! $user) {
        return back()->withErrors(['email' => 'No such user']);
    }

    Auth::login($user);

    return redirect('/admin');
});

3. Protect your blade views using middleware

// routes/web.php

Route::get('/admin', function () {
    return view('admin.dashboard');
})->middleware('auth');

4. If you use Passport for API access only

Passport is for API token authentication and not usually used for authenticating Blade views. If an admin needs to access both API and Blade views, keep the API requests using Passport tokens, and use session (web) guard for logging into the Blade-admin area.

5. Summary

  • Use session-based (web guard) authentication for Blade views.
  • Use Passport (api guard) authentication for APIs.
  • Since you have no passwords, log in your users using another unique identifier (like email) manually, or use a package like Laravel Socialite.

Example: Socialite for Blade authentication

// routes/web.php

Route::get('login/{provider}', [SocialController::class, 'redirect']);
Route::get('login/{provider}/callback', [SocialController::class, 'callback']);

// app/Http/Controllers/SocialController.php

use Illuminate\Support\Facades\Auth;
use Laravel\Socialite\Facades\Socialite;
use App\Models\User;

class SocialController extends Controller
{
    public function redirect($provider)
    {
        return Socialite::driver($provider)->redirect();
    }

    public function callback($provider)
    {
        $socialUser = Socialite::driver($provider)->user();

        $user = User::firstOrCreate([
            'email' => $socialUser->getEmail(),
        ]);

        Auth::login($user);

        return redirect('/admin');
    }
}

In short:
Use session (web) authentication for accessing/administering Blade views, and keep Passport for APIs. If you lack passwords, use a different login mechanism (social, magic links, etc.), then manually authenticate users in your login flow for Blade.

Let me know if you need a specific example tailored to your auth flow!
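The email-only login route in step 2 of the answer above signs in whoever submits a known address. The version below, an added example and not code from the answer or from Laravel's documentation, makes the session depend on proof of mailbox ownership through a signed, expiring, single-use link. It assumes a configured mailer and cache; the `is_admin` column and the `admin.magic` route name are hypothetical.

```php
<?php
// routes/web.php (added example; is_admin and admin.magic are assumed names)

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\URL;
use Illuminate\Support\Str;

// Step 1: request a link. The response is identical whether or not the
// address exists, so the form cannot be used to enumerate accounts.
Route::post('/admin-login', function (Request $request) {
    $data = $request->validate(['email' => ['required', 'email']]);
    $user = User::where('email', $data['email'])->where('is_admin', true)->first();

    if ($user) {
        $nonce = Str::random(40);
        // Server-side record of the nonce is what makes the link single-use.
        Cache::put("magic-login:{$nonce}", $user->getKey(), now()->addMinutes(15));
        $url = URL::temporarySignedRoute('admin.magic', now()->addMinutes(15), ['nonce' => $nonce]);
        Mail::raw("Sign in: {$url}", fn ($message) => $message->to($user->email)->subject('Admin sign-in link'));
    }

    return back()->with('status', 'If the address is registered, a sign-in link has been sent.');
})->middleware('throttle:5,1');

// Step 2: the emailed link. The `signed` middleware rejects tampered or
// expired URLs; Cache::pull() returns the user id once and deletes it,
// so replaying the same link fails with 403.
Route::get('/admin-login/{nonce}', function (Request $request, string $nonce) {
    $userId = Cache::pull("magic-login:{$nonce}");
    abort_if($userId === null, 403);

    Auth::loginUsingId($userId);
    $request->session()->regenerate(); // fresh session id after login (session fixation)

    return redirect('/admin');
})->name('admin.magic')->middleware(['signed', 'throttle:10,1']);
```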

vincent15000's avatar

I'm not sure I understand what you need.

With or without a password, it is in my opinion the same problem: how are you managing the authorizations?

Accessing a Blade view doesn't depend on the password, but on the authorization to access the view.

With Passport (as well as with Sanctum), you can add abilities to the tokens, for example with scopes.

https://laravel.com/docs/12.x/passport#defining-scopes

You display the view only if the authenticated user has the ability to access the view.

drissboumlik's avatar

I'm trying to figure out how to log in users without a password first.

1 like
vincent15000's avatar

It's like when you access your Git repository (GitLab / GitHub) from the command line: you just have to generate a public/private key pair and copy the public one to your Git repository.

With Passport, the client application that wants to connect to your application has to request a token.

https://laravel.com/docs/12.x/passport#requesting-tokens

You necessarily need to send a client id and a client secret, the equivalent of a username and a password.

But Passport is mostly used to allow other applications to connect to your application via an API.

1 like
drissboumlik's avatar

I have always used Laravel Passport with a password:

post '/login' (email+password) => returns token

get '/users' (include token in headers Bearer)

That's it.

I have never worked without using a password.

Should I use a client id and secret for every user?

Or how should this work without the password?

1 like
vincent15000's avatar

Can you explain the context in which you are using Passport?

Is it to allow users to log in using a login form? If yes, you don't need Passport.

drissboumlik's avatar

I have to use Passport (enforced by the project client).

I'm working on an app that should work as a YouTube-like platform, course platform or video CDN. Users can have access to protected routes either by an API key (apikeys table) or Laravel Passport through an OAuth2 server (I'm not familiar with this).

I have always used Laravel Passport for simple login: post '/login' => get token, that's it.

1 like
vincent15000's avatar

I don't understand ...

users can have access to protected routes

Do you mean they have access via another application? So another application will access your application?

drissboumlik's avatar
// in my api.php
Route::middleware(['auth.multi-guard', 'group.permission'])->group(function (): void {
       // ....
});

// here is the auth multi-guard middleware
public function handle(Request $request, Closure $next): Response
{
    // Try API key authentication first
    if ($apiKeyUser = Auth::guard('api-key')->user()) {
        Auth::setUser($apiKeyUser);

        return $next($request);
    }

    // Fall back to default Passport authentication
    if ($apiUser = Auth::guard('api')->user()) {
        Auth::setUser($apiUser);

        return $next($request);
    }

    // If neither method works, return unauthorized
    return response()->json(['message' => 'Unauthenticated.'], Response::HTTP_UNAUTHORIZED);
}

I think it will be accessed from different apps. This API I'm working on can serve as a YouTube-like platform, a course platform or a video CDN for other apps.

So I was told we will have the same code but 3 instances (installations) of this app:

  • YouTube-like platform

  • course platform

  • video CDN for other apps

1 like
martinbean's avatar

@drissboumlik I really don’t understand what you’re trying to do, and I don’t think you do either, or you don’t understand what OAuth actually is or how it works.

How is a user meant to obtain an OAuth access token if they don’t have a password? An OAuth token isn’t just going to appear out of thin air. Your admin panel needs to redirect the user somewhere to authenticate (using email and password), and when they have authenticated, they’d be redirected back to the admin panel with an OAuth token.

But if you did do that, then what is the point of using OAuth in the first place? You may as well just use session-based authentication. Trying to use Passport/OAuth for first-party authentication with the same app is just a complete waste of time, over-engineering, and unnecessary.

1 like
martinbean's avatar

@drissboumlik I’m still confused. Where do “external apps” come into accessing an admin panel?

Can you explain:

  1. Which application the admin panel belongs to.
  2. Which application the users you want to access the admin panel belong to.
1 like
drissboumlik's avatar

Oh no, forget the admin panel.

I wasn't told about any other apps; I just assumed so since the users table has no password column:

other apps accessing the app's protected routes through the auth:api middleware.

Also, I have always used Laravel Passport for simple login: post '/login' => get token, that's it.

1 like
vincent15000's avatar

I wasn't told about any other apps

So it's just to log in to an application, but without a password?

Passport doesn't do that; you necessarily need a pair of values like id / secret or email / password, ...

If you want to log in without a password, you can for example send an email with a link to log in. So no password, but just an email with a link.

1 like
drissboumlik's avatar

I think so.

This app will be API only, no frontend.

1 like
vincent15000's avatar

Oh ... you mean that the application has no frontend?

Sorry ... but it's very difficult to understand what type of application you have without some precise details.

drissboumlik's avatar

I'm guessing the users will get access through another app (client).

1 like
JussiMannisto's avatar

You have to understand what you want to achieve first. How could anyone help you if you're guessing what the task is?

Figure out what your code needs to do first: who authenticates the users, and how.

2 likes
vincent15000's avatar

You are guessing that the user will get access through another app?

Hmmm ... are you really working on the application?

Why are you only guessing that?

You first have to know exactly what you have to do ... you can't only guess.

martinbean's avatar

I'm guessing the users will get access through another app (client)

@drissboumlik So how about you stop “guessing”, and actually get some details nailed down? Because right now no one (including you) knows what you’re trying to achieve, so you’re just wasting everyone’s time.

1 like
martinbean's avatar

@drissboumlik So you wouldn’t use Passport here. If the user information is stored with account.company.com, and you’re authenticated via that website, then you’d use Socialite and a custom provider to obtain the user information from that site, obtain an OAuth access token, and then use that token to create/retrieve a user in your database.

So, you should have a controller that does the redirect to account.company.com, and also handles the token callback from account.company.com. When you’ve got the token, you use that to create/retrieve the user in your application and authenticate them:

class AuthController extends Controller
{
    public function redirectToProvider()
    {
        return Socialite::driver('company.com')->redirect();
    }

    public function handleProviderCallback()
    {
        $externalUser = Socialite::driver('company.com')->user();

        // $externalUser is instance of \Laravel\Socialite\AbstractUser
        // Use external user details to create/retrieve user in your database
        $user = User::query()->updateOrCreate(
            attributes: [
                'external_user_id' => $externalUser->getId(),
            ],
            values: [
                'name' => $externalUser->getNickname(),
            ],
        );

        // Once you have created/retrieved user, authenticate them...
        Auth::login($user);

        return redirect()->route('admin.dashboard');
    }
}
2 likes
