Nyacho's avatar

Authenticated user lost after redirect

Using Laravel 9

"require": {
    "php": "^8.0.2",
    "guzzlehttp/guzzle": "^7.2",
    "laravel/framework": "^9.19",
    "laravel/passport": "^12.0",
    "laravel/sanctum": "^3.0",
    "laravel/tinker": "^2.7",
    "tymon/jwt-auth": "^2.1"
},

I've been at this for almost 8 hours now and no amount of Stack Overflow, Laracasts threads and ChatGPT prompts were able to solve this issue.

I am trying to authenticate a user using OAuth.

if ($response->status() == 200) {
    $userInfo = [
        'id' => $response["output"]['id'],
        'first_name' => $response["output"]['first_name'],
        'last_name' => $response["output"]['last_name'],
        'email' => $response["output"]['email'],
        'access_token' => $accessToken
    ];

    $user = new User($userInfo);
    Auth::login($user);
    // dd(Auth::user());
    return redirect()->route('home');
    // return view("home");
}

When I datadump Auth::user() before the redirect, it displays the authenticated user. When I datadump Auth::user() after the redirect in my HomeController, it returns false.

When I return the home view I can see that the user is authenticated but when I go to a new page the authenticated user is gone.

All my routes are in the same group

//web.php
Route::group([], function () {
    Route::get('/', [HomeController::class, 'index'])->name('home');
    Route::get('login', [AuthController::class, 'index'])->name('login');
    Route::get('login/callback', [AuthController::class, 'callback'])->name('login.callback');
});

I double-checked all session settings and tried the file, database and cookie drivers, and nothing works. The only way I can get this to work is if I remember the login. My session config is as follows:

array:15 [▼ // app/Http/Controllers/HomeController.php:13
  "driver" => "file"
  "lifetime" => "120"
  "expire_on_close" => false
  "encrypt" => false
  "files" => "/app/htdocs/storage/framework/sessions"
  "connection" => null
  "table" => "sessions"
  "store" => null
  "lottery" => array:2 [▶]
  "cookie" => "laravel_session"
  "path" => "/"
  "domain" => "localhost"
  "secure" => false
  "http_only" => true
  "same_site" => "lax"
]

The kernel is as follows:

protected $middleware = [
        // \App\Http\Middleware\TrustHosts::class,
        \App\Http\Middleware\TrustProxies::class,
        \Illuminate\Http\Middleware\HandleCors::class,
        \App\Http\Middleware\PreventRequestsDuringMaintenance::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
    ];

protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

Please help, I am fighting for my life.

tykus's avatar

You new up a User in memory for the current request

$user = new User($userInfo);

but it is not persisted so there is no User record to find after the redirect. You need to save the User instead:

$user = User::updateOrCreate([
    'id' => $response["output"]['id'] // and/or email
], [
    'first_name' => $response["output"]['first_name'],
    'last_name' => $response["output"]['last_name'],
    'email' => $response["output"]['email'],
    'access_token' => $accessToken
]);
Nyacho's avatar

@tykus I thought authenticated users were stored in the session. In my application users aren't supposed to be stored in a database, as the OAuth server stores all the data. I guess I can work around this by letting the OAuth server log users out on every other app that connects to it, but that seems kind of silly.

Any suggestions?

tykus's avatar

@Nyacho that's not how Socialite/OAuth is intended to be used; your application needs to be able to identify an authenticated User in subsequent requests. The OAuth flow has been completed and your user has been authenticated; where do you suppose the User is going to be stored in the meantime so that the Auth provider can retrieve it in subsequent Requests?

Nyacho's avatar

@tykus As I mentioned before, I thought the user was stored in the session and that the auth provider got the user from there. All user data is stored on the OAuth server, and will be retrieved once logged in via that server. I wanted to avoid storing users in a second database, as I figured it would create mismatched data if something were to be patched in either of the databases. I suppose the updateOrCreate method would somewhat mitigate this.

tykus's avatar

@Nyacho a User ID is stored in the Session, but the User record is retrieved on every Request (whenever using the built-in Auth Providers).

If you want to avoid storing some representation of the User in your database, then you will need to write your own Authentication system that uses only the Session. Otherwise, store the minimum information needed and use updateOrCreate to keep the data in sync.
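
The session-only alternative mentioned in the last reply could look like this in Laravel 9. This is an added example, not code from any participant in the thread; the driver name `oauth-session`, the session key `oauth_user` and the `storeProfile` helper are hypothetical names chosen here.

```php
<?php
// app/Providers/AuthServiceProvider.php -- added example, not code from the thread
namespace App\Providers;

use Illuminate\Auth\GenericUser;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class AuthServiceProvider extends ServiceProvider
{
    // Hypothetical session key holding the profile returned by the OAuth server.
    public const SESSION_KEY = 'oauth_user';

    public function boot(): void
    {
        $this->registerPolicies();

        // 'oauth-session' is a hypothetical driver name; select it in config/auth.php:
        // 'guards' => ['web' => ['driver' => 'oauth-session']].
        Auth::viaRequest('oauth-session', function (Request $request) {
            if (! $request->hasSession()) {
                return null; // route is outside the 'web' group, no session started
            }
            $profile = $request->session()->get(self::SESSION_KEY);
            // Anything that is not an array with an id counts as unauthenticated.
            if (! is_array($profile) || empty($profile['id'])) {
                return null;
            }
            // GenericUser implements Authenticatable without touching a database.
            return new GenericUser($profile);
        });
    }

    // Call from the OAuth callback in place of Auth::login($user).
    public static function storeProfile(Request $request, array $output): void
    {
        // Issue a new session ID at login so a pre-login ID cannot be reused.
        $request->session()->regenerate();
        // Store only what the app needs. The access token is left out because the
        // session config shown in the question uses the file driver with 'encrypt' => false.
        $request->session()->put(self::SESSION_KEY, [
            'id' => $output['id'],
            'first_name' => $output['first_name'],
            'last_name' => $output['last_name'],
            'email' => $output['email'],
        ]);
    }
}
```

In the callback, `AuthServiceProvider::storeProfile($request, $response['output'])` replaces the `Auth::login($user)` call before the redirect, and `$request->session()->invalidate()` logs the user out.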
