4asifm's avatar

Custom Authentication: Guard or Middleware

Hi All, I am trying to implement a custom authentication method in my Laravel app. After reading some documentation and some posts, I am thoroughly confused. I am using the Laravel Breeze starter package as a sandbox.

So in my config/auth.php I have defined a custom guard which uses the same driver and provider as "web":

    'customuser' => [
        'driver' => 'session',
        'provider' => 'users',
    ],

I have left the defaults as is in auth.php:

    'defaults' => [
        'guard' => 'web',
        'passwords' => 'users',
    ],

In my routes/web.php I have:

    Route::get('/home2', [HomeController::class, 'index'])->middleware(['auth:customuser']);

When I navigate to /home2 - I am presented with the login panel after which I am redirected back to "Dashboard" which is the default HOME for Breeze.

If I change the defaults guard from "web" to "customuser", it works fine when I navigate to /home2 - HomeController->index() is served.

So my first question is: why does it not work when the defaults is not changed? And my second question: is ->middleware(['auth:customer']) the right way to specify a custom auth guard? Or in my HomeController should I call Auth::guard('customeruser')->validate()? Is a guard really a middleware?

mabdullahsari's avatar

First of all, I'm pretty sure you're using the wrong tool for the problem at hand. Instead of defining additional guards, you should make use of user roles to authorize different parts of your application. Refer to this excellent blog post from Martin: https://martinbean.dev/blog/2021/07/29/simple-role-based-authentication-laravel/

A guard is, simply put, an object that is responsible for extracting user information from a request and translating that information into an existing entity/model in your application, which will be an Authenticatable instance in most cases (not necessarily though, e.g. in Sanctum). Whenever a guard is able to translate an incoming request into a user object, it deems the operation successful and thus authenticates the user sending the request. The authentication itself happens in a middleware named... you guessed it: Authenticate. It spins through the provided guard names and, if there is any match, sets the found entity as the default using the shouldUse method. At that point, you're authenticated.

The reason why you have to change the default is that every auth call falls back to the default guard set in the config file. If you don't change it, you will have to provide the guard's name with every call you make to the AuthManager, e.g. for retrieving the authenticated user's instance using auth()->guard('customuser')->user().

TL;DR Use a different guard if the means by which you have to authenticate differ from the default password-based one:

  • Biometric auth using WebAuthn
  • Passwordless auth
  • Token-based auth (e.g. an API endpoint)
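
The default-guard fallback and the Authenticate loop described in the reply above, as an added example that is not part of the original thread and is not Laravel's source. The class names mirror Laravel's for orientation, but the bodies are a simplified model; it assumes the login form authenticates against the default guard and that the session key is just 'login_' plus the guard name.

```php
<?php
// Simplified, constructed model of guard resolution; NOT framework code.

final class SessionGuard
{
    public function __construct(private string $name, private ArrayObject $session) {}

    // Assumption of this model: the session key embeds the guard name, so two
    // guards sharing one session and one provider still track logins separately.
    private function key(): string { return 'login_' . $this->name; }

    public function login(int $userId): void { $this->session[$this->key()] = $userId; }
    public function check(): bool { return isset($this->session[$this->key()]); }
    public function id(): ?int { return $this->session[$this->key()] ?? null; }
}

final class AuthManager
{
    private array $guards = [];

    public function __construct(private string $default, private ArrayObject $session) {}

    public function guard(?string $name = null): SessionGuard
    {
        $name ??= $this->default; // no name given: fall back to the default guard
        return $this->guards[$name] ??= new SessionGuard($name, $this->session);
    }

    public function shouldUse(string $name): void { $this->default = $name; }
}

// Stand-in for the Authenticate middleware: the first listed guard with a user wins.
function authenticate(AuthManager $auth, array $guards): string
{
    foreach ($guards as $name) {
        if ($auth->guard($name)->check()) {
            $auth->shouldUse($name); // later unnamed auth calls now use this guard
            return "authenticated via {$name}";
        }
    }
    return 'redirect to login';
}

$auth = new AuthManager('web', new ArrayObject());
$auth->guard()->login(42);                          // login that names no guard
echo authenticate($auth, ['customuser']), PHP_EOL;  // route behind auth:customuser
$auth->guard('customuser')->login(42);              // login against the named guard
echo authenticate($auth, ['customuser']), PHP_EOL;  // same route, second attempt
var_dump($auth->guard()->id());                     // unnamed call after shouldUse
```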
jlrdw's avatar

@4asifm if customizing Auth I suggest using manual authentication and not a starter kit.

https://laravel.com/docs/8.x/authentication#authenticating-users

So you are in full control. But just a suggestion. But a users table and authentication with Breeze should be fine. Then use authorization to determine what the logged-in user can or cannot do.

There are quite a few free videos on authorization right here on Laracasts.