
Talion:

Laravel Passport: how to log out a user?

I have a main project and a client project. The client project uses the main project for authorization through Laravel Passport. Login works fine, but when I try to log out using $request->user()->token()->revoke(); the client project redirects the user back to the main project for authorization, but for some reason, instead of asking for login, the main project simply issues a new token and redirects the user back to the client project. I think the problem is that my login routes and the routes that return the SPA application are placed in web, while all other routes are placed in api, but I can't understand how to fix this.

Also, I'm using \Laravel\Passport\Http\Middleware\CreateFreshApiToken::class in web (as I understand it, this allows me not to send a bearer token with every request). Also, even if I delete everything from the oauth_access_tokens table and refresh the page or send an API request to an api:auth protected route, I still get info like a logged-in user. Why is this happening? What should I do to make logout work properly?

My login and application routes (placed in web):

    Route::get('/authorization{any}', 'SpaController@auth')->where('any', '^.*$');

    Route::get('/{any}', 'SpaController@main')->where('any', '^(?!api)(?!logout)(?!storage).*$')->middleware('auth');

    Route::get('logout', 'AuthController@logout')->middleware('auth');

    Route::post('login', 'AuthController@login');

Authorization controller:

    public function login(Login $request)
    {
        if (config('recaptcha.enabled') && !$this->checkRecaptcha($request['recaptchaToken'], $request->ip())) {
            return 'Captcha error';
        }

        $credentials = request(['email', 'password']);

        // Session login through the default ('web') guard.
        if (!Auth::attempt($credentials)) {
            return response()->json([
                'message' => 'Unauthorized'
            ], 401);
        }

        $user = $request->user();

        // Issue a Passport personal access token (Carbon\Carbon must be imported in the controller).
        // Note: the plain-text token ($tokenResult->accessToken) is never returned to the client,
        // so the SPA relies on the CreateFreshApiToken cookie rather than a bearer token.
        $tokenResult = $user->createToken('Personal Access Token');
        $token = $tokenResult->token;

        if ($request->remember_me) {
            $token->expires_at = Carbon::now()->addWeeks(1);
        }

        $token->save();

        return (['redirect' => redirect()->intended('/')->getTargetUrl()]);
    }

Logout route (placed in api):

    Route::middleware(['auth:api', 'request.log'])->get('/logout', function (Request $request) {
        // Revokes only the token presented on this request.
        $request->user()->token()->revoke();
    });
0 likes
20 replies
Talion:

Thanks for the help, but the problem is, even if I manually delete everything from my oauth_tokens table, the user won't be logged out.

Nakov:

@talion as you said you are maintaining a web session as well, so maybe you need to call Auth::logout(); after you revoke the token.

Talion:

I have already tried that, but if I do so I get the error Method Illuminate\Auth\RequestGuard::logout does not exist. Is there any way to do Passport authorization without a web session? I don't need it; all I want is to be able to redirect the user back to the client project after login using ->intended() and not send a bearer token with every request (preferably, but not required).

Talion:

I did everything that was stated in this article. But now, when I'm using the default Laravel authorization instead of my custom one (which I showed in the question), any login attempt always returns an "Invalid credentials" error. Why is this happening?

jjmu15:

I have the same problem. I'm using the standard laravel Auth process to utilise Laravel Socialite and then using the CreateFreshApiToken middleware to consume the API locally.

When I try to log out by using Auth()->logout(); and also revoking the token, I get the Method Illuminate\Auth\RequestGuard::logout does not exist error.

I've tried specifying both the Auth('web') and Auth('api') guards as well and have had no luck.

jjmu15:

Not yet, sorry. It is on the dev list but focussing on other features first.

ignisrzeus:

Have you checked if the user has multiple tokens? Because it is possible.

    // Delete every token that belongs to the current user, not only the one
    // presented on this request.
    $request->user()->tokens->each(function ($token, $key) {
        $token->delete();
    });

This will delete all of the user's tokens. Hope this helps.

TassoPeperone:

I face the same problem. I tried everything, but with no result. Has anyone found a solution?

martinbean:

Passport adds an OAuth server to Laravel applications. You don’t “log out” when using OAuth-based authentication.

eli007s:

If you call a logout function from Postman, for example, and provide the token in the headers, how do you validate the request via an API call? I keep getting "null" for "auth()->user()".

ondery:

The solution is simple... If you log in from web routes (even if you use API personal access tokens with the cookie), you have to log out from web routes. Don't forget to apply the middleware 'auth' to your logout route.

* add a logout route to routes/web.php:

    Route::post('logout', 'Api\AuthController@logout')->middleware('auth');

and then you can use Auth::logout();

b8ne:

Did anyone end up with a solution for this?

martinbean:

@b8ne No, because there is no “solution”.

You don’t “log out” when using token-based authentication.

1 like
b8ne:

Are you saying there is no logout because it’s more about revoking tokens? To get what I want, I think I’d have to clear session on the client, ‘logout’ via api call to revoke tokens, then redirect the user to the identity provider logout route to clear the passport session cookie. But I’d also have to give a callback uri so I can finally redirect back to the client app. Seems excessive, but is that the best way?

martinbean:

Are you saying there is no logout because it’s more about revoking tokens?

@b8ne Yes. OAuth is token-based authentication. You don’t “log out” because you don’t “log in” anywhere using a token. You pass a token with any request you make. That request is either authorised by the token or not. There’s no state held on the server.

To get what I want, I think I’d have to clear session on the client, ‘logout’ via api call to revoke tokens, then redirect the user to the identity provider logout route to clear the passport session cookie.

So. Many. Questions. Why do you have sessions if you’re using Passport and APIs? What “passport session cookie”? Passport doesn’t have a session cookie. As I say, it’s an OAuth server implementation. You request tokens from the server, you then use those tokens to authenticate requests. These tokens should not be used to implement session- or cookie-based authentication at all.

I’d also have to give a callback uri so I can finally redirect back to the client app. Seems excessive, but is that the best way?

If you want session-based authentication then use session-based authentication and not a token-based authentication protocol like OAuth.

1 like
b8ne:

On the provider I'm using React to render the actual login and register front-end views. So I'm using Passport's CreateFreshApiToken, which is where the cookie comes in. I'm also using skipsAuthorization. So even if I revoke a token, when I try to authorise from the client again, the identity session is still valid, sees I'm already logged in, and automatically authorises the client. Ideally, if I log out from the client and revoke the token, when I try to authorise again I'd have to log in again.
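The two halves of the picture in ondery's answer (log out from the web routes) and in b8ne's plan (revoke the tokens, then end the provider's session so the next /oauth/authorize visit asks for credentials again) can be combined in one provider-side controller. What follows is an added example written for this thread, not code from any poster or from Passport itself. It assumes a Laravel application using Passport with CreateFreshApiToken in the web middleware group, a hypothetical App\Http\Controllers\LogoutController, and a constructed allow-list of client hosts; the route and host names are illustrative.

Two facts about Passport explain the symptoms reported in the thread. The cookie CreateFreshApiToken sets (Passport::cookie(), laravel_token by default) is a JWT minted from the web session and signed with the application key; Passport's TokenGuard authenticates it by checking the signature and the CSRF claim, not by looking up oauth_access_tokens, so emptying that table changes nothing while the session is alive and the cookie is simply re-issued on the next web response. And the "RequestGuard::logout does not exist" error appears when Auth::logout() resolves to Passport's api guard, which is a RequestGuard with no logout method; naming the web guard explicitly avoids it.

```php
<?php
// Added example for this thread (not Passport's code and not any poster's code).
// Assumes Laravel + Passport with CreateFreshApiToken in the 'web' middleware group.
// Route for routes/web.php (part of the example; POST so CSRF protection applies):
//   Route::post('logout', \App\Http\Controllers\LogoutController::class)->middleware('auth:web');

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cookie;
use Laravel\Passport\Passport;
use Laravel\Passport\RefreshTokenRepository;

class LogoutController extends Controller
{
    /** Client hosts the provider may send the browser back to (constructed, illustrative values). */
    private const ALLOWED_RETURN_HOSTS = ['client.example.test'];

    public function __invoke(Request $request, RefreshTokenRepository $refreshTokens): RedirectResponse
    {
        // Use the web guard explicitly: the route lives in routes/web.php, and the
        // api guard (a RequestGuard) has no logout() method.
        $user = Auth::guard('web')->user();

        if ($user !== null) {
            // 1. Revoke every access token issued to this user, plus the refresh tokens
            //    attached to each one, so no client can silently mint a replacement.
            foreach ($user->tokens as $token) {
                $token->revoke();
                $refreshTokens->revokeRefreshTokensByAccessTokenId($token->id);
            }
        }

        // 2. End the provider's own session. Without this the next /oauth/authorize
        //    visit sees a logged-in user and (with skipsAuthorization) re-approves the
        //    client without a password prompt, and CreateFreshApiToken keeps re-issuing
        //    the cookie on every web response.
        Auth::guard('web')->logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        // 3. Expire the CreateFreshApiToken cookie. It is a signed JWT tied to the
        //    session, not a row in oauth_access_tokens, so token revocation alone
        //    leaves it valid until it expires on its own.
        $redirect = $request->query('redirect');

        return redirect($this->safeReturnUrl(is_string($redirect) ? $redirect : null))
            ->withCookie(Cookie::forget(Passport::cookie()));
    }

    /**
     * Only follow a post-logout redirect to this app or to an allow-listed client.
     * Anything else ("//host", "/\host", "https:host", other hosts or schemes) goes to "/".
     * Without this check the logout endpoint is an open redirect.
     */
    private function safeReturnUrl(?string $url): string
    {
        if ($url === null || $url === '') {
            return '/';
        }

        // Local path: exactly one leading slash, not scheme-relative "//host" or "/\host".
        if (preg_match('#^/(?![/\\\\])#', $url) === 1) {
            return $url;
        }

        $parts = parse_url($url);
        if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
            return '/';
        }

        $schemeOk = in_array(strtolower($parts['scheme']), ['http', 'https'], true);
        $hostOk   = in_array(strtolower($parts['host']), self::ALLOWED_RETURN_HOSTS, true);

        return ($schemeOk && $hostOk) ? $url : '/';
    }
}
```

On the client side, logout drops the client's own session and then submits the browser to this route (a POST form, since web routes carry CSRF protection) with redirect set to one of its allow-listed pages. The provider revokes the tokens, ends its session, expires the cookie and sends the user back; the next authorization request from the client then starts at the login form instead of being auto-approved.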
