
naspy971's avatar

Unable to make my own 'api' middleware alias in order to use a dependency

Hi,

So basically I work on a Laravel 11 project, and the session cookie is generated by a portal from which I access my application.

I have an AuthMiddleware aliased to 'sso' which is responsible for sending a request to the portal app with the cookie, retrieving the user, and authenticating him.

I'm using a library in my vendors which exposes routes which are protected by a middleware aliased to 'api'.

My issue is that since I don't have any middleware aliased to 'api' in my application, my user is never authenticated and thus, I can't use the library for the moment.

I tried to replace my alias 'sso' with 'api' like so:

    ->withRouting(
        web: __DIR__ . '/../routes/web.php',
        api: __DIR__ . '/../routes/api.php',
        commands: __DIR__ . '/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // Registers AuthMiddleware under the alias 'api'
        $middleware->alias([
            'api' => AuthMiddleware::class,
        ]);
    })

But if I try to dd() something from within AuthMiddleware, this middleware is never called when associated with the alias 'api'.

What's wrong? Is there a mismatch somewhere?

Thanks.

0 likes
5 replies
naspy971's avatar

I finally found the solution:

    ->withRouting(
        web: __DIR__ . '/../routes/web.php',
        api: __DIR__ . '/../routes/api.php',
        commands: __DIR__ . '/../routes/console.php',
        health: '/up',
        then: function () {
            Route::middleware('sso')
                ->group(base_path('vendor/path/to/routes/api.php'));
        }
    )

My 'sso' middleware is now overriding the 'api' middleware mentioned in the dependency route file.

martinbean's avatar

@naspy971 You should be using middleware properly. You don’t want to be overriding the entire api middleware group just to do some custom authentication; just use the built-in auth middleware and specify your guard for your API routes:

    // routes/api.php
    Route::middleware('auth:api')->group(function () {
        // Routes protected by 'api' auth guard...
    });

You can configure the api guard to use your own “SSO” provider:

  'guards' => [
      'web' => [
          'driver' => 'session',
          'provider' => 'users',
      ],
+     'api' => [
+         'driver' => 'soo',
+         'provider' => 'users',
+     ],
  ],
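Review bot: the added `'driver' => 'soo'` line does not match the driver name `sso` that the `Auth::extend('sso', ...)` call shown in this same reply registers, so the `api` guard would point at a driver nothing on the page defines. The value should read `'driver' => 'sso'`.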

You can define your own guard with your own logic (i.e. retrieving users from an SSO server) as per the auth docs:

    Auth::extend('sso', function (Application $app, string $name, array $config) {
        return new SsoGuard(Auth::createUserProvider($config['provider']));
    });

This way, you’re using Laravel’s authentication component properly, and you’re not going to utterly confuse other developers by completely overriding things like entire middleware stacks for the entirely wrong purpose.

1 like
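One way to write the `SsoGuard` that the reply above passes to `Auth::extend`, as an added example that is not code from this thread or from Laravel itself: it resolves the user from the portal cookie and returns no user whenever the portal cannot confirm the session. The cookie name `portal_session`, the config key `services.sso.userinfo_url` and the `id` field in the portal's JSON reply are assumptions.

```php
<?php
namespace App\Auth;

use Illuminate\Auth\GuardHelpers;
use Illuminate\Contracts\Auth\Authenticatable;
use Illuminate\Contracts\Auth\Guard;
use Illuminate\Contracts\Auth\UserProvider;
use Illuminate\Http\Client\ConnectionException;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;

class SsoGuard implements Guard
{
    use GuardHelpers; // supplies check(), guest(), id(), hasUser(), setUser()

    public function __construct(UserProvider $provider, private ?Request $request = null)
    {
        $this->provider = $provider;
    }

    public function user(): ?Authenticatable
    {
        if ($this->user !== null) {
            return $this->user; // already resolved during this request
        }
        // Assumed cookie name; assumes the raw value reaches the app unencrypted.
        $cookie = ($this->request ?? request())->cookie('portal_session');
        if (! is_string($cookie) || ! preg_match('/\A[\w.~%+\/=-]{1,4096}\z/', $cookie)) {
            return null; // missing or oddly shaped value is never forwarded
        }
        try {
            $response = Http::timeout(3)->acceptJson()
                ->withHeaders(['Cookie' => 'portal_session=' . $cookie])
                ->get(config('services.sso.userinfo_url')); // assumed config key
        } catch (ConnectionException) {
            return null; // portal unreachable: fail closed
        }
        $id = $response->successful() ? $response->json('id') : null; // assumed field
        if (! is_int($id) && ! is_string($id)) {
            return null;
        }
        return $this->user = $this->provider->retrieveById($id);
    }

    public function validate(array $credentials = []): bool
    {
        return false; // no credential login here; identity comes only from the portal
    }
}
```

Because `user()` returns `null` on every failure path, the built-in `auth:api` middleware treats the request as unauthenticated and raises `AuthenticationException` rather than letting it through.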
naspy971's avatar

@martinbean Just one more question now that I have successfully implemented this solution. In my previous AuthMiddleware I used to throw an exception and return it as JSON to the user if the authentication failed. I can't find a way to achieve this using a guard.

I tried this:

    ->withExceptions(function (Exceptions $exceptions) {
        // Render authentication failures as a JSON 401 response
        $exceptions->render(function (
            AuthenticationException $exception,
            Request $request
        ) {
            return Response::json([
                'Authentication failed' => $exception->getMessage(),
            ], 401);
        });
    })

But all I get is "Route [login] not defined."

martinbean's avatar

@naspy971 You’ll get a JSON response if you request one. You need to add an Accept: application/json HTTP header when making requests.
