
bschooly

Using Socialite with custom auth provider

I have a Laravel app that by design uses no database. Instead all (including authentication) data is obtained via SOAP/XML calls to an external host.

So I use my own user provider that provides validateCredentials(), etc. User credentials are passed to this remote server where the auth attempt is made. If successful, a sessionid from the server is returned and passed and checked in subsequent api calls. All good.

Now I want to use Socialite to allow logins via Google, etc. I have it working basically by adding the same login api call that I normally do in the callback function.

Now to my question or confusion. I'm trying to understand how Socialite handles the token expiration. Is the token checked to see if it's still good on every request? If so, does this still happen when the user/auth provider is custom?

In testing I haven't seen any timeout initiated by the Socialite code. My timeout from the server is all that is working...

Thanks in advance for your comments/help.

-b

martinbean

Now to my question or confusion. I'm trying to understand how Socialite handles the token expiration.

@bschooly It doesn’t. Socialite is just a package for obtaining OAuth tokens from an OAuth server. It does the initial authorisation and that’s it. It doesn’t manage the lifecycle of any tokens it obtains.

You get the OAuth access token (and a refresh token if the server issues one). It’s then up to you to store these and refresh access tokens if needed.

bschooly

Thanks. So no session management whatsoever? Like session expiration?

So I would have to do something like save the token in the session, then check it (examine it, etc.) on each request? Do the token refresh where needed, etc.

martinbean

@bschooly No, it doesn’t do anything with the tokens. It just helps you retrieve them from a third party. It’s then up to you what you do with them.

So yeah, you’ll need to save the token somewhere and keep an eye on the expiry time, and ensure you refresh the token before it expires. Otherwise, if the access token expires then the associated refresh token will be invalidated as well, and you’ll then need to send your user back through the approval process in order to get a new, valid token.
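
The per-request check discussed in this thread, written out as an added example; it is not part of the original posts and not Socialite code. The class and method names are hypothetical, the session is modelled as a plain array, and `$refresher` stands in for whatever call the application makes to the provider's token endpoint. The token, refresh token and lifetime passed to `remember()` correspond to the `token`, `refreshToken` and `expiresIn` values on the user object Socialite returns in the callback.

```php
<?php
declare(strict_types=1);

// Added example: OAuthTokenGuard and its methods are hypothetical names.
final class OAuthTokenGuard
{
    public const FRESH = 'fresh';
    public const REFRESHED = 'refreshed';
    public const REAUTH = 'reauthorize';

    /** $refresher: callable(string $refreshToken): ?array, null when the provider refuses. */
    public function __construct(private $refresher, private int $skew = 60) {}

    /** Record what the callback received, turning the lifetime into an absolute expiry. */
    public function remember(array &$session, string $token, ?string $refresh, int $expiresIn, int $now): void
    {
        $session['oauth'] = [
            'token' => $token,
            // A refresh response may omit the refresh token; keep the one already held.
            'refresh' => $refresh ?? ($session['oauth']['refresh'] ?? null),
            'expires_at' => $now + $expiresIn,
        ];
    }

    /** Run once per request, before the stored access token is used. */
    public function ensureFresh(array &$session, int $now): string
    {
        $t = $session['oauth'] ?? null;
        if ($t === null) {
            return self::REAUTH;
        }
        if ($now < $t['expires_at'] - $this->skew) {
            return self::FRESH;              // still valid, with a safety margin
        }
        $new = $t['refresh'] !== null ? ($this->refresher)($t['refresh']) : null;
        if ($new === null) {
            unset($session['oauth']);        // never keep using an expired token
            return self::REAUTH;             // send the user back through approval
        }
        $this->remember($session, $new['token'], $new['refresh'] ?? null, $new['expires_in'], $now);
        return self::REFRESHED;
    }
}

// Constructed demo values; the closure fakes the provider's refresh call.
$guard = new OAuthTokenGuard(fn (string $rt): ?array => $rt === 'rt-1' ? ['token' => 'at-2', 'expires_in' => 3600] : null);
$session = [];
$guard->remember($session, 'at-1', 'rt-1', 3600, 1000);
echo $guard->ensureFresh($session, 2000), "\n";   // well inside the lifetime
echo $guard->ensureFresh($session, 4590), "\n";   // inside the skew window, so a refresh is attempted
```

In a Laravel app this check would typically sit in middleware, with the array replaced by the server-side session so the tokens never reach the browser.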
