Understanding Laravel Auth Guard

Laravel provides an easy to use authentication system, but it confused me a little when the first time I wanted to extend an application to have different type of users, each with its own table.

Laravel has defined some guards in config/auth.php out of the box:

This presents three related concepts: guard, driver and provider. Laravel has a good document on the topic of authentication, but it’s a bit lengthy and I felt confusion when I tried to configure them to support different users with separate tables. I hope this article can give you a quick understanding of the framework if you are also confused.

# Auth Guard

Wikipedia “Authentication”

In contrast with identification, the act of indicating a person or thing’s identity, authentication is the process of verifying that identity.

Laravel auth guard is responsible for authenticating a user. It takes some form of input and validate user identity in it. How to make the validation is implemented by a driver. The driver may use a user provider to retrieve user information.

Normally we use the API provided by auth guard to interact with the authentication system, like this:

$user = auth()->user();

# Auth Guard Driver

Driver knows how to authenticate user in a specific manner. For example, the session driver used by the “web” guard uses session ID for authentication. The session ID is encrypted and stored in a cookie named “laravel_session” by default. Session driver checks and decrypts session ID from this cookie, and then uses the configured provider to retrieve user information.

The contract for auth guard is Illuminate\Contracts\Auth\Guard. Session driver Illuminate\Auth\SessionGuard is one implementation. The following shows the main procedure.

If your project uses JWT, you might also have been using the great tymon/jwt-auth package. It contains a class Tymon\JWTAuth\JWTGuard implementing how to authenticate user by using JWT token in HTTP request.

# User Provider & Driver Configuration

The last piece of the configuration of auth guard is user provider. Actually, “provider” is not required in the configuration. It is required only when the driver requires it. Laravel document contains examples for drivers that do not need this configuration.

The configuration value for a guard will be passed into its driver as the driver’s configuration. In the following example:

JWT driver will receive:

[
'driver' => 'jwt',
'provider' => 'users',
'hash' => false,
]

as it’s configuration. This configuration is passed as $config in the following implementation:

So the scheme of guard configuration depends on its driver.

# Different Type of Users in Different Tables

In previous example, we have two types of user: admin and user. For admins session driver is used, and for users JWT driver is used. We could use them in auth middleware like this:

# protecting admin routes
Route::group(['middleware' => 'auth:admin'], function () {
# protecting user routes
Route::group(['middleware' => 'auth:user'], function () {

In our controller, we could use auth guard to get user information:

$user = auth()->user();

But wait! Now we have two kinds of auth guards, which one is used in this code? We know there’s a default guard configured in config/auth.php, is that one?

The answer is Laravel is smart enough to choose a proper guard. When authentication middleware authenticates a user via a guard specified in the route, it changes the default guard to that guard dynamically. So later auth()->user() call uses the right guard.

If you want to specify guard explicitly, you can do it like below:

# use admin guard explicitly
$user = auth('admin')->user();
# use user guard explicitly
$user = auth('user')->user();

Hope this article can be helpful, thanks for reading.

Full stack developer. Java, C, and Web.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store