UPDATE: Since I wrote this post, we’ve also added event-based user functionality and social login support to our Laravel integration. Be sure to check out those too!

A few months ago, we released an Authentication Driver for Laravel that allows you to use the Auth Facade. Recently, we updated this to a full integration with views already set up for you in our Laravel Authentication package. This makes it very easy to start a project with Stormpath authentication built in from the beginning. This isn’t just basic authentication, we are using tokens to do the authentication and following the OAuth standards for it!

With this package, we have enabled the basic user workflows for you. Login, Logout, Forgot Password, and Change Password workflows are pre-built and easy to turn on and off. These are all powered by the Stormpath PHP SDK and fully configurable from the configuration file.

What is Stormpath?

Stormpath is a complete identity API with powerful authentication, authorization, and user management for any application. Stormpath makes it easy to do stuff like:

  • User registration and login.
  • Account verification via email.
  • Password reset via email.
  • And a bunch of other cool stuff you probably don’t like coding!

Why Use Stormpath’s Laravel Authentication Package?

Well, quite simply, we make managing user accounts, roles, and permissions a lot easier, more secure, and more scalable than what you’re probably used to. We also automate a lot of advanced user features like customer-organizations for multi-tenant applications, single sign-on, and social login. Plus, you never have to build or maintain a user database.

Using Stormpath not only allows you to easily build your application out, but it also allows you to scale your site to support millions of users without changing your code, or even needing a database!

So, let’s dive in.

If you don’t already have a Stormpath account and application, you’ll need to create one now — you can do so here: https://api.stormpath.com/register

The rest of this article assumes you have a Stormpath account and API key pair.

Build Your Laravel Application

To help you understand how this package works and integrates with Laravel, let’s build a simple application. This application will have a Login, Logout, and Register functionalities. After we get all of the basics installed, we will enable the Forgot Password workflows and work with middleware.

Install the Tools You Need

The first step is to install all the tools needed to start this project. The following tools will be required:

  • Composer
  • Laravel
  • Stormpath-Laravel

Install Composer

Composer is a dependency manager for PHP. It is how Stormpath distributes all PHP Packages. Visit http://getcomposer.org and follow the instructions here to fully install composer. Once you have this installed, you should be able to type composer in terminal and see the output:

The following message may appear. You can ignore it as this is just a notice about performance if you are using xdebug.

You are running composer with xdebug enabled. This has a major impact on runtime performance. See https://getcomposer.org/xdebug

Install Your Laravel Project

In this example, I use a tool called the Laravel Installer. It is a simple command line tool that lets you quickly install a new project. There are a few other ways you can install Laravel but they all require composer.
Install the Laravel Installer by running composer global require "laravel/installer" Next, run the following to install the project.

If you don’t want to use the installer, another option to install Laravel is with composer. Visit https://laravel.com/docs/5.2/#installing-laravel

You can now cd into my-stormpath-project and run php artisan. If everything installed correctly, you should see something like the following:

Require the Stormpath Laravel Package

Requiring the Stormpath Laravel package is very simple with Composer. Open your composer.json file and add the following line to the require block:

At the time of writing this post, The package version is 0.1.0.

There are a few more settings that have to be configured to enable this package before you can run it. The first step is to take your API keys from Stormpath and put them into your .env file of your project. From the root of your project, open up .env and place the following at the end of the file replacing the necessary values.

After saving this file, We have to initialize the package. Open config/app.php and add the following to your providers section.

You should now be able to start up the server using php artisan serve from the command line and visit http://localhost:8000/login. You should see the following login screen


Congratulations, you have installed stormpath/laravel! You now have basic login and registration capabilities without needing to build any logic or views at all.

Protect a Route with Stormpath

Out of the box, we provide you with a few different middleware options to protect your routes. We have stormpath.guest and stormpath.auth

stormpath.guest is set up so only un-authenticated users can see the route. This is useful for registration pages and pricing/upgrade pages. These are pages that registered users may not need to see.

stormpath.auth is the inverse of stormpath.guest. This middleware requires a user to be logged into the system to be able to view the route.

To set up a route, all you need to do is add the middleware to the route.

By default. stormpath.guest middleware is enabled for login, register, forgot-password, and change-password routes.

Configure Your Laravel Integration

So far, we have touched on the basics of what this integration is able to do. We have built in many more features that can be enabled and configured within the Stormpath Configuration of the Package. In order to access and modify these, you will need to publish the vendor files. In Laravel, there is an artisan command to do this for us. From the root of your project in terminal, run php artisan vendor:publish and this will create a new file located at config/stormpath.php with all the configuration options that are available.

Enable Forgot/Reset Password Workflows

When building an application, a lot of people will either forget or incorrectly set up the forgot password and reset password workflows. If a developer does not want to manually reset user passwords all the time, they will want to offer a way for the user to do so. This can be a very insecure part of an application if it is not correctly set up.

We have made this easier for you and integrated it as part of the core package. By default, these workflows are turned off, but it is just a configuration option in the config/stormpath.php file that you need to enable. Find the forgotPassword key in the array and set enabled to true. You now have access to the Forgot password workflow by going to /forgot in your browser.

Forgot Password

This will begin the email flow for the forgot password workflow. The user will receive an email if the account is found. The email will include a link for them to reset their password. No crazy code is needed for you to set this up correctly and it is secure.

Pre-Built Workflows with ID Site

If you know about Stormpath, you may already know about ID Site. If you are unaware of what ID Site is, it is a set of hosted and pre-built user interface screens that take care of common identity functions for your applications — login, registration, and password reset. ID Site can be accessed via your own custom domain like id.mydomain.com and shared across multiple applications to create centralized authentication as needed.

We wanted to make an easy way for you to use ID Site in Laravel. There are a couple of things that need to be done to enabled ID Site. Steps for setting up ID Site can be found in the Stormpath docs.

To enable the package to use ID site for all your requests, open up the file config/stormpath.php and you will see a full list of available options. The one we are looking for can be found towards the bottom of the file in the web->idsite setting. We want to mark it as enabled for ID Site to work. Now, any of the features that are enabled will use ID site by default.

Finish up Your Secure Laravel Application

With the above, you should now be able to create a secure application quickly without much work to do. We would love to hear your thoughts on this and hope you are as excited as we are about this.

Feel free to drop a line over to email anytime.

Like what you see? to keep up with the latest releases.