In many Laravel applications, OAuth is handled correctly, but authorization modeling slowly degrades over time.
Scopes become undocumented strings.
Authorization rules spread across policies, middleware, and UI layers.
Admin panels re-implement domain logic that should not live there.
To address this, I extracted the authorization domain logic from a real-world Filament + Passport setup into a dedicated
core package:
👉 https://github.com/N3XT0R/laravel-passport-authorization-core
What this package is
Laravel Passport Authorization Core is a UI-agnostic, domain-oriented authorization layer built on top of
Laravel Passport.
It focuses on authorization intent, not OAuth mechanics.
- No UI
- No OAuth flows
- No token issuance
- No policy enforcement magic
Passport remains fully responsible for runtime authentication and token validation.
The core idea
Instead of treating scopes as arbitrary strings, this package introduces explicit authorization concepts:
- Structured scopes (resource:action)
- Authorization context (client, grant, actor, scope, intent)
- Application-level use cases as the only integration surface
- Clear separation of:
- Domain
- Application (Usecases)
- Infrastructure (Passport integration)
All interaction happens through Application / Usecase classes — never through low-level models or repositories.
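The structured-scope idea above, sketched as an added example (not code from the package): a scope string is parsed into resource and action and checked against a documented catalogue instead of being passed around as a free-form string. `StructuredScope` and `ScopeCatalogue` are hypothetical names, and the identifier pattern and sample catalogue are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical value object, not a class from the package. Requires PHP 8.1+.
final class StructuredScope
{
    private function __construct(
        public readonly string $resource,
        public readonly string $action,
    ) {}
    public static function parse(string $raw): self
    {
        // Exactly one ':' between two lowercase identifiers (assumed grammar);
        // wildcards, whitespace and extra segments are rejected.
        if (preg_match('/\A([a-z][a-z0-9_-]*):([a-z][a-z0-9_-]*)\z/', $raw, $m) !== 1) {
            throw new InvalidArgumentException("Malformed scope: {$raw}");
        }
        return new self($m[1], $m[2]);
    }
    public function __toString(): string
    {
        return "{$this->resource}:{$this->action}";
    }
}

// Hypothetical catalogue: the documented set of resources and their actions.
final class ScopeCatalogue
{
    /** @param array<string, list<string>> $allowed resource => actions */
    public function __construct(private array $allowed) {}

    public function assertKnown(StructuredScope $scope): void
    {
        // Strict comparison; an unknown resource yields an empty action list.
        if (!in_array($scope->action, $this->allowed[$scope->resource] ?? [], true)) {
            throw new DomainException("Undocumented scope: {$scope}");
        }
    }
}

// Constructed sample data: two valid definitions, three that must be refused.
$catalogue = new ScopeCatalogue(['invoices' => ['read', 'write'], 'users' => ['read']]);
foreach (['invoices:read', 'users:delete', 'admin', 'invoices:read:all', 'users:read'] as $raw) {
    try {
        $scope = StructuredScope::parse($raw);
        $catalogue->assertKnown($scope);
        echo "accepted  {$scope}\n";
    } catch (InvalidArgumentException | DomainException $e) {
        echo "rejected  {$e->getMessage()}\n";
    }
}
```

This only validates scope definitions; deciding whether a given token may use a scope remains with Passport and the application's own enforcement.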
Why this matters
Laravel Passport intentionally avoids opinions about authorization modeling.
In larger systems, this often leads to:
- duplicated authorization logic
- unclear ownership of permissions
- UI-driven security decisions
- poor auditability and reviewability
This package provides a single, explicit authorization backbone that can be reused by:
- admin interfaces (e.g. Filament)
- policies and middleware
- API gateways
- background jobs
- audit and compliance tooling
What this package does not do
To be explicit:
- ❌ It does not replace Passport
- ❌ It does not implement OAuth flows
- ❌ It does not enforce authorization decisions
- ❌ It does not assume application architecture
It defines structure and intent — enforcement remains the responsibility of the application.
Relationship to Filament Passport UI
This package serves as the domain core for
Filament Passport UI, which focuses purely on administrative UI concerns.
The long-term architecture deliberately separates:
- Authorization domain logic → Core package
- Presentation & admin workflows → UI package
Both packages evolve independently with a stable boundary.
Who this is for
This package is intended for developers who:
- care about long-term authorization clarity
- work on multi-service or multi-team systems
- want audit-friendly security models
- prefer explicit architecture over implicit conventions
Final thoughts
This is not a “plug-and-play helper package”.
It’s a foundational library meant to support clean architecture and long-lived systems.
Feedback, architectural discussion, and constructive criticism are very welcome.
👉 https://github.com/N3XT0R/laravel-passport-authorization-core