Stuck in Login Loop After Successful Authentication

Greetings all. We have an existing Laravel v9 web app which we are trying to integrate Auth0 into. The goal is to have Auth0 take over the frontend web sessions, but leave the backend API stuff alone, so in config/auth0.php we have:

return Configuration::VERSION_2 + [
    'registerGuards' => true,
    'registerMiddleware' => false,
    'registerAuthenticationRoutes' => true,
    'configurationPath' => null,

Because registerMiddleware wasn’t set to true we added the following line to the ‘web’ middleware group, as directed in the doc’s config section:

    protected $middlewareGroups = [
        'web' => [

The interesting bits of our routes/web.php are as follows:

Auth::routes(['register' => false, 'login' => false, 'logout' => false]);
Route::redirect('/', 'login');

Route::middleware('guest')->group(function () {
    Route::view('/register', 'auth.register')->name('register');
    Route::post('/register', 'Auth\ActivateController@register')->name('submit-registration');

Route::middleware(['auth','web','mobile'])->group(function() {
    // protected routes here

I created an event listener which waits for the AuthenticationSucceeded event from the callback, and can see that event is firing the the returned event object is full of all of the correct information about the logged in user.

After successful login, the user is sent back to the Auth0 login page in an infinite loop, almost as though the session values are not sticking. (We have our Laravel session handler set to ‘database’ and have not had any issues with our web app which we’ve been using for years)

I’ve tried various troubleshooting tweaks including:

  • Setting registerMiddleware = true and removing the manually added line to the web group
  • Removing Route::redirect(‘/’, ‘login’) to ensure it was not the cause of the loop
  • Totally commenting out the call to Auth::routes() to ensure it was not interfering
  • Messing with the AUTH0_ROUTE_* config parameters in my .env file
  • Running “composer update --no-dev; ./artisan optimize:clear; ./artisan optimize;” and opening a fresh private browser window before each login test to ensure a completely clean slate
  • Adding the behavior → legacyGuardUserMethod config mentioned in the release notes of an earlier version of the SDK.
  • etc.

I’m not seeing anything in the logs, so I don’t know where to start troubleshooting.

Any help greatly appreciated. Thank you!

For those who come across this post in the future, the root cause of the problem was we were using Eloquent user models, but had neglected to implement a custom UserRepository as outlined on the Eloquent page of the documentation. Once we did that, everything started working as expected.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.