Download the PHP package centivadev/filament-google-workspace-auth without Composer
On this page you can find all versions of the php package centivadev/filament-google-workspace-auth. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package filament-google-workspace-auth
Short Description Google Workspace auth for Filament users
License MIT
Homepage https://github.com/centivadev/filament-google-workspace-auth
Information about the package filament-google-workspace-auth
Filament Google Workspace Auth
Google Workspace (OIDC) authentication for Filament v4/v5 using a dedicated FilamentUser model and Spatie roles/permissions.
Features
- 100% Google login (no username/password)
- Workspace domain restriction (hd + email domain)
- Automatic user provisioning with avatar + last login timestamp
- Default role assignment on first login (configurable)
- Filament resources to manage users/roles/permissions (with protected roles)
- Policies + permissions-based authorization (Laravel Gate)
- Separate guard and model to avoid conflicts with a future User model
- Session validity management: absolute timeout + near-real-time Google account revocation detection
Requirements
- PHP 8.2+
- Filament v4 or v5
- Laravel 11/12+
Installation
Publish config + migrations:
Install Spatie permissions (migrations + config):
Google Cloud Console Setup
- Create or select a Google Cloud Project
- Configure OAuth Consent Screen
  - Type: Internal (Workspace only)
  - Add your Workspace domain (mydomain.com)
  - Add scopes: openid, email, profile
- Create OAuth Client ID
  - Type: Web application
  - Authorized redirect URI: https://YOUR-FILAMENT-DOMAIN/auth/google/callback
    - Example: https://admin.mydomain.com/auth/google/callback
- Copy the Client ID and Client Secret into your .env
Filament Panel Setup
Enable the plugin and remove password-based features from your panel provider:
Remove ->passwordReset() and ->emailVerification() from your panel provider to keep the login 100% Google.
FilamentUser model
Add the required traits and fields:
Make sure the filament guard exists in config/auth.php and that the filament-users provider uses the FilamentUser model.
Configuration
The published config file lives at:
config/filament-google-workspace-auth.php
Key options:
- hosted_domain to restrict Workspace domain
- allowed_emails to restrict to specific emails
- super_admin_emails to auto-assign super-admin
- default_role to auto-assign guest
- guard to match your Filament guard (default: filament)
- routes.prefix to align with your Filament path (example: auth/google for a root-domain panel)
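The hosted_domain and allowed_emails restrictions only hold if they are enforced on the claims of the verified ID token, not on the request sent to Google. The following is an added example, not the package's own code: the function name and the shape of $config are hypothetical, and the token's signature, issuer, audience and expiry are assumed to have been verified already.

```php
<?php
declare(strict_types=1);

// Added example, not the package's code. $claims is the payload of an
// ID token that has already been verified; the function name and the
// $config array shape are hypothetical.
function workspaceClaimsAllowed(array $claims, array $config): bool
{
    $domain = strtolower(trim((string) ($config['hosted_domain'] ?? '')));
    $email  = strtolower(trim((string) ($claims['email'] ?? '')));
    $hd     = strtolower((string) ($claims['hd'] ?? ''));

    if ($email === '') {
        return false;
    }
    if ($domain !== '') {
        // Consumer Google accounts carry no hd claim: absent must fail.
        if ($hd !== $domain) {
            return false;
        }
        // Compare everything after the last "@" exactly. A suffix or
        // substring test would accept user@mydomain.com.example.net.
        $at = strrpos($email, '@');
        if ($at === false || substr($email, $at + 1) !== $domain) {
            return false;
        }
    }
    $allowed = array_map('strtolower', $config['allowed_emails'] ?? []);
    return $allowed === [] || in_array($email, $allowed, true);
}

// Constructed sample claims (not real accounts).
$config  = ['hosted_domain' => 'mydomain.com', 'allowed_emails' => []];
$samples = [
    'workspace user'      => ['email' => 'ana@mydomain.com', 'hd' => 'mydomain.com'],
    'consumer account'    => ['email' => 'ana@gmail.com'],
    'hd ok, other domain' => ['email' => 'ana@mydomain.com.example.net', 'hd' => 'mydomain.com'],
    'other workspace'     => ['email' => 'ana@other.org', 'hd' => 'other.org'],
];
foreach ($samples as $label => $claims) {
    printf("%-20s %s\n", $label, workspaceClaimsAllowed($claims, $config) ? 'allow' : 'deny');
}
```

Only the first sample is allowed; the other three fail on the missing hd claim, the email domain, and the hd value respectively.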
Admin UI
The plugin registers three resources (configurable):
- Filament Users
- Roles
- Permissions
They are grouped under the navigation group configured in resources.navigation_group.
Protected roles:
- super-admin and guest cannot be deleted
- The name of those roles is not editable
Base permissions:
- The package ships a migration stub add_base_permissions.php.stub that seeds default Filament permissions.
- It also creates the super-admin + guest roles if missing.
- It assigns all permissions for the guard to super-admin.
Publish and run the package migrations to create them.
Authorization:
- Policies are registered for roles, permissions, and Filament users.
- Gate checks rely on Spatie permissions like filament.users.*, filament.roles.*, filament.permissions.*.
Session Validity
The package provides two independent mechanisms to ensure sessions stay in sync with Google Workspace.
Remember me
Controls whether a persistent cookie is issued after login. When false (default), the session ends when the browser is closed.
Absolute session lifetime
Forces the user to re-authenticate with Google after a fixed delay, regardless of activity.
This is independent from Laravel's native SESSION_LIFETIME (config/session.php). Both apply simultaneously — the one that triggers first wins:
| Setting | Type | Resets on activity? |
|---|---|---|
| Laravel SESSION_LIFETIME | Idle timeout | Yes — extends on every request |
| FILAMENT_GOOGLE_SESSION_LIFETIME | Absolute timeout | No — fixed since login |
Example: SESSION_LIFETIME=120 (2h idle) + FILAMENT_GOOGLE_SESSION_LIFETIME=480 (8h absolute).
A user active all day is kicked out after 8 hours. An idle user is kicked out after 2 hours.
Important: When FILAMENT_GOOGLE_REMEMBER=true, the remember-me cookie bypasses Laravel's SESSION_LIFETIME entirely. In that case, FILAMENT_GOOGLE_SESSION_LIFETIME is the only timeout enforced.
Google account revocation detection
Periodically calls the Google OpenID Connect UserInfo endpoint (https://openidconnect.googleapis.com/v1/userinfo) to verify the user's account is still active. If the account has been deleted or suspended in Google Workspace, the user is logged out immediately.
The check uses the access_token stored in the session (valid for 60 minutes after login). After that window, session_lifetime acts as the safety net.
Timeline:
Network errors when calling the UserInfo endpoint are ignored (fail open) to avoid disrupting legitimate users during transient Google outages.
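How the idle timeout, the absolute lifetime, the 60-minute token window and the fail-open rule combine is easiest to see as a single decision function. This is an added model, not the package's own code: the function name, array keys and the 'active' / 'rejected' / 'network_error' labels are hypothetical, and the defaults are the 120/480-minute values from the example above.

```php
<?php
declare(strict_types=1);

// Added example, not the package's code: a model of the checks described
// above. Names and result labels are hypothetical.
const ACCESS_TOKEN_TTL = 3600; // seconds; the 60-minute window from the text

function sessionVerdict(array $s, int $now, int $idleMin = 120, int $absMin = 480): string
{
    $age  = $now - $s['login_at'];
    $idle = $now - $s['last_seen_at'];

    // Absolute lifetime: counted from login, never extended by activity.
    if ($age >= $absMin * 60) {
        return 're-authenticate (absolute lifetime)';
    }
    // Idle timeout: not enforced when a remember-me cookie is in use.
    if (!$s['remember'] && $idle >= $idleMin * 60) {
        return 're-authenticate (idle timeout)';
    }
    // The revocation check is only possible while the access token is valid.
    if ($age < ACCESS_TOKEN_TTL && $s['userinfo'] === 'rejected') {
        return 'logout (account revoked)';
    }
    // 'network_error' falls through: fail open.
    return 'ok';
}

// Constructed sessions: [now, last activity, remember-me, UserInfo result],
// times in minutes after a login at t = 0.
$cases = [
    'active, 30 min'         => [30, 29, false, 'active'],
    'suspended, 30 min'      => [30, 29, false, 'rejected'],
    'suspended, Google down' => [30, 29, false, 'network_error'],
    'suspended, 90 min'      => [90, 89, false, 'rejected'],
    'idle 2 h'               => [200, 80, false, 'active'],
    'idle 2 h, remember-me'  => [200, 80, true, 'active'],
    'busy all day, 8 h'      => [480, 479, true, 'active'],
];
foreach ($cases as $label => [$nowMin, $seenMin, $remember, $userinfo]) {
    $s = ['login_at' => 0, 'last_seen_at' => $seenMin * 60,
          'remember' => $remember, 'userinfo' => $userinfo];
    printf("%-24s %s\n", $label, sessionVerdict($s, $nowMin * 60));
}
```

The "suspended, Google down" and "suspended, 90 min" cases both return ok: in those situations only the absolute lifetime ends the session, which is the bound to keep in mind when choosing FILAMENT_GOOGLE_SESSION_LIFETIME.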
Notes
- This package does not use Socialite.
- All auth is OIDC with PKCE.
- If you want to disable auto-provisioning, set FILAMENT_GOOGLE_AUTO_PROVISION=false.
Testing
Tests are fully offline: Google endpoints are mocked, no real credentials are required.
All versions of filament-google-workspace-auth with dependencies
filament/filament Version ^4.0 || ^5.0
firebase/php-jwt Version ^7.0
spatie/laravel-permission Version ^6.0
spatie/laravel-package-tools Version ^1.15.0