README

Overview

Laravel Passport Authorization Core provides a domain model and use cases for structured access control on top of Laravel Passport.

Instead of implicit authorization scattered across your codebase, it offers an explicit permission model: **resources ** (user, invoice, report) + actions (read, create, delete) stored in the database as queryable facts. You implement enforcement however you need—middleware, policies, guards, custom logic.

Single source of truth. No opinions about how you validate.

The Problem

Without This Package

• Scopes are undocumented strings with no structure
• Permissions defined in code, config, and middleware—scattered
• No way to query "what can this client do?"
• Manual governance, impossible to audit
• Example: Dropbox integration created via CLI, permissions unclear, no visibility

With This Package

• Permissions stored as resource:action in the database
• Single, queryable source of truth
• Clear what each client/user can do
• Full audit trail, systematic governance
• Example: Same client, explicit permissions visible in UI, queryable via code, revokable with confidence

How It Works

1. Define Resources and Actions
2. Query & manage Grants via Use Cases
3. Implement enforcement in your app (middleware, policies, etc.)

Resources: Entities needing permission control (user, invoice, report, etc.)

Actions: Operations you control. Global (list, read, create, update, delete) or resource-specific (export, approve).

Grants: Permissions assigned to any OAuthenticatable entity (User, Client, ServiceAccount, or custom).

• Polymorphic: who has the permission?
• resource_id + action_id: which permission?
• context_client_id (optional): in context of which client?

Use Cases: Encapsulated business logic to manage permissions (see Usecase Overview).

What This Package Does

• Domain model for structured access control
• Use cases for managing permissions
• Polymorphic grant storage (User, Client, ServiceAccount, custom entities)
• Single source of truth for permissions
• Support for custom Passport models

What This Package Does NOT Do

• Enforce permissions (you implement that)
• Implement OAuth flows
• Modify Passport internals
• Assume your application architecture
• Provide UI or middleware

Requirements

• PHP ^8.4
• Laravel ^12
• Laravel Passport ^13

Installation

composer require n3xt0r/laravel-passport-authorization-core
php artisan vendor:publish --tag=passport-authorization-core-config

Documentation

• Usage – Working with resources, actions, and use cases
• Usecase Overview – Complete reference of available use cases
• Configuration – Custom Passport models, extensibility

Audit & Compliance

• Permissions are explicit database facts, not implicit configuration
• Authorization context is deterministic and queryable
• Full audit trail via activity logging
• Supports auditability requirements commonly found in ISO 27001–aligned systems.

Relationship to Filament Passport UI

This package is the domain core for Filament Passport UI:

• Core: domain model + use cases
• Filament UI: admin interface for managing permissions
• Independent evolution with stable boundary

Status

Actively developed. Feedback and contributions welcome.