Absolutely! Here’s a detailed starter kit suggestion for building a centralized authentication/authorization microservice architecture with RBAC in Laravel, using mature open-source components and best practices.
🛠️ Laravel RBAC Auth Microservices Starter Kit
Objective:
Provide a robust, ready-to-use foundation for:
- Centralized user authentication (OAuth2/JWT)
- Role-based access control (RBAC)
- API-first (web/mobile) applications
- Easy integration with external SSO (Google, Azure AD, etc.)
- Ready for separation of patient/doctor/hospital/nurse resource services
Recommended Starter Kit Components
| Component | Recommendation | Purpose |
| ------------------------- | ------------------------------------------------------------------------- | ------------------------------------------- |
| Auth API Microservice | Laravel + Passport + Spatie Permission | Login, registration, token, RBAC |
| User Management | Laravel CRUD, included in Auth service | User/role/profile/password/assignment |
| RBAC Engine | spatie/laravel-permission | Assign/check roles/permissions |
| API Gateway | Kong (OSS), or NGINX with JWT module | Token validation, routing, CORS, throttling |
| Resource Microservices | Laravel API projects | Patient, Doctor, Hospital, etc. |
| SSO/Federation (optional) | Laravel Socialite / SAML2 | Google, Azure AD, etc. |
Step 1: Start With a Boilerplate Repo
Option 1: Laravel API Boilerplate JWT (Easy Start, Modular)
Option 2: Your Own Laravel Project with Passport + Spatie
Install Laravel:
composer create-project --prefer-dist laravel/laravel my-auth-service
Install Passport:
composer require laravel/passport
php artisan migrate
php artisan passport:install
Install Spatie Permission:
composer require spatie/laravel-permission
php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider"
php artisan migrate
Add Socialite for Google/Azure SSO:
composer require laravel/socialite
Step 2: Basic Project Structure
services/
├── auth-service/ # Laravel app (Passport, Spatie, Socialite)
├── patient-service/ # Laravel API resource
├── doctor-service/ # Laravel API resource
├── hospital-service/ # Laravel API resource
└── api-gateway/ # Kong config / Nginx reverse proxy
Step 3: Configure Auth Service
- Login/Register/Password reset endpoints (
/api/login
, /api/register
, etc.)
- Token issuing via Passport (
/oauth/token
)
- Assign roles/permissions with Spatie (e.g., roles: 'patient', 'doctor', 'hospital', 'nurse')
- User claims in JWT: Passport supports custom claims if needed.
Example: Role Assignment
use Spatie\Permission\Models\Role;
$user = User::find(1);
$user->assignRole('doctor');
RBAC Middleware Example
Route::middleware(['role:doctor'])->group(function () {
Route::get('/doctor/dashboard', 'DoctorController@dashboard');
});
Step 4: Resource Microservices
- Each service (patient, doctor, hospital) is a Laravel API project.
- DO NOT handle authentication; only validate JWT on incoming requests.
- Delegate RBAC to the Auth API (e.g., via API call or by decoding JWT claims with roles).
Step 5: API Gateway (Kong/NGINX)
Kong:
- Kong JWT Plugin
- Validates JWT issued by Auth Service before forwarding request.
NGINX:
Example Kong Route for Doctor API
routes:
- name: doctor-api
paths:
- /api/doctor/
service: doctor-service
plugins:
- name: jwt
Step 6: SSO Integration (Optional)
- Use Socialite to add Google, Facebook, Azure AD login to your Auth Service.
- Map external users to internal roles on first login.
Step 7: Best Practices
- Stateless JWT: Always use Bearer tokens for web/mobile APIs.
- Short-lived access tokens, refresh tokens for long-lived sessions.
- Audit logs: Log all login, RBAC decisions.
- Zero trust: Every request validated.
- Principle of least privilege: Only assign minimum roles/permissions.
Step 8: Useful References
Pro Tip: Ready-Made SaaS/Multi-Tenant Starters
If you want a more “batteries included” SaaS-style setup, check:
Summary Table
| Feature | Out-of-the-box With Kit? | What To Add/Customize |
| --------------- | ------------------------ | ------------------------- |
| User Auth (JWT) | Yes (Passport/JWT) | None |
| RBAC | Yes (Spatie) | Custom roles per business |
| SSO | Yes (Socialite) | SAML/Azure: Add plugin |
| Central DB | Yes | Migrate/merge your users |
| Audit Log | Minimal | Add custom logging |
| API Gateway | Not in Laravel | Use Kong/NGINX separately |
| Mobile Ready | Yes (Token auth) | - |
Want a Full Sample Repo?
Let me know your preferred features, and I can assemble an open-source repo link or step-by-step “clone-and-go” guide for your use case!
Typical Next Steps for You
- Clone or scaffold a Laravel API project with Passport + Spatie + Socialite.
- Spin up sample resource microservices.
- Set up Kong or NGINX as your API gateway.
- Start integrating! (users, RBAC, mobile/web apps).
Want code snippets for a specific use case (e.g., SSO with Google, role assignment API, JWT config for Kong)? Or a full integration blueprint?
Just ask!