Verifying personal access tokens in a multi-tenant environment


I'm having the following scenario:

  1. I'm running multiple instances of the same Laravel app on different subdomains, but using the same database instance
  2. I'm using Laravel Passport for authentication and OAuth
  3. I'm running one instance of the app on a separate subdomain just for OAuth purposes (i.e. a central identity instance)
  4. I created a personal access client and the web app calls a local API endpoint to generate a personal access token
  5. What I would like to do is to be able to verify the issued personal access token from another application, by calling the identity instance API, passing in the personal access token in the Authorization header.

The problem: In point 5 this works when the personal access token was generated from the same instance/subdomain, but not if it was generated from another instance/subdomain.

So for example if I generate the personal access token from the web app running on the identity.company.com domain and then pass in the token in the Authorization header to the API running at identity.company.com then it validates the token successfully. However if I go to say instance1.company.com, generate my personal access token there and then pass it in to the API running on identity.company.com then I'm getting an Unauthorized error. As I mentioned, all instances are using the same database so that's not the problem. Is a personal access token bound in any way to the domain it was generated on?

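Added diagnostic, not part of the question above and not Laravel or Passport code. Passport's access tokens are RS256-signed JWTs, and the signing key pair is read from files in each installation (storage/oauth-private.key and storage/oauth-public.key, created by `php artisan passport:keys`), not from the shared database. One check a practitioner would run in the setup described is therefore to fingerprint the public key file of every instance and to decode the token's header and claims (without trusting them) to see which instance and client issued it. Instance names, paths under the temp directory, the placeholder key material and the sample token are all constructed for this example.

```python
"""Added diagnostic for a multi-instance Laravel Passport setup (example code,
not part of the original question).

Assumption: each installation keeps its own RSA key pair under
storage/oauth-private.key and storage/oauth-public.key, which is where
Passport writes them; a shared database does not share those files.
"""
import base64
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed placeholder key material (not real PEM keys) so the example runs
# offline; instance2 deliberately differs from identity/instance1.
SAMPLE_PUBLIC_KEY_A = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-MATERIAL-A\n-----END PUBLIC KEY-----\n"
SAMPLE_PUBLIC_KEY_B = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-MATERIAL-B\n-----END PUBLIC KEY-----\n"


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token: str) -> dict:
    # Decode header and claims WITHOUT verifying the signature. This is for
    # diagnostics only: it tells you which client id (aud) and token id (jti)
    # the issuing instance embedded, never whether the token is valid.
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    return {
        "alg": header.get("alg"),
        "aud": claims.get("aud"),
        "jti": claims.get("jti"),
        "scopes": claims.get("scopes", []),
    }


def make_sample_token() -> str:
    # Constructed stand-in for a personal access token: real header/claims
    # layout, but the signature segment is a placeholder, not an RS256 signature.
    header = {"typ": "JWT", "alg": "RS256"}
    claims = {"aud": "1", "jti": "constructed-token-id", "scopes": ["*"]}

    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


def key_fingerprint(path: Path) -> str:
    # Strip whitespace/line endings so a copied key with a trailing newline
    # still matches; fingerprint the PEM body.
    body = b"".join(path.read_bytes().split())
    return hashlib.sha256(body).hexdigest()


def compare_instance_keys(instance_dirs: dict) -> dict:
    # instance name -> fingerprint of that installation's storage/oauth-public.key.
    fps = {
        name: key_fingerprint(Path(root) / "storage" / "oauth-public.key")
        for name, root in instance_dirs.items()
    }
    return {"fingerprints": fps, "all_match": len(set(fps.values())) == 1}


def demo_key_comparison() -> dict:
    # Build three fake installations in a temp dir: identity and instance1
    # share a key, instance2 has its own (constructed data).
    root = Path(tempfile.mkdtemp())
    layout = {
        "identity": SAMPLE_PUBLIC_KEY_A,
        "instance1": SAMPLE_PUBLIC_KEY_A,
        "instance2": SAMPLE_PUBLIC_KEY_B,
    }
    dirs = {}
    for name, pem in layout.items():
        storage = root / name / "storage"
        storage.mkdir(parents=True)
        (storage / "oauth-public.key").write_text(pem)
        dirs[name] = root / name
    return compare_instance_keys(dirs)


if __name__ == "__main__":
    print(inspect_token(make_sample_token()))
    print(demo_key_comparison())
```

If `all_match` is false, a token signed by one instance cannot pass signature verification on another even though both read the same `oauth_access_tokens` table; the usual remedy is to distribute one key pair to every instance (Passport can also load it from environment variables), and `inspect_token` is only a way to see what the issuer put in the token, never a substitute for verifying it.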