Clarifications on how to use PKCE authentication with Laravel Passport

[valh1996]

Hello, I would like to have clarifications on how to use your package with Laravel Passport and more precisely the PKCE OAuth flow to authenticate each user of a tenant in a Restful API. Indeed my Restful API which implements your package only serves as an API, a separate SPA consumes this API and soon a mobile application too.

I think I managed to install Laravel Passport so that it is "Tenant aware" and that the authorization routes are linked to the tenant:

if (!$this->app->routesAreCached()) {
    Passport::routes(function (RouteRegistrar $router) {
        $router->forAuthorization();
        $router->forAccessTokens();
        $router->forTransientTokens();
    }, [
        'prefix' => '/v1/as/{domain}/oauth',
        'middleware' => ['tenant.finder']
    ]);
}

My first question is that the authorization form is in my API now which should normally return only JSON, is this the right way to do it (e.g /v1/as/my.tenant.domain.com/oauth/authorize...)?

If this is not the right way to do it, what is the way to have a multi-tenants API where we can authenticate with PKCE while respecting that my Laravel project contains only my API routes and that the frontend is in a separate project please?

[masterix21]

Are you using only one domain (ex. domain.com), or each tenant has its domain?

[valh1996]

Each tenant has its own domain and its own database.

[masterix21]

Why are you using the prefix 'prefix' => '/v1/as/{domain}/oauth', if you have the domain already? So, are you isolating the passport tables in each tenant database?

[valh1996]

I don't need to manage domains/subdomains directly in my API routes. That's why I simplify use the prefix /v1/as/{domain}. It's not really my API which is accessible from several domains. And yes, I isolate the tables in a separate database for each tenant.