Tags: laravel, amazon-web-services, laravel-5.6, laravel-passport

laravel passport invalid token during deployment on AWS


My setup is like the following: I have a frontend written in Vue.js, an API in Laravel 5.6 and the infrastructure on AWS. Everything runs in docker containers. We have 4 API containers and a Load Balancer between Frontend and API. The authentication works with Laravel Passport v5 and bearer tokens.

Basically everything works fine and authentication is successful.

But when we deploy a new version of the API it comes to the following situation: 2 API instances have version 1 and the other 2 API instances have version 2. This is intended, because we want to have continuous deployment with no downtimes. After some time the 2 v1 instances also are replaced by the new v2 instances. All instances use the same database.

Unfortunately during this time window, the authentication does not work anymore. It seems like the Frontend makes a few requests to the API with a correct new token. The Load Balancer distributes some of the requests to v1 instances, some to v2 instances. The requests to v2 instances are successful, the ones to v1 instances are not (401 unauthorized).

My question: How does passport validate the bearer token? Why can't a v1 instance validate a token which was generated by a v2 instance and vice versa? What can I possibly overlook that differs between the instances and influences passport even though they all use the same database?


Solution

  • We have solved the problem and I'll explain it for those of you who are interested: The problem is that as part of our deployment process we always call the artisan command "php artisan passport:keys" in order to make passport work in the new docker container.

    If you have a closer look at this command, it generates 2 files: oauth-private.key and oauth-public.key

    These files are crucial for the generation of bearer tokens. The thing is, if you have multiple API docker containers with different oauth-files, they cannot validate the tokens of each other.

    So the solution is to change the deployment and always deploy the same oauth-files.