Perhaps such an obvious question, but requesting an access token with Password Grant Type and 'scope' => '*'
, using Laravel 5.3 + Passport always returns the all-access token, no matter the user who requested it.
So... Where does the filtering / limiting validation logic usually reside? Can you please specify the common workflow in this situations?