In different ways, but OAuth or OpenID will suit you.
There are more than one authorization methods, for all occasions.
How it all works - open spec or posts on this topic with human language and read.
The main and most important thing is that for this you will need a service that will issue and verify tokens - either ready-made (everything in Google, for example Auth0) or your own (from open source - keycloak is quite good)
Other services and applications work with this server and trust it more than themselves . The protocols are standard, so there are libraries for all popular languages ​​/ frameworks.
True, it is not very clear why you need nodejs - JWT tokens will be issued by the OAuth server. Although if you have it written in nodejs, then it's ok.
Example:
users on the site are authorized with a name and password on the identity server (let's say this is your node), this server returns, among other things, information in the token that the user can leave comments (for example, adding scope: 'comment')
php server receives a request with a token on creating a comment, opens this token, checks with your node that this token is real (they are signed) and if real, looks to see if scope: 'comment' is there and if yes, then creates a comment.
For example, the admin will have, for example, in addition to the ability to comment, the ability to delete any comment (for example, scope: 'comment-admin') - this scope will be checked when deleting. As well as other admin rights.
You can also give comment-admin to a moderator, for example.