What I am trying to do ?
I am trying to build api for online booking flight so that other travel agency can use that api. It have function to search the flight, show the search result,book the flight and online payment.So, for the authorization I am planning to use oAuth. When the user visit the travel agency site they can search,book the flight and can do payment .Here, they don't have to authenticate for searching the flight and booking but payment is done by using third party. What I am trying to do is that when user is using the api they don't need authentication but we should authorize that the user is from valid site or not so I am using the oauth grant type client credentials
What I have done ?
I am trying to use the laravel package lucadegasperi/oauth2-server-laravel
for the oauth. I had successful install the package on my project and done configuration according to the information provided from here https://github.com/lucadegasperi/oauth2-server-laravel/wiki. I had tested to get access token using the chrome extension postman
.
What I am confused about ?
If I share the client_id and client_secret on the client side then any other user can use that client id and client secret and use our api . How can I generate the access token after user submit search button and used that token for the other process like showing search result, booking etc.
So, my question are
Am I using right grant type for authorization ? If not , which will be the suitable for this?
How can I use client_id and client_secret so that we can authorize site securely ?