
enthusiast14

Implementing API authentication and security

I made an API in my Laravel 5.8 application. These API endpoints will be consumed only by a mobile Android app, so there is only one client that will consume the API. To give security and authentication to my API I am trying to implement Laravel Passport and its OAuth2 server, but is Laravel Passport's OAuth2 server required for my scenario? Is it going to be heavy? I saw Passport's password credentials grant makes things a little easier when generating a token instead of going through the OAuth2 authorization code flow, but for this I think I need to involve a user in the users table.

Whatever way is used to generate the access token, isn't it possible to generate a token without relating it to any user in the users table, but involving other credentials like a client ID and secret and others? I am saying this because when the app makes an API request including that token, database checks are made in my Laravel application to verify the token, and that slows down the app more.

Waiting for kind replies from Laravel API experts. My concern is API security and the best way to implement my goal.

0 likes
3 replies
bobbybouwmann

You only need a client credentials token for your app. Using the client_id and client_secret you can retrieve an access token which you can use for your requests. Everything you need for that can be found in the documentation.

Documentation: https://laravel.com/docs/5.8/passport#client-credentials-grant-tokens

One important thing is that the client_id and client_secret should be available inside your mobile app. You need to make sure this data is saved in a secure way to prevent people from decompiling your code and seeing the credentials.

1 like
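The client credentials flow bobbybouwmann describes, as an added example that is not code from this thread or from the Passport package. It assumes a client credentials client has already been created (oauth_clients row, no users row), a hypothetical /api/orders route, and placeholder client values:

```php
<?php
// Added example for Laravel 5.8 + Passport: protecting an API with a client credentials token.

use Laravel\Passport\Http\Middleware\CheckClientCredentials;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// --- app/Http/Kernel.php (excerpt): expose Passport's client credentials check as 'client'.
class Kernel extends \Illuminate\Foundation\Http\Kernel
{
    protected $routeMiddleware = [
        // ... existing entries ...
        'client' => CheckClientCredentials::class,
    ];
}

// --- routes/api.php: no user session is involved; only a valid client token is required.
// (Assumed route; the RouteServiceProvider prefixes it with /api.)
Route::get('/orders', function (Request $request) {
    return response()->json(['orders' => []]);
})->middleware('client');

// --- Token request as the mobile app would make it (shown here with Guzzle from PHP).
// Placeholder values: the real id/secret belong to the oauth_clients row.
// Anything shipped inside the APK can be extracted, so the secret identifies the app,
// it does not prove who is holding it; scope the token narrowly and rotate the secret.
$guzzle = new GuzzleHttp\Client;
$response = $guzzle->post('https://example.test/oauth/token', [
    'form_params' => [
        'grant_type'    => 'client_credentials',
        'client_id'     => 'CLIENT_ID_PLACEHOLDER',
        'client_secret' => 'CLIENT_SECRET_PLACEHOLDER',
        'scope'         => '',
    ],
]);
$accessToken = json_decode((string) $response->getBody(), true)['access_token'];

// --- Subsequent API calls. Passport verifies the JWT signature with the server's key
// locally, then checks oauth_access_tokens for revocation: that lookup is the
// per-request database hit the original poster is asking about.
$api = $guzzle->get('https://example.test/api/orders', [
    'headers' => [
        'Authorization' => 'Bearer ' . $accessToken,
        'Accept'        => 'application/json',
    ],
]);
```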
martinbean

isn't it possible to generate token without relating any user in users

@enthusiast14 Well exactly who are you authenticating if not a user? That’s the entire point of OAuth: to allow users to give access to a trusted client (such as your Android app). So if you have no users, why do you need tokens?

enthusiast14

@bobby but it still checks the database to verify the token when a request comes to the API, right? Are there any ways to reduce the database checking time, like a cache?
