Laravel 5.1: How to use oauth2-server-laravel?

What am I trying to do?
I am trying to build an API for online flight booking so that other travel agencies can use it. It has functions to search for flights, show the search results, book a flight and pay online. So, for authorization I am planning to use OAuth. When users visit the travel agency site they can search, book a flight and make a payment. Here, they don't have to authenticate for searching and booking, but payment is done through a third party. What I am trying to do is that when a user is using the API they don't need authentication, but we should authorize whether the user is from a valid site or not, so I am using the OAuth client credentials grant type.

What have I done?
I am trying to use the Laravel package lucadegasperi/oauth2-server-laravel for OAuth. I have successfully installed the package in my project and configured it according to the information provided here: https://github.com/lucadegasperi/oauth2-server-laravel/wiki. I have tested getting an access token using the Chrome extension Postman.

What am I confused about?
If I share the client_id and client_secret on the client side, then any other user can take that client ID and client secret and use our API. How can I generate the access token after the user clicks the search button and use that token for the other steps, like showing search results, booking, etc.?

So, my questions are:

  1. Am I using the right grant type for authorization? If not, which one would be suitable for this?

  2. How can I use client_id and client_secret so that we can authorize the site securely?

You can write a wrapper application that will contain your client_id and client_secret. Your wrapper application will manage the access token as well.

The idea is:

Whenever a request comes to your wrapper, it checks whether an access token exists in the cache. If yes, it takes that token, makes the final request to your application, and grabs data based on your token.

If the token doesn't exist in the cache, the wrapper app makes a token request based on your client_id and client_secret, gets a token, and stores it for the next call.

This way, your application does not expose your credentials and token publicly.
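
The caching wrapper described in this answer, sketched as an added example (not part of the original answer or of the oauth2-server-laravel package). It assumes PHP 8+; the class name `TokenBroker`, the `skew` parameter and the injected closure standing in for the client-credentials token request are hypothetical, and the sample credentials and tokens are constructed.

```php
<?php
// Added example: the wrapper holds client_id/client_secret server-side and
// reuses one access token until shortly before it expires.
final class TokenBroker
{
    private ?string $token = null;
    private int $expiresAt = 0;

    public function __construct(
        private string $clientId,
        private string $clientSecret,
        private \Closure $requestToken, // fn(id, secret): ['access_token' => ..., 'expires_in' => ...]
        private int $skew = 30          // refresh this many seconds before expiry
    ) {}

    public function token(?int $now = null): string
    {
        $now ??= time();
        if ($this->token === null || $now >= $this->expiresAt - $this->skew) {
            $resp = ($this->requestToken)($this->clientId, $this->clientSecret);
            if (empty($resp['access_token']) || empty($resp['expires_in'])) {
                throw new \RuntimeException('token endpoint returned no usable token');
            }
            $this->token = $resp['access_token'];
            $this->expiresAt = $now + (int) $resp['expires_in'];
        }
        return $this->token;
    }

    // Drop the cached token, e.g. after the API answers 401 for it.
    public function invalidate(): void
    {
        $this->token = null;
    }
}

// Constructed stand-in for the POST to the token endpoint with
// grant_type=client_credentials; a real wrapper would do the HTTP call here.
$calls = 0;
$fakeEndpoint = function (string $id, string $secret) use (&$calls): array {
    $calls++;
    return ['access_token' => "constructed-token-$calls", 'expires_in' => 3600];
};

$broker = new TokenBroker('constructed-client-id', 'constructed-secret', $fakeEndpoint);
$t0 = 1000000;
echo $broker->token($t0), "\n";          // first call requests a token
echo $broker->token($t0 + 60), "\n";     // still valid: served from cache
echo $broker->token($t0 + 3590), "\n";   // inside the skew window: refreshed
echo "token requests made: $calls\n";
```

In a PHP web application the object lives for a single request, so the token and its expiry would be kept in a shared server-side cache store rather than in object properties. The browser only ever talks to the wrapper, so neither the credentials nor the token reach the client side.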