Let's consider the following scenario:
1) We have a Laravel Web-API app
2) We have our own mobile app
3) We have a "Login-With-FB" feature in our mobile app.
What we want is to allow the user of the mobile app to register/login using either of these two methods:
1) Credentials: email and password
2) Using the Login-With-FB feature
Using Passport:
1) We issue a Client_ID and CLIENT_SECRET to be able to identify our mobile app - this way someone using PostMan could not make a request (if he cannot find the Client_ID and CLIENT_SECRET). This is also useful if in the future we want to open up our API to third-party applications.
2) For the "credentials" case, we use Passport's password grant and we issue an access_token to the user.
The issue is what we do with the Login-With-FB feature. What about the following:
a. The user logs in to FB using our mobile app.
b. FB sends to our mobile app the user's data (email, FB-ID, FB-access-token)
c. Our mobile app sends to our Laravel-web-API-app the user's data.
d. Laravel checks if the user with email and FB-ID exists. If the user exists, Laravel logs him in and creates a token and returns it to the mobile app. If the user doesn't exist we go to the next step.
e. Laravel uses Socialite's userFromToken(FB-access-token) method to retrieve the user's data from FB.
f. Laravel creates the user and creates a token and returns it to the mobile app.
What do you think of the above flow? And how could Laravel create a token with Passport in steps (d) and (f)? I know that with JWT there is a method JWTAuth::fromUser($user). Does Passport have something similar?
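As an added example (not code from the original post), here is how steps (d) to (f) could look as a Laravel controller action, with Passport's personal access tokens playing the role of JWTAuth::fromUser(). It assumes a `User` model in `App\Models` that uses Passport's `HasApiTokens` trait, has `email` and `facebook_id` columns in `$fillable`, and that a personal access client has been created with `php artisan passport:client --personal`; the route and controller names are made up for the example.

```php
<?php
// Added example: Login-With-FB endpoint for a Laravel API using Socialite + Passport.
// Assumes App\Models\User uses Laravel\Passport\HasApiTokens and has a facebook_id column.

namespace App\Http\Controllers\Auth;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Str;
use Laravel\Socialite\Facades\Socialite;

class FacebookLoginController
{
    public function login(Request $request)
    {
        $request->validate(['fb_access_token' => 'required|string']);

        // Step e first: verify the Facebook token server-side. The email and FB-ID
        // used below come from Facebook's answer, not from the mobile client's request
        // body, so a client cannot claim someone else's identity by sending their email.
        try {
            $fbUser = Socialite::driver('facebook')
                ->userFromToken($request->input('fb_access_token'));
        } catch (\Exception $e) {
            return response()->json(['error' => 'invalid_facebook_token'], 401);
        }

        // Step d: look up the account by the stable FB-ID; fall back to the email
        // Facebook reported, which links a user who first registered with credentials.
        $user = User::where('facebook_id', $fbUser->getId())->first()
            ?? User::where('email', $fbUser->getEmail())->first();

        // Step f: create the account when it does not exist yet. The random password
        // keeps the password grant unusable for this account until the user sets one.
        if ($user === null) {
            $user = User::create([
                'name'        => $fbUser->getName(),
                'email'       => $fbUser->getEmail(),
                'facebook_id' => $fbUser->getId(),
                'password'    => bcrypt(Str::random(40)),
            ]);
        } elseif ($user->facebook_id === null) {
            $user->forceFill(['facebook_id' => $fbUser->getId()])->save();
        }

        // Passport's counterpart to JWTAuth::fromUser(): issue a personal access token
        // for this user directly, without going through the password grant.
        $token = $user->createToken('mobile-app')->accessToken;

        return response()->json(['token_type' => 'Bearer', 'access_token' => $token]);
    }
}
```

The same `createToken()` call covers step (d) for existing users and step (f) for newly created ones; the token is then sent by the mobile app as a `Bearer` header, exactly like one obtained through the password grant.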