16

I'm starting a new project soon, which is targeting mobile application for all major mobile platforms (iOS, Android, Windows). It will be a client-server architecture.

The app is both informational and transactional. For the transactional part, they're required to have an account and log in before a transaction can be made. I'm new to mobile development, so I don't know how the authentication part is done on these platforms. The clients will communicate with the server through a REST API. Will be using HTTPS of course.

I haven't yet decided if I want the user to log in when they open the app, or only when they perform a transaction.

I got the following questions:

1) Like the Facebook application, you only enter your credentials when you open the application for the first time. After that, you're automatically signed in every time you open the app. How does one accomplish this? Just simply by encrypting and storing the credentials on the device and sending them every time the app starts?

2) Do I need to authenticate the user for each (transactional) request made to the REST API or use a token based approach?

Please feel free to suggest other ways for authentication.

Thanks!

supercell
  • 1,497
  • 3
  • 12
  • 11

1 Answer

14

You pass the username/password to the login method of your RESTful API and it returns an access token. That access token is just some unique (for the system) string.

The device stores (persists) that access token. Each time you send a RESTful request to the server you put that access token in a header of the HTTP request. The server finds the user by access token and on success fulfills the request.

The username/password must not be stored on the device.

c-smile
  • 391
  • 2
  • 7
  • Is it possible for third parties (hackers, etc.) to get hold of the access token? – supercell Nov 11 '13 at 09:35
  • That's possible, of course. Especially if you are not using HTTPS. Most online email clients ask you to re-login from time to time. The token has an expiration time set to two weeks, for example. So once every two weeks you will need to re-login. – c-smile Nov 11 '13 at 18:36
  • How will the access token be generated, and will the access token be saved on the server? – Ghyath Serhal Feb 07 '15 at 10:46
  • @c-smile Facebook never asked me to re-login. Therefore, I don't really see the difference between a password and an access token. – manash Apr 29 '15 at 18:06
  • I know this is quite late, but Facebook and other providers issue a refresh token, an access token and an expiry time (for the access token) at the time of login. The access token is short-lived and a new access token can be generated using the refresh token. The next login can create a new refresh token, making the old one invalid. – Cerlin Apr 01 '16 at 13:06
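The server side of the flow the answer describes (login returns an opaque token, the client sends it back in a header, the server maps it to a user, and the token expires as the comments discuss), as an added example that is not part of the answer or of any library. It assumes a `Bearer` `Authorization` header, an in-memory store standing in for the server database, PBKDF2 for password hashing, and a `now` parameter so expiry can be exercised without waiting; these are illustration choices, not requirements of the approach. The server stores only a SHA-256 hash of each token, so a copy of the token table alone is not enough to impersonate a user.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "database" for this example; a real server would use
# persistent storage. Passwords are kept as salted PBKDF2 hashes, never in clear.
USERS = {}    # username -> (salt, pbkdf2_digest)
TOKENS = {}   # sha256(token) -> {"user": username, "expires": unix_time}

ACCESS_TOKEN_LIFETIME = 14 * 24 * 3600   # two weeks, the figure used in the comments

def _password_digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _password_digest(password, salt))

def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(_password_digest(password, salt), digest)

def _token_key(token):
    # the server only ever stores the hash of a token, not the token itself
    return hashlib.sha256(token.encode()).hexdigest()

def login(username, password, now=None):
    """Login endpoint: returns an opaque access token, or None on bad credentials."""
    if not verify_password(username, password):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)             # 256 bits from the OS CSPRNG
    TOKENS[_token_key(token)] = {"user": username,
                                 "expires": now + ACCESS_TOKEN_LIFETIME}
    return token

def authenticate(headers, now=None):
    """Resolve a request's Authorization header to a username, or None if
    the token is missing, unknown or expired (expired tokens are purged)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    key = _token_key(auth[len("Bearer "):])
    rec = TOKENS.get(key)
    if rec is None:
        return None
    now = time.time() if now is None else now
    if now >= rec["expires"]:
        TOKENS.pop(key, None)                      # client must log in again
        return None
    return rec["user"]

def logout(token):
    """Revoke a token server-side; returns True if it was active."""
    return TOKENS.pop(_token_key(token), None) is not None

if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    tok = login("alice", "correct horse battery staple")
    print("authenticated as:", authenticate({"Authorization": "Bearer " + tok}))
```

On the client, the token belongs in the platform's protected storage (the iOS Keychain or the Android Keystore-backed store) rather than a plain preferences file; it is still the only thing that needs to be kept, and the password itself is never persisted, which is the point the answer makes.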