I need to implement an authentication and authorization mechanism for my REST API. It is access to a resource, which is accessed from a mobile application and a web application.
The mechanism that I would like to implement:
So, in my understanding, I use password-based authentication. The JavaScript mobile app or web app sends the username and password in an HTTPS request to obtain a token that is valid for a limited time.
Problem
- Because the access token expires after 1 hour or so, the end user will again be asked to enter a username and password. This is unacceptable.
- If we increase the token lifetime, then if someone obtains the token, he can get access to the REST API for a while. Since the web application is a JavaScript application, the token is easily readable in the page source.
So, I'm trying to understand how applications like Facebook and Twitter implement authorization for their native mobile applications. They remember the access token forever, storing it in local storage. Thus, if some malicious application has root access to the Android phone, it can access the tokens.
What improvements to the above mechanism would make it work for a standalone web application developed in JavaScript and for Android applications?
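The mechanism the question describes (password in, time-limited token out) and the two problems it raises are illustrated below in an added example that is not part of the original post. It shows one common way to reconcile them: the client keeps a short-lived, HMAC-signed access token, and a separate opaque refresh token that is stored hashed on the server, rotated on every use, and whose reuse revokes the whole token family. The user record, the PBKDF2 parameters, the in-memory stores and the 30-day refresh lifetime are assumptions for illustration, not anything from the question.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

ACCESS_TTL = 3600              # access token lifetime in seconds (the "1 hour" from the question)
REFRESH_TTL = 30 * 24 * 3600   # refresh token lifetime in seconds (assumed value)
SERVER_KEY = secrets.token_bytes(32)  # HMAC key for access tokens; in production load from config


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 password hash; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


# Constructed user database with a single user (assumption for the example).
_salt, _digest = hash_password("correct horse battery staple")
USERS = {"alice": (_salt, _digest)}

# Server-side refresh token store: sha256(token) -> record. Only the hash is stored,
# so a leaked database copy does not yield usable refresh tokens.
REFRESH_STORE = {}


def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(user, now=None):
    """Self-contained access token: base64(payload).base64(HMAC). Short-lived by design."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now + ACCESS_TTL)},
                         separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, "sha256").digest()
    return _b64(payload) + "." + _b64(tag)


def verify_access_token(token, now=None):
    """Returns the subject if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        p, t = token.split(".")
        payload, tag = _unb64(p), _unb64(t)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, payload, "sha256").digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims["sub"]


def _issue_refresh_token(user, family, now):
    raw = secrets.token_urlsafe(32)   # opaque, high-entropy, no claims inside
    REFRESH_STORE[hashlib.sha256(raw.encode()).hexdigest()] = {
        "user": user, "exp": now + REFRESH_TTL, "family": family, "used": False}
    return raw


def login(username, password, now=None):
    """Password authentication; on success returns an access token and a refresh token."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    if rec is None:
        hash_password(password, b"\0" * 16)   # burn the same time as a real check
        return None
    salt, digest = rec
    if not hmac.compare_digest(hash_password(password, salt)[1], digest):
        return None
    family = secrets.token_hex(8)   # ties all rotations of this session together
    return {"access_token": issue_access_token(username, now),
            "refresh_token": _issue_refresh_token(username, family, now)}


def refresh(refresh_token, now=None):
    """Rotate: a refresh token is valid exactly once. Reuse means theft: revoke its family."""
    now = time.time() if now is None else now
    rec = REFRESH_STORE.get(hashlib.sha256(refresh_token.encode()).hexdigest())
    if rec is None or rec["exp"] <= now:
        return None
    if rec["used"]:
        for key, r in list(REFRESH_STORE.items()):
            if r["family"] == rec["family"]:
                del REFRESH_STORE[key]
        return None
    rec["used"] = True
    return {"access_token": issue_access_token(rec["user"], now),
            "refresh_token": _issue_refresh_token(rec["user"], rec["family"], now)}
```

With this split, the token the JavaScript or Android client presents on every request is worth only an hour to whoever steals it, the user is never asked for the password again while the refresh token is alive, and a refresh token that is copied off a device and replayed after the legitimate client has already rotated it causes both copies to be invalidated rather than granting long-term access. It does not protect against an attacker with root on the phone who reads the tokens before they are used; no scheme that keeps a bearer secret on the device can.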