Suppose I have a REST API backend and it is used by a mobile app. Authentication is based on tokens (JWT) with an expiration time. The mobile app user does not want to enter credentials so often, even for weeks. On the other side, I think a token must not have an expiration time of more than 24 hours or so. If I do not include token invalidation on the backend (which imposes session management on a REST server), what options are available and what are the pros and cons of each one?
What about forcing the mobile app to log in automatically behind the scenes if the token is expired? In this way the user name and password must be saved somewhere in the mobile app, which I'm not sure is a good idea.
Our back-end is an ASP.NET Core Web API and the current mobile app is Xamarin.iOS.
Best Answer
No, it is not a good idea to store the user's password. Saving the password is easy to get wrong and creates another attack vector (storage on mobile device). Though they shouldn't, many users use the same password for multiple services. So a compromise of their password for your service could also expose their data for other services. You can't really protect the user from their bad habits, but storing a password in your app is very avoidable.
What you probably want is a refresh token. This concept is a part of the OAuth2 spec. These can be used to keep the user "logged in" without keeping their password or requiring long token expirations. You can also effectively "log off" a user by deauthorizing their refresh token, provided you are using short access token lifetimes.
The way it works:
If you aren't already, I would highly recommend externalizing authentication and authorization (not implementing it yourself). There are several cloud providers which do this as a service (e.g. Auth0). For .NET Core there is also IdentityServer4, which you can host yourself. I do not have experience with ASP.NET Core Identity, but at a cursory glance it does not automatically come with OpenID Connect and OAuth2 features. You have to do integration steps with other providers (like IdentityServer4) to get that.
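The refresh-token flow the answer describes, shown as an added example that is not part of the original answer and not the API of any of the products it names. It is a self-contained Python model: access tokens are short-lived HS256 JWTs; refresh tokens are random opaque strings stored only as SHA-256 hashes on the server, rotated on every use, and revocable by a logout call. The `AuthServer` class, the in-memory `refresh_store`, the `FakeClock`, the 15-minute / 30-day lifetimes and the secret are all constructed for the example. A real ASP.NET Core deployment would get the same behaviour from IdentityServer4 or a hosted provider rather than hand-rolled signing.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 15 * 60           # access token lifetime: 15 minutes (constructed value)
REFRESH_TTL = 30 * 24 * 3600   # refresh token lifetime: 30 days (constructed value)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class FakeClock:
    """Injectable clock so expiry can be exercised without sleeping (test helper)."""
    def __init__(self, start: int = 1_700_000_000):
        self.now = start

    def __call__(self) -> int:
        return self.now


class AuthServer:
    """Toy token service: HS256 access JWTs plus server-tracked, rotating refresh tokens."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        # sha256(refresh_token) -> record. Only the hash is stored, so a leaked
        # database does not yield usable refresh tokens.
        self.refresh_store: dict[str, dict] = {}

    # --- access tokens (stateless, short-lived) -------------------------------
    def _sign(self, payload: dict) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
        sig = hmac.new(self.secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"

    def verify_access(self, token: str):
        """Return the payload if signature and expiry check out, else None."""
        try:
            header, body, sig = token.split(".")
            expected = hmac.new(self.secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(sig)):
                return None
            payload = json.loads(_b64url_decode(body))
        except (ValueError, UnicodeDecodeError):
            return None
        if payload.get("exp", 0) <= self.clock():
            return None
        return payload

    def _issue_access(self, user: str) -> str:
        now = int(self.clock())
        return self._sign({"sub": user, "iat": now, "exp": now + ACCESS_TTL})

    # --- refresh tokens (opaque, stored hashed, single-use) -------------------
    def _issue_refresh(self, user: str) -> str:
        raw = secrets.token_urlsafe(32)
        key = hashlib.sha256(raw.encode()).hexdigest()
        self.refresh_store[key] = {"sub": user, "exp": self.clock() + REFRESH_TTL, "revoked": False}
        return raw

    def login(self, user: str) -> dict:
        """Called once after the user enters credentials; the password is never stored."""
        return {"access_token": self._issue_access(user), "refresh_token": self._issue_refresh(user)}

    def refresh(self, refresh_token: str):
        """Exchange a valid refresh token for a new pair; the old refresh token is burned."""
        key = hashlib.sha256(refresh_token.encode()).hexdigest()
        rec = self.refresh_store.get(key)
        if rec is None or rec["revoked"] or rec["exp"] <= self.clock():
            return None
        rec["revoked"] = True  # rotation: reuse of an old token is rejected
        return {"access_token": self._issue_access(rec["sub"]),
                "refresh_token": self._issue_refresh(rec["sub"])}

    def logout(self, refresh_token: str) -> None:
        """Revoke the refresh token; outstanding access tokens die at their short expiry."""
        key = hashlib.sha256(refresh_token.encode()).hexdigest()
        if key in self.refresh_store:
            self.refresh_store[key]["revoked"] = True


if __name__ == "__main__":
    clock = FakeClock()
    srv = AuthServer(b"constructed-demo-secret", clock=clock)
    pair = srv.login("alice")
    print("fresh access token valid:", srv.verify_access(pair["access_token"]) is not None)
    clock.now += ACCESS_TTL + 1
    print("after 15 min, access token valid:", srv.verify_access(pair["access_token"]) is not None)
    new_pair = srv.refresh(pair["refresh_token"])
    print("refresh succeeded:", new_pair is not None)
    print("old refresh token reusable:", srv.refresh(pair["refresh_token"]) is not None)
```

The two design points worth noting are that only a hash of the refresh token is persisted (so the server-side record is useless on its own) and that every refresh burns the old token, so a stolen refresh token is detected as soon as either party tries to use it a second time. The access token stays stateless, which is what keeps the REST endpoints free of session lookups.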