Rest – Authenticate native mobile app using a REST API

Tags: authentication, mobile, rest

I'm starting a new project soon, targeting a mobile application for all major mobile platforms (iOS, Android, Windows). It will be a client-server architecture.

The app is both informational and transactional. For the transactional part, users are required to have an account and log in before a transaction can be made. I'm new to mobile development, so I don't know how the authentication part is done on these platforms. The clients will communicate with the server through a REST API. I will be using HTTPS, of course.

I haven't yet decided if I want the user to log in when they open the app, or only when they perform a transaction.

I have the following questions:

1) Like the Facebook application, you only enter your credentials when you open the application for the first time. After that, you're automatically signed in every time you open the app. How does one accomplish this? Simply by encrypting and storing the credentials on the device and sending them every time the app starts?

2) Do I need to authenticate the user for each (transactional) request made to the REST API, or use a token-based approach?

Please feel free to suggest other ways for authentication.

Thanks!

Best Answer

You pass the username/password to the login method of your RESTful API and it returns an access token. That access token is just some string that is unique within the system.

The device stores (persists) that access token. Each time you send a RESTful request to the server, you put that access token in a header of the HTTP request. The server finds the user by the access token and, on success, fulfills the request.

The username/password must not be stored on the device.
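The flow the answer describes, written out as an added example that is not code from the question or the answer: an in-memory server that verifies a password once at login, hands back a random token, and on later requests looks the user up by the token carried in the `Authorization` header. The class name `AuthServer`, the `Bearer` scheme, the one-hour lifetime and the sample user are all assumptions chosen for illustration. Two details go beyond the answer's wording but are what a practitioner would expect: passwords are stored as salted PBKDF2 hashes rather than in the clear, and the server keeps only a SHA-256 digest of each token, so a leaked token table cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time

# Assumed token lifetime; the answer does not specify one.
TOKEN_TTL_SECONDS = 3600


class AuthServer:
    """Minimal server side of the login / access-token flow (illustrative only)."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so expiry can be tested
        self._users = {}             # username -> (salt, pbkdf2 hash of password)
        self._tokens = {}            # sha256(token) -> (username, expires_at)

    @staticmethod
    def _hash_password(salt: bytes, password: str) -> bytes:
        # Salted, slow hash: the server never keeps the clear-text password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _token_key(token: str) -> str:
        # Only a digest of the token is stored; the client holds the real value.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash_password(salt, password))

    def login(self, username: str, password: str):
        """POST /login: verify credentials once, return an access token or None."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash_password(salt, password)):
            return None
        token = secrets.token_urlsafe(32)   # unguessable, unique within the system
        self._tokens[self._token_key(token)] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def authenticate(self, headers: dict):
        """Resolve the user for a request from its headers; None if not authenticated."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return None
        key = self._token_key(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() >= expires_at:
            del self._tokens[key]           # expired tokens are forgotten server-side
            return None
        return username

    def logout(self, token: str) -> bool:
        """Revoke a token; the client should discard its copy as well."""
        return self._tokens.pop(self._token_key(token), None) is not None


def demo():
    """Walk through login, an authenticated request, a bad token and expiry."""
    clock = [1_000_000.0]
    server = AuthServer(now=lambda: clock[0])
    server.register("alice", "correct horse battery staple")   # constructed sample user

    token = server.login("alice", "correct horse battery staple")
    wrong = server.login("alice", "wrong password")
    user = server.authenticate({"Authorization": f"Bearer {token}"})
    forged = server.authenticate({"Authorization": "Bearer not-a-real-token"})
    clock[0] += TOKEN_TTL_SECONDS + 1                         # advance past expiry
    expired = server.authenticate({"Authorization": f"Bearer {token}"})
    return {"token_issued": token is not None, "wrong_password": wrong,
            "user": user, "forged": forged, "after_expiry": expired}


if __name__ == "__main__":
    print(demo())
```

The device keeps only the token string (in the platform keystore), never the username and password; if the token expires or is revoked, the app prompts for credentials again and calls `login` once more.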