0

I am new to mobile development.

As i understand the best way to authenticate/give authorization to a user is using OAuth2.0 with the social providers as Facebook, Google ect ... When we enter the credentials the server returns an access token which is stored in the device so we do not need to re enter every time the credentials and it grants him the rights.

But I want to use my own user login within my own DB, I don't know where to look because everything that I read tells me to NOT store the username/password. What do I store (the token ?) and how ?

Improve this question
1

1 Answer 1

Reset to default
1

You can also set up token-based authentication with your own user database.

To create a token, you offer an endpoint like /login. This endpoint would require a username/password combination for authentication and it would return a token that is unique for the user and valid until the next time you want to ask for a password. This token can be stored in the mobile app.
All other authenticated endpoints in the backend would require the token for authentication. If you have a logout mechanism, that would just immediately mark the token as invalid.

That is the basic idea of token-based authentication. One improvement that mitigates the risk of storing a long-lived, reusable, token is to let every API call return a new token that should be used on the next call. That way, the token is single-use, which is less of a security risk, and you can easily implement a "logout if idle for X time" feature, which might be more acceptable to your users than a "login every week".

Improve this answer
2
  • The token is generated with the credentials. Let's assume user1 is new to the app and sign with Log1 Pass1. It generates the token A1b2-1223... I store in my DB name : user1, addressMail : Log1, token : A1b2-1223 ?? Commented Aug 23, 2019 at 9:34
  • @Kamil: You would store that, plus a date until when the token is valid and a hash of the password to check against when generating the token. An alternative is to use JSON Web Tokens, which don't require storing anything in the database. Commented Aug 23, 2019 at 9:55

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.