I’m working on a mobile application that needs to communicate with a separate backend server for user authentication. The app should allow users to sign in using either traditional email/password credentials or through social media platforms like Facebook, Twitter, and Google.
My main challenge is figuring out how to properly connect the mobile client authentication with the backend API authentication. After a user successfully logs in through the mobile app, I need to ensure they can access protected API endpoints.
Here’s what I want to achieve:
- User signs into the mobile app using email/password or social login
- User gets authenticated successfully
- App sends a request to GET /api/user-profile
- Backend checks if the user is properly authenticated and either returns the profile data or sends back a 403 error
What’s the best approach to handle the authentication token or session management between the mobile client and the API server? How do I verify that requests coming from the app are from authenticated users?
oauth 2.0 with refresh tokens is a solid choice. ur backend issues a short-lived access token (like 15 min) alongside a refresh token during login. store both securely in the app and send the access token with api calls. when it expires, just use the refresh token to get a new one - no need for user to log in again. it’s a bit more complex than jwt, but gives better control if u ever need to revoke access.
Use JWT tokens for authentication between your mobile app and backend. When someone logs in through your app, the backend creates a JWT with their user info and permissions. Store this token in your device’s secure keychain (not regular storage) and send it as a Bearer token in your API request headers. Your backend just validates the JWT signature and pulls user data from the token - no database lookups needed for every request. Make sure you set up token refresh since JWTs should expire after a reasonable time. This works great with regular login or social auth providers since your backend generates the same JWT format either way. Scales really well too.
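The short-lived JWT plus refresh-token flow the two answers above describe, as an added example that is not from any poster: an HS256 issuer/validator using only the Python standard library, with a placeholder secret and an in-memory refresh-token store standing in for a real secret store and database, and a `GET /api/user-profile` handler that returns 200 or the 403 from the question.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"replace-with-a-random-256-bit-key"  # placeholder: load a real key from a secret store
ACCESS_TTL = 15 * 60                            # short-lived access token (15 min)
REFRESH_STORE = {}                              # refresh_token -> (user_id, roles); server-side so it can be revoked

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(user_id: str, roles: list, now: int) -> str:
    """HS256 JWT (header.payload.signature) carrying the user info the API needs."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "roles": roles, "iat": now, "exp": now + ACCESS_TTL}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def login(user_id: str, roles: list, now: int) -> dict:
    """Runs after email/password or social login succeeds; both paths get the same token pair."""
    refresh = secrets.token_urlsafe(32)                 # opaque, only meaningful via the server-side store
    REFRESH_STORE[refresh] = (user_id, roles)
    return {"access_token": issue_access_token(user_id, roles, now), "refresh_token": refresh}

def verify_access_token(token: str, now: int):
    """Return the claims if signature and expiry check out, otherwise None (malformed tokens included)."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":  # never honour an alg chosen by the client
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):    # constant-time signature check
            return None
        claims = json.loads(b64url_decode(payload))
    except (ValueError, AttributeError):
        return None
    return claims if claims.get("exp", 0) > now else None

def get_user_profile(headers: dict, now: int) -> tuple:
    """GET /api/user-profile: 200 with profile data, or 403 as described in the question."""
    auth = headers.get("Authorization", "")
    claims = verify_access_token(auth[7:], now) if auth.startswith("Bearer ") else None
    if claims is None:
        return 403, {"error": "forbidden"}
    return 200, {"user_id": claims["sub"], "roles": claims["roles"]}

def refresh_access_token(refresh_token: str, now: int):
    entry = REFRESH_STORE.get(refresh_token)            # revoking a session = deleting its entry here
    return issue_access_token(entry[0], entry[1], now) if entry else None
```

Revocation is the reason the refresh token is opaque and stored server-side: deleting its entry ends the session once the current access token expires, which a self-contained JWT alone cannot do.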
Wait, are you handling social logins directly in ur mobile app or sending them through ur backend? That changes the token flow completely. Also, what happens when users switch devices - do they have to log in with Facebook/Google again? There’s a lot of moving pieces here.