Tags: android, ios, web-services, security

Logging in to a Web Service with a Mobile App


If you're trying to request data from an API/Web Service how do you design the login process?

If it is sensitive data, do you send a login request to the server with username+password and receive a session token or similar, or do you send username+password with every request?

Assume you do get back a session token. How do you get a fresh token without asking the user to re-enter their credentials? Do you save username+password on the device?


Solution

  • It is best to use the client credentials flow of OAuth2:

    1. show a web page with the login page
    2. the user enters username + password
    3. the page reloads and you get parameters from the new page (auth code)
    4. issue a token request with the auth code retrieved in the previous step
    5. save the token together with the refresh token
    6. use the refresh token to obtain a new token, but remember that refresh tokens will have the 'refresh_token' value set to null, so you will have to save the refresh token retrieved at the beginning to issue new tokens after they have got too old (usually 3600s)

    This: http://bshaffer.github.io/oauth2-server-php-docs/grant-types/client-credentials/ and this: http://brentertainment.com/oauth2/ will make it easier to understand and implement.
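The client-side half of steps 4 to 6 above, as an added example that is not part of the original answer or of either linked project. The authorization server here is a constructed in-memory stand-in (`FakeAuthServer`, `FakeClock`, `TokenStore` and `demo` are all names chosen for this example); a real app would POST the same `grant_type`, `code` and `refresh_token` parameters to the provider's token endpoint over HTTPS. It shows the point the answer makes in step 6: when the refresh response carries `refresh_token: null`, the client keeps the refresh token it received at the start, and the device never stores the username or password.

```python
import secrets

TOKEN_LIFETIME = 3600  # seconds, the lifetime quoted in the answer


class FakeClock:
    """Constructed clock so the example can age tokens without sleeping."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FakeAuthServer:
    """Constructed stand-in for an OAuth2 token endpoint (not a real library).
    It issues tokens for a single-use auth code and, on refresh, returns
    'refresh_token': None, the behaviour the answer warns about in step 6."""
    def __init__(self):
        self.valid_codes = set()
        self.refresh_tokens = set()
        self.tokens_issued = 0

    def issue_auth_code(self):
        # Step 3 in the answer: the code the reloaded page hands back.
        code = secrets.token_urlsafe(16)
        self.valid_codes.add(code)
        return code

    def token(self, grant_type, **params):
        if grant_type == "authorization_code":
            code = params.get("code")
            if code not in self.valid_codes:
                raise PermissionError("invalid_grant")
            self.valid_codes.discard(code)  # auth codes are single-use
            refresh = secrets.token_urlsafe(32)
            self.refresh_tokens.add(refresh)
            self.tokens_issued += 1
            return {"access_token": secrets.token_urlsafe(32),
                    "expires_in": TOKEN_LIFETIME,
                    "refresh_token": refresh}
        if grant_type == "refresh_token":
            if params.get("refresh_token") not in self.refresh_tokens:
                raise PermissionError("invalid_grant")
            self.tokens_issued += 1
            return {"access_token": secrets.token_urlsafe(32),
                    "expires_in": TOKEN_LIFETIME,
                    "refresh_token": None}
        raise ValueError("unsupported_grant_type")


class TokenStore:
    """Client-side token handling (steps 4-6). Only tokens are kept on the
    device; the username and password are never stored."""
    def __init__(self, server, clock):
        self.server = server
        self.clock = clock
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.expires_at = self.clock.now() + resp["expires_in"]
        # Keep the original refresh token when the response carries none (step 6).
        if resp.get("refresh_token"):
            self.refresh_token = resp["refresh_token"]

    def exchange_code(self, code):
        # Step 4: trade the auth code for an access token plus refresh token.
        self._store(self.server.token("authorization_code", code=code))

    def get_access_token(self, skew=30):
        # Refresh a little before expiry so an in-flight request does not fail.
        if self.access_token is None or self.clock.now() >= self.expires_at - skew:
            if self.refresh_token is None:
                raise RuntimeError("no refresh token; the user must log in again")
            self._store(self.server.token("refresh_token",
                                          refresh_token=self.refresh_token))
        return self.access_token


def demo():
    """Run the flow once: log in, let the token age past 3600s, refresh."""
    server, clock = FakeAuthServer(), FakeClock()
    store = TokenStore(server, clock)
    store.exchange_code(server.issue_auth_code())
    first = store.get_access_token()
    original_refresh = store.refresh_token
    clock.advance(TOKEN_LIFETIME + 1)      # the access token is now too old
    second = store.get_access_token()      # transparently refreshed
    return {"first": first, "second": second,
            "refresh_kept": store.refresh_token == original_refresh,
            "tokens_issued": server.tokens_issued}


if __name__ == "__main__":
    print(demo())
```

The `skew` argument refreshes shortly before the recorded expiry rather than exactly at it, which avoids a request leaving the device with a token that expires in transit; the single-use check on the auth code in the stand-in server mirrors what a real token endpoint does, so a replayed code is rejected.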