c# asp.net-core openid-connect maui

Is it possible to save user credentials in a native app?


I'm building a native mobile app that connects to an OpenID authorization server using authorization code flow with PKCE.

As this is a native app, I would like to save the user credentials locally the first time the user enters the email and password. Every time the user starts the app, the app will start the login process using a browser instance in the background.

Is this a normal flow in native apps?


Solution

  • If you are going to send the user name and password each time, you might as well do it over a non-secure channel, and without hashing/encrypting the password.

    The flow is like this: you log in and you save your token (there may be more than one). You use this token for API calls (or for different APIs).

    At start, instead of generating new tokens, you use the saved ones.

    You check if your token is expired or not. If it is expired - you make the user re-enter credentials.

    If some token for some API returns 401 (Unauthorized) (the token has been revoked for some reason), you make the user re-enter credentials.

    If something is not clear, please ask.
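
The token lifecycle described in the answer above, written out in C# as an added example (not code from the original post). `ITokenStore`, `SessionManager`, the key names and the 30-second expiry margin are assumptions made for illustration; in a MAUI app the store would be a thin wrapper over `SecureStorage.Default`.

```csharp
#nullable enable
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
// Hypothetical abstraction; in MAUI, implement it over SecureStorage.Default (GetAsync/SetAsync/Remove).
public interface ITokenStore
{
    Task<string?> GetAsync(string key);
    Task SetAsync(string key, string value);
    void Remove(string key);
}

public sealed class SessionManager
{
    private const string TokenKey = "access_token";      // assumed key names
    private const string ExpiryKey = "access_token_exp"; // stored as Unix seconds
    private readonly ITokenStore _store;
    public SessionManager(ITokenStore store) => _store = store;
    // After the code + PKCE flow completes: store the token, never the password.
    public async Task SaveAsync(string accessToken, DateTimeOffset expiresAt)
    {
        await _store.SetAsync(TokenKey, accessToken);
        await _store.SetAsync(ExpiryKey, expiresAt.ToUnixTimeSeconds().ToString());
    }
    // At app start: the saved token, or null when the user must sign in again.
    public async Task<string?> GetValidTokenAsync()
    {
        var token = await _store.GetAsync(TokenKey);
        var expiry = await _store.GetAsync(ExpiryKey);
        if (token is not null && long.TryParse(expiry, out var unix) &&
            DateTimeOffset.FromUnixTimeSeconds(unix) > DateTimeOffset.UtcNow.AddSeconds(30))
            return token;
        Clear();
        return null;
    }
    // API call with the saved token; null means expired or 401, so prompt for login.
    public async Task<HttpResponseMessage?> SendAsync(HttpClient http, HttpRequestMessage request)
    {
        var token = await GetValidTokenAsync();
        if (token is null) return null;
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        var response = await http.SendAsync(request);
        if ((int)response.StatusCode != 401) return response;
        response.Dispose();
        Clear();
        return null;
    }
    public void Clear() { _store.Remove(TokenKey); _store.Remove(ExpiryKey); }
}
```

A `null` result from `GetValidTokenAsync` or `SendAsync` is the signal to start the interactive authorization code flow again; the password itself is never written to the device.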