Mobile app authentication using REST API

Hello all,

I’m building an app (React Native for the mobile app and Elixir/Phoenix for the backend REST API). I need advice/help with authenticating …

Here’s the scenario … the user enters his phone number at login/signup and receives an OTP code as an SMS. The user enters the OTP code on the next mobile app screen. After validating the OTP code, the system sends back an access_token and refresh_token (plus other info such as token expiry data) to the mobile app, which stores the token data in React Native’s AsyncStorage.

The issue is that I’ve never done anything like this before. I’m thinking of sending the access_token as a header, as follows: Authorization: Bearer <access_token>. After the access_token expires, I use the refresh_token to re-issue a new access_token and refresh_token; this happens whenever the access_token expires.

My actual question is: should I store the access_token and refresh_token in the backend database as well, so that I can keep track of the current user’s info? I’m a novice in this area. But I read somewhere that with tokens we don’t need to use a database, as Phoenix has the capability of signing and verifying tokens.

Stay safe.

The first question I’d ask is: do you really need to use OAuth2 (and OpenID Connect)?

OAuth2 is designed to grant access to your data to third parties. Think sharing your Facebook photos with a printing service. At some point you’ll have a screen showing: “Do you agree to share the following data with myprintingservice.com?.. [x] My pictures”.

OpenID Connect is for enabling SSO (Single Sign-On) when you have several websites running on different hostnames (because an authentication cookie cannot be shared between different domains).

If you have only one mobile application communicating with one backend, you probably don’t want the additional complexity of OAuth2 / OpenID Connect. Beware of shooting yourself in the foot, though, while rolling your own solution: security is hard.

Also, OAuth2 and OpenID Connect authenticate through the browser (with the exception of the OAuth2 “Resource Owner Password Credentials” profile, which is being retired for security reasons). That means you don’t authenticate in the native app; you have to redirect to the browser. SFAuthenticationSession on iOS and Android Custom Tabs offer a quite good UI, but it may still not be acceptable from a UX / UI perspective for you (more details here).
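The following is an added example, not code from the original thread or from the Phoenix project, showing one way to implement the token flow the question describes with the “no OAuth2, just your own backend” approach the answer suggests. It uses Phoenix.Token for a short-lived, stateless access token (so the backend does not need to store access tokens) and a random, opaque refresh token whose SHA-256 hash is stored server-side (so a session can be revoked on logout and a replayed refresh token can be detected). Assumptions: `Phoenix.Token` is available, the secret key base is a placeholder, and the “database” is an in-memory map passed around explicitly so the module runs in a plain `iex -S mix` session; `TokenService`, its function names and the `store` map are all illustrative, not Phoenix API.

```elixir
# Added example (not from the original thread or the Phoenix project).
# Assumption: the secret below is a placeholder; in a real app use
# endpoint config (secret_key_base) and replace the `store` map with a DB table.
defmodule TokenService do
  # Phoenix.Token accepts a string secret_key_base (at least 20 bytes) as context.
  @secret_key_base "placeholder-secret-key-base-change-me-0123456789"
  @access_salt "access token"
  @access_max_age 15 * 60              # 15 minutes, enforced by Phoenix.Token.verify
  @refresh_max_age 30 * 24 * 60 * 60   # 30 days, enforced by the stored record

  # Called after the OTP has been validated. Returns the updated store and the
  # token data the mobile app keeps: a signed access token (nothing stored for it)
  # and an opaque refresh token whose hash is the only thing the backend keeps.
  def issue(store, user_id, now \\ System.os_time(:second)) do
    access_token =
      Phoenix.Token.sign(@secret_key_base, @access_salt, %{user_id: user_id})

    refresh_token =
      :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)

    record = %{user_id: user_id, expires_at: now + @refresh_max_age}
    store = Map.put(store, hash(refresh_token), record)

    {:ok, store,
     %{
       access_token: access_token,
       refresh_token: refresh_token,
       access_expires_in: @access_max_age,
       refresh_expires_in: @refresh_max_age
     }}
  end

  # Verify an "Authorization: Bearer <access_token>" header value.
  # No database access: the signature and max_age are checked by Phoenix.Token.
  def verify_access(authorization_header) do
    with "Bearer " <> token <- authorization_header,
         {:ok, %{user_id: user_id}} <-
           Phoenix.Token.verify(@secret_key_base, @access_salt, token,
             max_age: @access_max_age
           ) do
      {:ok, user_id}
    else
      {:error, reason} -> {:error, reason}   # :expired or :invalid
      _ -> {:error, :invalid}                # missing or malformed header
    end
  end

  # Rotate on every refresh: the presented refresh token is removed and a fresh
  # pair is issued, so a refresh token that is stolen and replayed later is
  # rejected as :invalid instead of silently minting more access tokens.
  def refresh(store, refresh_token, now \\ System.os_time(:second)) do
    case Map.pop(store, hash(refresh_token)) do
      {nil, _store} -> {:error, :invalid}
      {%{expires_at: exp}, _store} when exp <= now -> {:error, :expired}
      {%{user_id: user_id}, store} -> issue(store, user_id, now)
    end
  end

  # Logout: forget the refresh token. The access token cannot be revoked
  # (it is stateless), which is why its max_age is kept short.
  def revoke(store, refresh_token), do: Map.delete(store, hash(refresh_token))

  # Only the hash is stored, so a leaked database does not leak usable tokens.
  defp hash(token), do: :crypto.hash(:sha256, token)
end

# Usage in `iex -S mix` inside a Phoenix project:
#   {:ok, store, tokens} = TokenService.issue(%{}, 42)
#   TokenService.verify_access("Bearer " <> tokens.access_token)
#   {:ok, store, new_tokens} = TokenService.refresh(store, tokens.refresh_token)
#   TokenService.refresh(store, tokens.refresh_token)   # old token was rotated out
#   store = TokenService.revoke(store, new_tokens.refresh_token)
```

This is the usual split that answers the “should I store the tokens in the database?” question: the access token is verified purely from its signature and age, so storing it buys nothing, while the refresh token is stored (hashed) precisely because you need a server-side record to revoke it and to keep track of live sessions. On the client, note that React Native’s AsyncStorage is unencrypted; the refresh token in particular is long-lived, so the platform keychain/keystore is the better place for it.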