How to implement OAuth 2.0-like token-based authentication for a REST API accessed from mobile and JavaScript web applications

I need to implement an authentication and authorization mechanism for my REST API. This REST API is accessed from a mobile application and a web application.

Mechanism I would like to implement:
As per my understanding, I am using password-based authentication. The mobile application or JavaScript web application sends the username and password over an HTTPS POST request to obtain an access token for a limited time.

Problem

  1. As the access token expires every hour or so, the end user is asked to enter the username and password again. This is not acceptable.
  2. If we increase the lifetime of the token to a longer period, then if someone gets hold of the token they have access to the REST API for more time. As the web application is a JavaScript application, the token is easily available in plain text.

So I am trying to understand how applications like Facebook and Twitter implement authorization for their native mobile applications. Do they remember the access token forever by storing it in local storage, so that a malicious application with root access to the Android phone can access the tokens?

What are the improvements to the above mechanism to make it work both for a standalone web application developed in JavaScript and for an Android application?

Satya asked Jul 03 '14 18:07


1 Answer

Access tokens are indeed meant to be short-lived. To maintain authorization for a long period of time, OAuth2 has something called "refresh tokens".

If the provider supports it (and both Google and Facebook do), the OAuth2 consumer can request a refresh token in addition to the access token during the initial flow (Google calls that "offline access", I believe). The access token is used normally, but when it expires the consumer can request a new access token using its credentials and the refresh token.

See Google's doc for more info: https://developers.google.com/accounts/docs/OAuth2WebServer#offline.

Christophe L answered Oct 04 '22 23:10
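The flow the question describes (password grant for a one-hour access token) and the fix the answer proposes (a long-lived refresh token that is exchanged for fresh access tokens) are shown below as an added example that is not part of the original question or answer, and not code from Google, Facebook or any real provider. It is a toy in-memory token server; the user table, the 30-day refresh lifetime, the `FakeClock` and the rotation-with-reuse-detection policy are assumptions made for the example. Rotation addresses the poster's second concern: a refresh token is single-use, so a copy stolen from a JavaScript app or a rooted phone becomes useless once the legitimate client has used it, and a second presentation of the same token revokes the whole session family.

```python
import hashlib
import hmac
import secrets
import time

ACCESS_TTL = 3600               # one-hour access token, as in the question
REFRESH_TTL = 30 * 24 * 3600    # 30-day refresh token (assumed policy)
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 password hash; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class FakeClock:
    """Controllable clock so token expiry can be exercised without sleeping."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


class TokenServer:
    """Toy authorization server. Tokens are opaque random strings kept in memory.

    Access tokens expire after ACCESS_TTL. Refresh tokens are single-use and
    rotated on every refresh; all tokens from one login share a 'family' so
    that a replayed refresh token revokes the entire family.
    """

    def __init__(self, users, clock=time.time):
        self._users = users     # username -> (salt, digest)
        self._clock = clock
        self._access = {}       # access token -> {user, expires, family}
        self._refresh = {}      # refresh token -> {user, expires, family, used}

    def _issue(self, user, family):
        now = self._clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = {"user": user, "expires": now + ACCESS_TTL, "family": family}
        self._refresh[refresh] = {"user": user, "expires": now + REFRESH_TTL,
                                  "family": family, "used": False}
        return {"token_type": "Bearer", "access_token": access,
                "refresh_token": refresh, "expires_in": ACCESS_TTL}

    def _revoke_family(self, family):
        for rec in self._refresh.values():
            if rec["family"] == family:
                rec["used"] = True
        for tok in [t for t, r in self._access.items() if r["family"] == family]:
            del self._access[tok]

    def password_grant(self, username, password):
        """Username + password over HTTPS -> access token + refresh token."""
        rec = self._users.get(username)
        if rec is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown users
            return None
        salt, digest = rec
        if not hmac.compare_digest(hash_password(password, salt)[1], digest):
            return None
        return self._issue(username, family=secrets.token_hex(8))

    def authorize(self, access_token):
        """Resource-server check: returns the user or None if missing/expired."""
        rec = self._access.get(access_token)
        if rec is None or rec["expires"] <= self._clock():
            return None
        return rec["user"]

    def refresh_grant(self, refresh_token):
        """Exchange a refresh token for a new pair; the old refresh token dies."""
        rec = self._refresh.get(refresh_token)
        if rec is None:
            return None
        if rec["used"]:
            # Presented twice: replay by an attacker, or a client that lost the
            # rotated token. Either way the whole family is revoked.
            self._revoke_family(rec["family"])
            return None
        if rec["expires"] <= self._clock():
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"])

    def logout(self, refresh_token):
        rec = self._refresh.get(refresh_token)
        if rec is not None:
            self._revoke_family(rec["family"])


def demo(clock=None):
    """Walk through login, expiry, refresh and replay; returns the observations."""
    clock = clock or FakeClock()
    salt, digest = hash_password("correct horse battery staple")   # constructed user
    srv = TokenServer({"alice": (salt, digest)}, clock=clock)
    first = srv.password_grant("alice", "correct horse battery staple")
    out = {"bad_password": srv.password_grant("alice", "wrong"),
           "fresh_user": srv.authorize(first["access_token"])}
    clock.t += ACCESS_TTL + 1                    # one hour passes: access token dies
    out["expired_user"] = srv.authorize(first["access_token"])
    second = srv.refresh_grant(first["refresh_token"])   # no password prompt needed
    out["refreshed_user"] = srv.authorize(second["access_token"])
    out["replay"] = srv.refresh_grant(first["refresh_token"])   # stolen copy replayed
    out["after_replay_user"] = srv.authorize(second["access_token"])
    out["after_replay_refresh"] = srv.refresh_grant(second["refresh_token"])
    return out
```

On the client side the only change from the poster's design is that the JavaScript or Android app stores the refresh token (in Android, in the platform keystore or app-private storage rather than world-readable files) and, on a 401 from the API, calls `refresh_grant` before falling back to prompting for the password. Rotation is what makes the long-lived token tolerable: the window in which a stolen copy works ends at the next legitimate refresh, and a replay is detected rather than silently honoured.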