Wednesday, 22 April 2015

How can I authorize API access with just a Phone number and SMS Pin?

I'm creating a backend with a REST API that will be consumed from a mobile app. Because the app is mobile only, we're not using an email and password to create an account/log in, but instead a phone number; the user then receives a PIN number in an SMS message to confirm they own the number.

After I confirm the user is who they say they are with the pin number, how should I go about authenticating future API requests?

My first thought was to create a token and return it to the app. My second thought was to use OAuth, but then I'm getting confused as to which method would work with the phone number/SMS login method (2/3 leg, grants, etc.). I don't fully understand how this might work when using OAuth with our own apps (as opposed to OAuth with another provider). The token seems like the easier route.

If I use the token, is it bad to use the same token until the user logs out (over HTTPS)? I'm assuming it's worth the extra work to make them expire a little longer than the average user session.

Unfortunately there doesn't seem to be a turnkey solution that works with phone numbers. I'm using Meteor but am expecting to roll my own with Node modules (by exposing connect on the Meteor server).

Any help is greatly appreciated!

