I work with a REST API developed in PHP/Symfony2 that uses OAuth v2 authentication.
The idea is that the consumer gets an access token by means of a grant type, and that access token has an expiration time of, say, an hour. The authorization happens by passing the token, which occurs through the Authorization header.
When this access token expires, one can get another token using a refresh token or the user credentials themselves (hence the various grant types: password, refresh token, etc.).
The implementation of this protocol involves, in my case, only 4 tables: oauth_access_token (where users' access tokens are stored), oauth_client (where the clients that can get access tokens and refresh tokens are stored; you can even create clients for third parties), oauth_refresh_token (where refresh tokens are stored, which can eventually be exchanged for an access token) and oauth_auth_code.
Finally, I think this solution is well suited to granting access to your application's resources. In addition, I usually protect the connection with TLS and use basic authorization on routes that do not require an access token. :)
Search on OAuth2. Also take a look at how the authentication process works in other APIs that have permission levels, such as Google's.
– Oeslei
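An added example in PHP (not code from the answer above or from any Symfony bundle) that models the lifecycle the answer describes: issuing an access/refresh token pair, checking the Bearer token carried in the Authorization header against its expiry, and the refresh_token grant. The in-memory `$store` array stands in for the oauth_access_token and oauth_refresh_token tables; the 14-day refresh lifetime and the client and user ids are assumptions.

```php
<?php
// Added example, not from the answer: in-memory model of the token lifecycle.
// $store stands in for the oauth_access_token / oauth_refresh_token tables.
declare(strict_types=1);

const ACCESS_TTL  = 3600;     // one hour, as in the answer
const REFRESH_TTL = 1209600;  // assumption: refresh tokens live 14 days

$store = ['oauth_access_token' => [], 'oauth_refresh_token' => []];

// Token endpoint: issue a fresh access/refresh pair for a client and user.
function issueTokens(array &$store, string $clientId, string $userId, int $now): array
{
    $access  = bin2hex(random_bytes(32));   // unguessable, never derived from user data
    $refresh = bin2hex(random_bytes(32));
    $row = ['client_id' => $clientId, 'user_id' => $userId];
    $store['oauth_access_token'][$access]   = $row + ['expires' => $now + ACCESS_TTL];
    $store['oauth_refresh_token'][$refresh] = $row + ['expires' => $now + REFRESH_TTL];
    return ['access_token' => $access, 'refresh_token' => $refresh, 'expires_in' => ACCESS_TTL];
}

// Resource side: validate the "Authorization: Bearer <token>" header.
function authenticate(array $store, string $authHeader, int $now): ?array
{
    if (!preg_match('/^Bearer\s+([0-9a-f]{64})$/', $authHeader, $m)) {
        return null;                        // missing scheme or malformed token
    }
    $row = $store['oauth_access_token'][$m[1]] ?? null;
    return ($row === null || $row['expires'] <= $now) ? null : $row;  // unknown or expired
}

// Grant type "refresh_token": exchange a refresh token for a new pair and
// delete the old one so that a leaked refresh token cannot be replayed.
function refreshGrant(array &$store, string $clientId, string $refresh, int $now): ?array
{
    $row = $store['oauth_refresh_token'][$refresh] ?? null;
    if ($row === null || $row['client_id'] !== $clientId || $row['expires'] <= $now) {
        return null;
    }
    unset($store['oauth_refresh_token'][$refresh]);
    return issueTokens($store, $clientId, $row['user_id'], $now);
}

// Walk-through with constructed values (client and user ids are made up).
$now = time();
$t = issueTokens($store, 'mobile-app', 'user-42', $now);
var_dump(authenticate($store, 'Bearer ' . $t['access_token'], $now) !== null);               // token accepted while fresh
var_dump(authenticate($store, 'Bearer ' . $t['access_token'], $now + ACCESS_TTL) === null);  // rejected once the hour is up
$t2 = refreshGrant($store, 'mobile-app', $t['refresh_token'], $now + ACCESS_TTL);
var_dump($t2 !== null && refreshGrant($store, 'mobile-app', $t['refresh_token'], $now) === null); // old refresh token is single-use
```

In a real deployment the tokens would be stored hashed rather than in clear text and looked up through the database tables named in the answer, but the checks (scheme, expiry, client match, single-use refresh token) are the same.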