Newbie Question: What is a secure and accepted way for authentication and authorisation of REST API endpoints for mobile apps and SPAs? A Google search usually yields JWT, but from what I know about JWT, it's complex and doesn't support revocation of tokens easily.
There are pros and cons of JWT, but if you are OK with it, it is not complex if you use a library. JWT purists want everything on the token (no database), but if you are OK with using a database, just store the token and delete it to revoke. When authenticating, add a database query (it's not that bad) in addition to the verification of the token.
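The verify-then-look-up approach described in the reply above, as an added example that is not part of the thread: the HS256 signing, the demo key and the SQLite table of active token ids are all constructed here. Revocation deletes the row, so a token whose signature is still valid is rejected by the extra query.

```python
import base64, binascii, hashlib, hmac, json, secrets, sqlite3, time

# Demo signing key and in-memory store: both constructed for this example.
KEY = b"demo-signing-key-replace-in-production"
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE active_tokens (jti TEXT PRIMARY KEY, sub TEXT, exp INTEGER)")

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(sub: str, ttl: int = 3600, now=None) -> str:
    """Mint an HS256 JWT and record its id (jti) so it can be revoked later."""
    now = int(time.time()) if now is None else now
    claims = {"sub": sub, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(16)}
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    db.execute("INSERT INTO active_tokens VALUES (?, ?, ?)", (claims["jti"], sub, claims["exp"]))
    return f"{head}.{body}.{b64url_encode(sig)}"

def revoke(token: str) -> None:
    """Delete the token's row; its signature stays valid but the lookup will fail."""
    _, body, _ = token.split(".")
    jti = json.loads(b64url_decode(body))["jti"]
    db.execute("DELETE FROM active_tokens WHERE jti = ?", (jti,))

def authenticate(token: str, now=None):
    """Verify signature and expiry, then require the token to still be in the store."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        provided = b64url_decode(sig)
    except (ValueError, binascii.Error):
        return None
    if header.get("alg") != "HS256":  # refuse algorithm downgrades such as "none"
        return None
    expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return None
    # The extra database query the reply mentions: no row means the token was revoked.
    row = db.execute("SELECT 1 FROM active_tokens WHERE jti = ?", (claims["jti"],)).fetchone()
    return claims if row else None
```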
If you're using AWS, maybe take a look at Cognito? https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
Maybe you are interested in this page: https://sushi2k.gitbooks.io/the-owasp-mobile-security-testing-guide/content/0x04e-Testing-Authentication-and-Session-Management.html