Take a look at Resource Owner Password Credentials Grant, which is the 4th bullet point in the second link that you provided: password (user credentials).
https://www.rfc-editor.org/rfc/rfc6749#section-4.3
Simply put:
- User sends their login and password
- Server grants user access_token (equivalent to the old cookie session id)
- User sends access_token with the remainder of their requests
Also, if you want to give mobile devices access while keeping data private, I'd suggest generating "free" accounts linked to mobile MAC addresses. Then have them go through the above authentication with their MAC address as the login and the password left empty. That way you can implement the same user logic for mobile, with throttle/ban/upgrade/etc. per device.
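The three-step exchange listed above, as an added example that is not part of the original answer: an in-memory sketch of both sides, using the request parameters and error codes from RFC 6749 section 4.3 and 5.2. The `AuthServer` class, its method names, `TOKEN_TTL` and the sample account are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 3600  # seconds; assumed token lifetime for this sketch

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthServer:
    """Hypothetical in-memory token endpoint plus one protected resource."""

    def __init__(self):
        self.users = {}    # login -> (salt, password hash)
        self.tokens = {}   # access_token -> (login, expiry timestamp)

    def register(self, login, password):
        salt = secrets.token_bytes(16)
        self.users[login] = (salt, _hash(password, salt))

    def token(self, form, now=None):
        """Steps 1-2: exchange login and password for an access_token."""
        now = time.time() if now is None else now
        if form.get("grant_type") != "password":
            return 400, {"error": "unsupported_grant_type"}
        # Unknown users get a dummy salt and an empty hash that can never match.
        salt, stored = self.users.get(form.get("username", ""), (b"\0" * 16, b""))
        candidate = _hash(form.get("password", ""), salt)
        if not hmac.compare_digest(candidate, stored):
            return 400, {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)  # opaque, unguessable value
        self.tokens[access_token] = (form["username"], now + TOKEN_TTL)
        return 200, {"access_token": access_token, "token_type": "Bearer",
                     "expires_in": TOKEN_TTL}

    def resource(self, headers, now=None):
        """Step 3: later requests carry the token, never the password."""
        now = time.time() if now is None else now
        scheme, _, value = headers.get("Authorization", "").partition(" ")
        login, expiry = self.tokens.get(value, (None, 0))
        if scheme != "Bearer" or login is None or now >= expiry:
            return 401, {"error": "invalid_token"}
        return 200, {"user": login}

def demo():
    server = AuthServer()
    server.register("alice", "correct horse")  # constructed sample account
    _, body = server.token({"grant_type": "password", "username": "alice",
                            "password": "correct horse"})
    return server.resource({"Authorization": "Bearer " + body["access_token"]})
```

In a real deployment both calls would travel over TLS and the token store would be shared and persistent; the expiry check is what distinguishes the token from a never-ending session id.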