I am searching for the a best way to provide security to my clients [web-java script/mob-android app],so that authorize users/machine can only have access to my app. While searching on google I found that for authorization I can use OAuth 2.0 available from google ,
 is it adviceable to use OAuth 2.0?
 On web Client where does token stored?
on the developer site they have give that
You should write your code to anticipate the possibility that a granted token might no longer work. A token might stop working for one of these reasons: The user has revoked access. The token has not been used for six months. The user account has exceeded a certain number of token requests. There is currently a 25-token limit per Google user account. If a user account has 25 valid tokens, the next authentication request succeeds, but quietly invalidates the oldest outstanding token without any user-visible warning. If you need to authorize multiple programs, machines, or devices, one workaround is to limit the number of clients that you authorize per user account to 15 or 20. If you are a Google Apps admin, you can create additional admin users and use them to authorize some of the clients.
Using oAuth2.0 I need to have goole,facebook account or from my custom domain account say www.mysite.com/usr1 i can authenticate ?
 Once token is generated can we control its life time(How?) or it expires only after six month?
 for each google account user I can generate 25 tokens or for my google account(Account I used to create console project ) I can generate 25 tokens?
 can same token be used for multiple web client users?
Access tokens have limited lifetimes. If your application needs access to a Google API beyond the lifetime of a single access token, it can obtain a refresh token. A refresh token allows your application to obtain new access tokens.
 Is Access tokens is the same as I have generated from the console?
 from where can I get A refresh token?
any help will be appreciated!!!
thanks in advance