How to implement an OWIN Authentication server wit

Posted 2019-03-28 09:43

I am trying to implement:

  1. An MVC Web API server to return content on-demand (REST Server)
  2. A Central authentication OAuth 2.0 server (for example OWIN)
  3. An Android end-user side Application

The scenario is like this: the Android application requests content from the REST server; if its token is expired, the REST server makes a request to the authentication server to identify the client. The REST server should be registered using its own [id,secret] on the authentication server, and then the Android application should be informed to identify itself on the central authentication server using the end-user [username,password] and the Android application [id,secret].

So the REST server must be registered on the authentication server using a fixed [id,secret]. The Android application must be registered on the authentication server using a fixed [id,secret] and the end-user [username,password].

So the problem is that most samples on the web use cookie-based sessions, which cannot be used with a REST server and a non-browser end user (at least it is not recommended). I did not find a clear example explaining the implementation of this scenario or even some part of it; all that I found were some beginner code snippets. Thanks for your help.

1 answer
劫难
#2 · 2019-03-28 10:19

I recommend the posts on Token Based Authentication and Enable OAuth Refresh Tokens from Taiseer Joudeh, which teach you step by step the process of creating token-based authentication (mobile friendly, without cookie storage) and refresh tokens for managing token expiration.

Note: Don't be afraid if the post title talks about "AngularJS". You can skip this part.
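The cookie-free token endpoint the question asks for, as an added example (not code from the question, the answer, or the linked posts): an OWIN authorization server that first checks the registered client's [id,secret] and then the end user's [username,password] before issuing a bearer token. The `/token` path, the 30-minute lifetime, the `PasswordGrantProvider` name, and the two credential-check delegates with their constructed sample values are assumptions; it needs the Microsoft.Owin.Security.OAuth package.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup {
    public void Configuration(IAppBuilder app) {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions {
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30), // assumed lifetime; keep it short
            AllowInsecureHttp = false, // secrets and passwords are in the request body: HTTPS only
            // Constructed stand-ins for a credential store that would verify salted hashes.
            Provider = new PasswordGrantProvider(
                (id, secret) => id == "android-app" && secret == "constructed-secret",
                (user, password) => user == "alice" && password == "constructed-password")
        });
    }
}

public class PasswordGrantProvider : OAuthAuthorizationServerProvider {
    private readonly Func<string, string, bool> _clientOk, _userOk;
    public PasswordGrantProvider(Func<string, string, bool> clientOk, Func<string, string, bool> userOk) {
        _clientOk = clientOk; _userOk = userOk;
    }

    // Step 1: authenticate the registered application by its fixed [id,secret].
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) {
        string id, secret;
        bool sent = context.TryGetBasicCredentials(out id, out secret)
                 || context.TryGetFormCredentials(out id, out secret);
        if (sent && _clientOk(id, secret)) context.Validated(id);
        else context.SetError("invalid_client", "Unknown client or wrong secret.");
        return Task.FromResult(0);
    }

    // Step 2: authenticate the end user; runs only after step 1 validated the client.
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) {
        if (!_userOk(context.UserName, context.Password)) {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim("client_id", context.ClientId)); // records which app obtained the token
        context.Validated(identity);
        return Task.FromResult(0);
    }
}
```

The client posts `grant_type=password` with the user's credentials and its own id and secret to `/token`, then sends the returned access token in an `Authorization: Bearer` header on each REST call, so no cookie is involved.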
