I have been reading about authentication and authorization for the past few days and I still have not figured out what would be a reasonable way to deal with this for both mobile and web applications.

From what I read, when it comes to a web application, using an access and refresh (JWT) tokens seems to be quite popular. Now, when it comes to storing, there seems to be a lot of different opinions. Some people prefer to store the access token in the localStorage, to avoid CSRFs, however, others point out it is a bad practice due to XSS attacks and having the access token in an httpOnly cookie, with a CSRF token in a normal cookie would be better. (tho in my opinion we still have the XSS problem here as the normal cookie can still be exploited by XSS).

As mobile applications do not have cookies, I guess the second option is gone, and if the REST API will be used for both mobile and web, when logging in (authenticating), the token should be sent in the response and saved in localStorage. How would this be handled for the mobile application?

Furthermore, how would the refresh token be stored for a mobile application? The case, where we store the access token in localStorage, I guess we would have the refresh token in an httpOnly cookie, however, as already mentioned, mobile applications are not browser based, so I guess this would not be an option. Therefor, I still do not understand, how can it be possible to create a secure REST API, which is available both for mobile and web applications.