I’m writing an Identity Provider service with OAuth2 support. I have discovered Hydra and I found it a very exciting product. I guess Hydra is the solution in my case.
On the other hand, I have a first-party mobile app and this app is already authenticated in my service. I want to perform an automatic authentication in my web app by scanning a QR code in the web interface using the mobile app. QR codes are being generated by my service.
I’m not sure about the complete flow of this process and what it should look like. What to do after the QR code scan? How to authenticate the web app securely? Should I just send a token directly from the mobile app? Looking for some advice. Thanks.
We do this at the moment, but just with a JWT signed by our web app embedded in the QR code. We then instantly POST it back to our API, which checks it and saves the FCM token to be used in push notifications. Our mobile app doesn’t speak to our API proper yet; we’ll move to AppAuth with Hydra once I have some of my forum posts cleared up.
Make your Web app a client and then embed the access token and refresh token in the QR code.
Actually, I may have misread your post as you want the qrcode to sign them into the web app? Like WhatsApp Web?
Yes, exactly the same way WhatsApp Web does.
Have you looked at what’s inside their QR code and watched via F12 in Firefox or Chrome in the console? May give you some ideas.
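
The signed-token-in-a-QR-code approach mentioned in the thread, applied to the WhatsApp-Web-style login asked about, as an added example that is not part of any post above. It assumes an HS256 JWT built with the standard library, a 60-second lifetime, single use and in-memory stores; the function names and the `qr-login` audience are hypothetical, and the mobile caller is assumed to be already authenticated by the API.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # assumption: server-side signing key
TTL = 60                          # assumption: QR code is valid for 60 seconds
_pending = {}                     # jti -> web session waiting for a scan
_approved = {}                    # web session -> user who approved it

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    # Always HS256 with the server key; the header's "alg" is never trusted.
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_qr_token(web_session_id, now=None):
    """Server: build the JWT that the web page renders as a QR code."""
    now = int(time.time() if now is None else now)
    jti = secrets.token_urlsafe(16)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"jti": jti, "exp": now + TTL, "aud": "qr-login"}).encode())
    signing_input = f"{header}.{body}"
    _pending[jti] = web_session_id  # the token carries no credentials
    return f"{signing_input}.{_b64(_sign(signing_input))}"

def redeem_qr_token(token, mobile_user_id, now=None):
    """Server: handle the POST the mobile app sends right after scanning."""
    now = int(time.time() if now is None else now)
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{header}.{body}"), _unb64(sig)):
            return False  # forged or altered token
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return False
    if claims.get("aud") != "qr-login" or claims.get("exp", 0) <= now:
        return False  # wrong purpose or expired
    session = _pending.pop(claims.get("jti"), None)  # pop makes it single use
    if session is None:
        return False  # unknown or already redeemed
    _approved[session] = mobile_user_id
    return True

def web_session_user(web_session_id):
    """Server: the web app polls this until its session has been approved."""
    return _approved.get(web_session_id)
```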