I have doubts about what the correct scheme should be for the following technical solution. I need to authenticate a user in a mobile application by reading a QR code, the user having previously been authenticated in a web application.
The use case is that the user uses a web application located on an intranet, but needs to be able to upload images from a mobile device that will be connected to the internet. The mobile application will consume a public API exposed on the internet through an API Gateway. The API Gateway will connect to the backend to upload the images. As a requirement, when the user needs to use the mobile device to capture and upload images, they should not authenticate again, since they have an open session in the web application, and should simply use a QR code to authenticate the device. Logically, the QR code will not use the user's credentials.
My idea is to make use of OAuth 2.0 with the following flow to authenticate the mobile device:
- The web application asks the API Gateway to generate an authorization token, and it responds with a UUID.
- The web application displays the authorization token as a QR code received from the API Gateway.
- The mobile device reads the QR code and requests an access token from the API Gateway using the authorization token.
- The API Gateway validates the authorization token and generates the access token, which is returned to the mobile device.
- The mobile device makes calls to the public API (API Gateway) using the access token.
My question is whether this is the correct scheme, or whether there is another standard solution.
Thanks!!
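As an added illustration (not code from the original post), here is a minimal in-memory model of the five-step flow described above, with the checks the gateway would need on the QR authorization token: binding to the user already authenticated in the web application, a short expiry, and single use. The class and method names, the 60-second lifetime and the user "alice" are my own assumptions.

```python
import secrets
import time
import uuid


class ApiGateway:
    """Constructed model of the API Gateway side of the QR device-authorization flow."""
    QR_TOKEN_TTL = 60  # seconds (assumed); a QR left on screen soon becomes useless

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be exercised offline
        self.qr_tokens = {}       # uuid -> {"user", "expires", "used"}
        self.access_tokens = {}   # opaque bearer token -> user it was issued to

    def create_qr_token(self, user):
        """Step 1: web app, acting for an already-authenticated user, asks for a UUID."""
        token = str(uuid.uuid4())  # unguessable and bound to this user's web session
        self.qr_tokens[token] = {"user": user, "expires": self.now() + self.QR_TOKEN_TTL,
                                 "used": False}
        return token

    def exchange_qr_token(self, token):
        """Steps 3-4: mobile device redeems the scanned UUID for an access token.
        Returns None when the token is unknown, expired or already redeemed."""
        entry = self.qr_tokens.get(token)
        if entry is None or entry["used"] or self.now() > entry["expires"]:
            return None
        entry["used"] = True  # single use: a second scan of the same QR must fail
        access_token = secrets.token_urlsafe(32)
        self.access_tokens[access_token] = entry["user"]  # inherits the web user's identity
        return access_token

    def call_api(self, access_token):
        """Step 5: public API resolves the bearer token to the user owning the upload."""
        return self.access_tokens.get(access_token)


def run_flow():
    """Drive the whole exchange with a fake clock and return the observable outcomes."""
    clock = {"t": 1000.0}
    gw = ApiGateway(now=lambda: clock["t"])
    qr = gw.create_qr_token("alice")       # step 2: web app renders this UUID as a QR code
    first = gw.exchange_qr_token(qr)       # mobile device scans and redeems it
    replay = gw.exchange_qr_token(qr)      # same QR scanned again: rejected
    stale = gw.create_qr_token("alice")
    clock["t"] += ApiGateway.QR_TOKEN_TTL + 1   # QR code left on screen too long
    expired = gw.exchange_qr_token(stale)
    bogus = gw.exchange_qr_token(str(uuid.uuid4()))  # UUID the gateway never issued
    return {"user": gw.call_api(first), "replay": replay, "expired": expired, "bogus": bogus}
```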
from Mobile authentication using QR in web application