# ory-network
Has anyone started a login flow from a QR code on one device, then completed the flow through mobile or another self-service client? We are looking at this for a TV app, but it would be similar to WhatsApp or Telegram Web. The QR reader would detect a URL and begin the flow, right? Authorizing the new device?
Hey @lemon-hamburger-81270, I might be mistaken, but for something like this to work you would need the QR code to contain a magic link of sorts which then authenticates the new device (a sort of passwordless flow). We offer passwordless flows through the browser, using WebAuthn (FaceID, TouchID, hardware key), so maybe the TV could complete the flow using a hardware token as a password instead of delegating it to another device (mobile phone)? The flow you are talking about sounds very similar to the device authorization grant flow done within the OAuth 2.0 spec: https://github.com/ory/hydra/issues/2416
Hey @magnificent-energy-493, that all sounds right, yes! Thanks for helping me with the nomenclature. @few-orange-16990 and I will check into these items and the linked issue and post back here if we run into any questions along the way.
@magnificent-energy-493 how does this sound? Some important notes: Currently WebAuthn only works with a single origin, which is https://myaccount.oursite.com for the oursite.com Ory project. So we can't use it for logging into identity through the TV app. Possible solution: We can set up a new site, a complete service that handles the passwordless login process, with the same root domain (oursite.com) but a different subdomain, something like auth.oursite.com. Any app that wants to use this feature (passwordless login) just redirects the user to this site and provides a redirect_url as an input; once the user is authenticated they will be redirected back to the redirect_url, which will be the xyz site or app that is using this passwordless service. Since we're using passwordless login on the account app without OAuth, we will have to create two separate pages on this new site: one for OAuth login and one for normal login. Something like auth.oursite.com/oauth for OAuth login and auth.oursite.com/login for normal login.
@proud-plumber-24205 how does that sound? ^^
Hi @lemon-hamburger-81270, sorry for the late response. This sounds like it could work. Just some questions:
> We can set up a new site
Does this mean also setting up a new Ory project, since you have the current project's WebAuthn origin set to https://myaccount.oursite.com? If that is the case, the TV will be considered a new user inside a different project even though the cookie is issued to the same domain. Another thought I had was account linking through permissions. What if the TV just authenticates using its own machine account, but does not have access to any of the user data just yet? The TV still displays a QR code to scan, through which the user on their mobile phone is directed to your web app, where they "link" their account to the TV. Essentially this link is created through permissions, e.g. TV with uuid has access to user uuid data. The permissions can be granular and also restrict the TV from doing anything malicious with the user account. Not sure if this might be a better solution than forcing passwordless onto the TV or an input onto the TV for a session. Wdyt?