Login from a device that does not support callbacks
Hi,
I need to let users authenticate from a device that cannot receive callbacks. I was thinking that there is a way with PKCE to have an API act as an intermediary and finally call the /token with the code and the code_verifier on the client to get the token.
Here is the flow I was thinking:
/**
* 1. Device initiates authentication by launching a browser and making a GET request to the API:
* GET my-api/login?challenge=<S256_challenge>&device_id=<unique_device_id>
* - The device generates an S256 code challenge and includes it in the request along with a unique id.
*
* 2. The API redirects the user to the authorization server for login:
* Redirect to /auth?...&code_challenge=<S256_challenge>&callback=my-api/callback&state=<unique_device_id>
* - including the S256 challenge, and the device's ID as the state parameter.
*
* 3. The user completes the login process in the browser.
*
* 4. Upon successful login, the authorization server redirects the user to the API callback URL:
* my-api/callback
* - The API stores the received authorization code.
*
* 5. The device periodically polls the API to check the status of the code:
* Device makes a GET request to my-api/status?device_id=<unique_device_id>
* - The device sends its unique ID to check if the authorization code is ready.
*
* 6. The API responds with the authorization code if available:
* - The API sends the stored authorization code back to the device.
*
* 7. The device exchanges the authorization code for tokens:
* Device makes a POST request to the token endpoint:
* POST https://your_kinde_subdomain.kinde.com/oauth2/token
* - The request includes the code verifier, authorization code, client ID, and redirect URI.
*
* 8. The device receives the tokens:
* - The authorization server responds with the access token and ID token.
*/
Are there any ways to do this other than the above (if the above is possible)?
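The flow in the post, as an added Python simulation that is not part of the original post or of Kinde's code: `IntermediaryApi` (my-api) and `MockAuthServer` are constructed stand-ins, and the class and method names, the minimum length required of `device_id` and the one-time release of the code are assumptions. It shows what each party holds, so that the intermediary, which only ever sees the authorization code, can never redeem it, and why the `device_id` reused as OAuth `state` must be unguessable and single-use.

```python
from __future__ import annotations
import base64, hashlib, secrets

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def s256(verifier: str) -> str:
    """RFC 7636 S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class IntermediaryApi:
    """Hypothetical my-api: one pending login per device_id, code released once."""
    def __init__(self) -> None:
        self.pending: dict[str, str | None] = {}  # device_id -> code once received
    def login(self, challenge: str, device_id: str) -> dict:
        # device_id doubles as the OAuth state, so it must be fresh and unguessable
        if device_id in self.pending or len(device_id) < 32:
            raise ValueError("device_id/state must be fresh and high-entropy")
        self.pending[device_id] = None
        return {"code_challenge": challenge, "code_challenge_method": "S256",
                "redirect_uri": "my-api/callback", "state": device_id}
    def callback(self, code: str, state: str) -> None:
        if state not in self.pending or self.pending[state] is not None:
            raise ValueError("unknown or already-completed state")  # blocks replay
        self.pending[state] = code  # the API stores only the code, never the verifier
    def status(self, device_id: str) -> str | None:
        # None while the login is still pending; the code exactly once, then forgotten
        return self.pending.pop(device_id) if self.pending.get(device_id) else None

class MockAuthServer:
    """Constructed stand-in for the authorization server (not Kinde's code)."""
    def __init__(self) -> None:
        self.codes: dict[str, str] = {}  # code -> challenge it was issued against
    def authorize(self, req: dict) -> tuple[str, str]:  # called after the user logs in
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = req["code_challenge"]
        return code, req["state"]  # what the redirect to my-api/callback carries
    def token(self, code: str, code_verifier: str) -> dict | None:
        challenge = self.codes.pop(code, None)  # each code is redeemable once
        if challenge is None or not secrets.compare_digest(s256(code_verifier), challenge):
            return None  # a leaked code is useless without the device's verifier
        return {"access_token": "constructed-access-token", "id_token": "constructed-id"}

def run_flow(api: IntermediaryApi, authz: MockAuthServer) -> dict | None:
    verifier = b64url(secrets.token_bytes(32))   # step 1: device keeps the verifier
    device_id = b64url(secrets.token_bytes(32))
    req = api.login(s256(verifier), device_id)   # step 2: API builds the /auth request
    api.callback(*authz.authorize(req))          # steps 3-4: user logs in, AS redirects
    code = api.status(device_id)                 # steps 5-6: device polls for the code
    return authz.token(code, verifier) if code else None  # steps 7-8: device redeems
```

Because the verifier never leaves the device, anyone who can read my-api's stored codes or poll `/status` with a guessed `device_id` still cannot obtain tokens, which is the property the intermediary design relies on.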