We currently have a product that is an IoT device with no display or input method.
In order to activate it with a user account, we use a native mobile app that communicates with a Spring Boot web app that responds to the Password Flow, and sends back access+refresh tokens.
The access+refresh tokens are then sent from the mobile app to the IoT device via an encrypted channel, and the IoT device is then able to stay logged in forever by refreshing the access token on its own.
It has worked for us the past couple years because we own the mobile app/web app/IoT device. However, I’m aware that it is not optimal, and does not support federated identity (dealbreaker).
What flow would you suggest to authenticate the user on the mobile app, have the IoT device be logged on forever (unless credentials are no longer valid) and support federated identities (e.g. Facebook)?
Thank you for your replies!
Yes, I am fully aware of Device / Auth Code / Client Credentials flows and I did read that article on how to add Device Flow to Okta.
Another auth provider suggests using the Client Credentials flow for IoT (machine to machine) but I’m ambivalent… Generating a new Client ID / Secret pair for each end-user IoT product does not seem very efficient, and it would need to be matched with the customer account as well.
On the other hand, the Device Flow looks appropriate indeed, but I’m a bit confused on how the “user code” should be handled when the IoT device does not have a display. In that case, is it acceptable that the client device (IoT) returns both user_code and verification_uri to the secondary device to input them automatically during authentication?
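The Device Flow arrangement discussed above, as an added example that is not the poster's code or any vendor's SDK: the device fetches a device_code/user_code pair, hands only user_code and verification_uri to the companion app (the device_code never leaves the device), and polls the token endpoint with the authorization_pending/slow_down handling from RFC 8628. The authorization server is a constructed in-memory stub; the issuer URL, client id and endpoint method names are assumptions.

```python
import secrets
import time

class StubAuthServer:
    """In-memory stand-in for the /device_authorization and /token endpoints (constructed)."""
    def __init__(self):
        self.pending = {}  # device_code -> {"user_code", "approved", "polls"}
        self.verification_uri = "https://issuer.example/device"  # placeholder issuer
    def device_authorization(self, client_id):
        device_code = secrets.token_urlsafe(32)  # secret, stays on the device
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {"user_code": user_code, "approved": False, "polls": 0}
        return {"device_code": device_code, "user_code": user_code, "interval": 5,
                "verification_uri": self.verification_uri, "expires_in": 600}
    def approve(self, user_code):
        """The user finishes login (federated or local) at verification_uri on the phone."""
        for entry in self.pending.values():
            if entry["user_code"] == user_code:
                entry["approved"] = True
                return True
        return False
    def token(self, device_code):
        entry = self.pending.get(device_code)
        if entry is None:
            return {"error": "expired_token"}
        entry["polls"] += 1
        if not entry["approved"]:
            # Answer the second poll with slow_down to exercise the client's back-off.
            return {"error": "slow_down" if entry["polls"] == 2 else "authorization_pending"}
        del self.pending[device_code]  # device_code is single use
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(16),
                "refresh_token": secrets.token_urlsafe(16)}

def device_flow(server, client_id, hand_to_companion, sleep=time.sleep):
    """Device side: get codes, hand only user_code + verification_uri to the companion, then poll."""
    resp = server.device_authorization(client_id)
    interval = resp["interval"]
    hand_to_companion(resp["user_code"], resp["verification_uri"])
    deadline = time.monotonic() + resp["expires_in"]
    while time.monotonic() < deadline:
        sleep(interval)
        tok = server.token(resp["device_code"])
        if "access_token" in tok:
            return tok
        if tok.get("error") == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
        elif tok.get("error") != "authorization_pending":
            raise RuntimeError(tok["error"])  # access_denied / expired_token: stop polling
    raise TimeoutError("device_code expired before the user approved")
```

The companion app only needs to open verification_uri with user_code pre-filled; the device learns the outcome solely through polling, so a refused or expired authorization ends the loop with an error rather than tokens.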