We currently have a product that is an IoT device with no display or input method.
In order to activate it with a user account, we use a native mobile app that communicates with a Spring Boot web app that responds to the Password Flow, and sends back access+refresh tokens.
The access+refresh tokens are then sent from the mobile app to the IoT device via an encrypted channel, and the IoT device is then able to stay logged in forever by refreshing the access token on its own.
It has worked for us the past couple years because we own the mobile app/web app/IoT device. However, I’m aware that it is not optimal, and does not support federated identity (dealbreaker).
What flow would you suggest to authenticate the user on the mobile app, have the IoT device be logged on forever (unless credentials are no longer valid), and support federated identities (e.g. Facebook)?
Thanks in advance!
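Below is an added simulation of the flow the question describes; it is not the poster's code nor the Spring Boot app's, and the toy authorization server, user store, token format and lifetimes are constructed assumptions. It shows the mobile app performing the password grant, the hand-off of both tokens to a display-less device, the device's refresh loop ending the moment the user's credentials are revoked, and the rotation check that rejects a refresh token that has already been exchanged (the forwarded refresh token is a long-lived bearer credential, so single-use rotation and revocation are the controls that bound its exposure).

```python
"""Simulation of a password-grant token hand-off to a display-less device.

Added example; constructed toy authorization server, not a real OAuth library.
"""
import secrets
import time

ACCESS_TTL = 60                # seconds; constructed value
REFRESH_TTL = 30 * 24 * 3600   # refresh tokens are long-lived: that is the risk


class AuthServer:
    """Toy authorization server: password grant + refresh_token grant with rotation."""

    def __init__(self, users):
        self.users = dict(users)   # username -> password (toy only; never store plaintext)
        self.refresh = {}          # refresh_token -> (username, expires_at)
        self.access = {}           # access_token -> (username, expires_at)

    def _issue(self, user, now):
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(32)
        self.access[at] = (user, now + ACCESS_TTL)
        self.refresh[rt] = (user, now + REFRESH_TTL)
        return {"access_token": at, "refresh_token": rt, "expires_in": ACCESS_TTL}

    def token(self, grant_type, now=None, **params):
        """Token endpoint. `now` is injectable so the scenario is deterministic."""
        now = time.time() if now is None else now
        if grant_type == "password":
            if self.users.get(params["username"]) != params["password"]:
                return {"error": "invalid_grant"}
            return self._issue(params["username"], now)
        if grant_type == "refresh_token":
            # Rotation: a refresh token is consumed on first use, so a copy that
            # leaked from the device or the hand-off channel cannot be replayed.
            entry = self.refresh.pop(params["refresh_token"], None)
            if entry is None or entry[1] < now or entry[0] not in self.users:
                return {"error": "invalid_grant"}
            return self._issue(entry[0], now)
        return {"error": "unsupported_grant_type"}

    def revoke_user(self, user):
        """Credentials no longer valid: drop the user and every token tied to them."""
        self.users.pop(user, None)
        self.refresh = {k: v for k, v in self.refresh.items() if v[0] != user}
        self.access = {k: v for k, v in self.access.items() if v[0] != user}

    def introspect(self, access_token, now=None):
        now = time.time() if now is None else now
        entry = self.access.get(access_token)
        return entry is not None and entry[1] >= now


class Device:
    """Display-less device holding tokens it received from the mobile app."""

    def __init__(self, server, tokens):
        self.server = server
        self.tokens = tokens
        self.logged_in = True

    def refresh(self, now):
        resp = self.server.token("refresh_token", now=now,
                                 refresh_token=self.tokens["refresh_token"])
        if "error" in resp:
            self.logged_in = False   # revoked/invalid: stop, do not keep retrying
            return False
        self.tokens = resp           # store the rotated pair, discard the old one
        return True


def run_scenario(revoke_after_cycles=3, cycles=5):
    """Returns one (cycle, refresh_ok, access_token_valid) tuple per refresh cycle."""
    server = AuthServer({"alice": "correct horse"})   # constructed user
    now = 1_000_000.0
    # The mobile app performs the password grant on the user's behalf ...
    tokens = server.token("password", now=now, username="alice", password="correct horse")
    if "error" in tokens:
        raise RuntimeError("password grant failed")
    # ... and hands both tokens to the device (encrypted channel not modelled).
    device = Device(server, tokens)
    log = []
    for i in range(cycles):
        now += ACCESS_TTL + 1   # access token expired; the device refreshes on its own
        if i == revoke_after_cycles:
            server.revoke_user("alice")
        ok = device.refresh(now) if device.logged_in else False
        log.append((i, ok, server.introspect(device.tokens["access_token"], now)))
    return log


def replay_refresh_token_is_rejected():
    """Rotation check: an already-exchanged refresh token must not work again."""
    server = AuthServer({"bob": "pw"})
    first = server.token("password", now=0.0, username="bob", password="pw")
    second = server.token("refresh_token", now=1.0, refresh_token=first["refresh_token"])
    replay = server.token("refresh_token", now=2.0, refresh_token=first["refresh_token"])
    return "error" not in second and replay.get("error") == "invalid_grant"


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
    print("replay rejected:", replay_refresh_token_is_rejected())
```

The device stays logged in across refresh cycles and drops out on the first failed refresh after revocation; it never retries with a token the server has already rejected, which is also the point at which a server-side log of refresh failures per device is worth alerting on.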