~vikanezrimaya/kittybox#12: Idea: IndieAuth via push notifications

Workflow:

  1. Authorization page sends request to send a push notification
    • Heavily rate-limit this endpoint to prevent abuse
    • Should only be available if there is a push notification endpoint on file (Kittybox Companion for Android should implement this)
  2. Use UnifiedPush to send a push notification to a device already logged in
  3. Device shows an authentication prompt
    • Should contain all data related to this authorization
    • No validation should be necessary: all data was already validated by the authorization endpoint and is trusted
  4. If accepted, device pings the Authorization Endpoint with an OAuth2 token scoped to kittybox:authenticate_other_devices (scope name subject to bikeshedding)
  5. Authorization page long-polls (or receives by other means) the result and sends the authorization code to the redirect URI

Status: REPORTED
Submitter: ~vikanezrimaya
Assigned to: No-one
Submitted: 8 months ago
Updated: 8 months ago
Labels: No labels applied.
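
The server side of the workflow above (steps 1, 4 and 5), as an added example that is not Kittybox's code. The `PushAuth` type, the limits `MAX_PUSHES`, `WINDOW_SECS` and `TTL_SECS`, and the sequential request id are assumptions; UnifiedPush delivery itself is left out.

```rust
use std::collections::HashMap;

const APPROVE_SCOPE: &str = "kittybox:authenticate_other_devices"; // name from the ticket
const MAX_PUSHES: usize = 3; // assumed: pushes allowed per user per window
const WINDOW_SECS: u64 = 600; // assumed: rate-limit window
const TTL_SECS: u64 = 120; // assumed: how long a prompt may stay unanswered
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum State { Pending, Approved, Denied, Expired }
#[derive(Debug, PartialEq)]
pub enum Error { NoPushEndpoint, RateLimited, UnknownRequest, Forbidden, NotPending }
#[derive(Default)]
pub struct PushAuth {
    endpoints: HashMap<String, String>, // user -> push endpoint on file
    sent: HashMap<String, Vec<u64>>, // user -> times of recent pushes
    pending: HashMap<u64, (String, u64, State)>, // id -> (user, created, state)
    next_id: u64, // sequential for brevity; a real server needs an unguessable id
}
impl PushAuth {
    pub fn register(&mut self, user: &str, endpoint: &str) { self.endpoints.insert(user.into(), endpoint.into()); }
    // Step 1: refuse without an endpoint on file, then rate-limit per user.
    pub fn request_push(&mut self, user: &str, now: u64) -> Result<u64, Error> {
        if !self.endpoints.contains_key(user) { return Err(Error::NoPushEndpoint); }
        let log = self.sent.entry(user.into()).or_default();
        log.retain(|t| now.saturating_sub(*t) < WINDOW_SECS);
        if log.len() >= MAX_PUSHES { return Err(Error::RateLimited); }
        log.push(now);
        self.next_id += 1;
        self.pending.insert(self.next_id, (user.into(), now, State::Pending));
        Ok(self.next_id)
    }
    // Step 4: the device's token must belong to the same user and carry the scope.
    pub fn decide(&mut self, id: u64, token_user: &str, scopes: &[&str], accept: bool, now: u64) -> Result<State, Error> {
        let (user, created, state) = self.pending.get_mut(&id).ok_or(Error::UnknownRequest)?;
        if user.as_str() != token_user || !scopes.contains(&APPROVE_SCOPE) { return Err(Error::Forbidden); }
        if *state != State::Pending || now.saturating_sub(*created) > TTL_SECS { return Err(Error::NotPending); }
        *state = if accept { State::Approved } else { State::Denied };
        Ok(*state)
    }
    // Step 5: what the authorization page's long-poll sees; only Approved should yield a code.
    pub fn poll(&self, id: u64, now: u64) -> Option<State> {
        let (_, created, s) = self.pending.get(&id)?;
        Some(if *s == State::Pending && now.saturating_sub(*created) > TTL_SECS { State::Expired } else { *s })
    }
}
fn main() { // constructed walk-through: request, approve on the device, poll
    let mut s = PushAuth::default();
    s.register("alice", "https://push.example/alice");
    let id = s.request_push("alice", 0).unwrap();
    println!("{:?} -> {:?}", s.decide(id, "alice", &[APPROVE_SCOPE], true, 10), s.poll(id, 11));
}
```

Times are passed in as plain seconds so the expiry and rate-limit behaviour can be exercised deterministically.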