Mobile Login for OAuth Services
Use case: Secure authentication for RocketChat/Nextcloud apps on a (somewhat) untrusted mobile device without entering the SSO password
General idea:
- Start authentication in app, get redirected to SSO login page
- Select "Mobile Login" option
- Login page requests a unique token from the server and shows it to the user
- User logs into SSO on the laptop, selects "Authenticate Mobile Device" and enters the token
- On the laptop: Page displays a unique confirmation token
- User enters the confirmation token on the mobile device
- The OAuth authorization continues as if the user was regularly logged into the SSO, but limited to the specific OAuth service
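
A minimal server-side sketch of the token exchange described above, added here as an illustration and not taken from any existing implementation. The class and method names, the 8-character token format, the 300-second lifetime and the single-use rule are all assumptions; the description above does not specify them.

```python
import hmac
import secrets
import time

TTL = 300  # assumed token lifetime in seconds


class MobileLoginBroker:
    """Hypothetical in-memory broker for the mobile login flow."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # request token -> state

    def start(self, client_id):
        """Mobile login page: issue the unique token, bound to one OAuth service."""
        token = secrets.token_hex(4).upper()
        self._pending[token] = {"client": client_id, "user": None,
                                "confirm": None, "exp": self._now() + TTL}
        return token

    def approve(self, session_user, token):
        """Laptop with an SSO session: bind the token to the user and
        return the confirmation token to display."""
        st = self._live(token)
        if st is None or st["user"] is not None:
            return None  # unknown, expired, or already bound to a user
        st["user"] = session_user
        st["confirm"] = secrets.token_hex(4).upper()
        return st["confirm"]

    def redeem(self, token, confirm, client_id):
        """Mobile device: exchange the confirmation token for the user the
        OAuth authorization continues as, or None on failure."""
        st = self._live(token)
        if st is None or st["confirm"] is None:
            return None  # not approved yet; the request stays pending
        del self._pending[token]  # one attempt only, so the code cannot be guessed repeatedly
        same = hmac.compare_digest(st["confirm"].encode(), confirm.encode())
        # The result is limited to the OAuth service the flow was started for.
        return st["user"] if same and st["client"] == client_id else None

    def _live(self, token):
        """Return the state for a token, dropping it if it has expired."""
        st = self._pending.get(token)
        if st is not None and st["exp"] < self._now():
            del self._pending[token]
            return None
        return st
```
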