nextAuth offers several ways to let a user log in using a mobile device.
|HTML login block||Combines QR & push login in an HTML block that can be easily integrated into websites.|
|QR login||Display a QR code which the user can scan using a nextAuth-enabled mobile app.|
|Push login||Push a message to the nextAuth-enabled mobile app to trigger authentication.|
|App-to-app login||Let a user log in mobile app A by using nextAuth-enabled mobile app B on the same device.|
|In-app login||Let a user log in from inside the nextAuth-enabled mobile app.|
The session identifier (also called ‘nonce’) plays a crucial role in all login methods. It identifies the session in which a user performs actions in the application. Before logging in, a session identifier should be generated by the application, which will query the NS on the status of the session. A session identifier can be generated either server-side or client-side.
The session identifier must be unique and random (i.e. hard to guess). For this reason we recommend using a least 128 bits (16 bytes) of random data to generate the session identifier. This also makes it unlikely that two sessions have the same identifier by chance.
The session identifier should be encoded, preferably in hexadecimal or in Base64, to restrict it to a safe character set. This avoids all kinds of encoding and conversion issues, which could corrupt the session identifier.
By calling getSession with the generated session identifier, the status of the session can be checked with the NS. This method will return whether an account is logged in to the session, along with additional information about the user.
getSession method returns a JSON object
LoginStatus describing the status of the session.
LoginStatus.loggedin will be
true if an account is logged into the session,
false otherwise. It should be used by business applications or integrations with nextAuth to determine the identity of the user.
When logged in,
LoginStatus.accountid provides the ID of the logged in account. If a user is assigned to this account, and
LoginStatus.userid will return the userid (username) of that account.
Instead of having your webpage continously pull for the
LoginStatus of a session, one can also implement a websocket, where changes to the
LoginStatus are pushed to the webpage.
All login methods allow displaying contextual information to the user when approving a login. Such contextual information can include, for example, a location or IP address, a user agent (browser type, operating system).
A distinction is made between
announceinfo, which is displayed at the moment the user approves the login, and
sessioninfo, which is displayed in the overview of (active and past) sessions. You can, for example, provide more detailed information in
sessioninfo for logging purposes which is not directly useful at the moment the user decides to allow the login.