I am considering a high-level flow for the following scenario, and I would like feedback about whether it would work, whether there is a better way of implementing it, etc.
Scenario: As a user logged into account1 on webSite1 using a web browser, I want to link this account to account2 on smartPhoneApp2 (different company) using a QR code, so that account1 knows that I have a verified account with account2.
Proposed flow:

1. Customer clicks to link accounts on webSite1, which initiates a series of events on the back-end:
2. webSite1's server makes a GET request to smartPhoneApp2, passing a UUID and asking for a QR code to be generated, e.g. GET /UUIDgetQR/12345
3. smartPhoneApp2's server generates a QR code for that UUID and sends it in the response to the GET request
4. webSite1's server sends the QR code, along with the rest of the information needed to load the next web page, to the customer's browser
5a. The web browser then sends periodic GET requests for some 'linkComplete' flag, which in turn prompts webSite1's server to send periodic GET requests to smartPhoneApp2 for that same unique ID which was passed to fetch the QR code, e.g. GET /UUIDlinkInformation/12345
5b. The user authenticates into smartPhoneApp2 and scans the QR code
5c. smartPhoneApp2 sends a POST request to smartPhoneApp2's servers, containing information about the QR code (which is linked to the UUID originally sent by webSite1), smartPhoneApp2 account details and credentials, and some new UUID generated by smartPhoneApp2 which can now be passed back to webSite1 as an agreed common identifier for that individual
6. smartPhoneApp2's servers can now respond to webSite1's GET request with this new UUID, and other details about the individual if necessary.
7. webSite1's server stores the new UUID against that individual's account, and responds to the browser's GET requests to flag that linking is complete, prompting it to load the success page.
Any comments very much appreciated.
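The flow described in the question, as an added in-memory simulation (editor's example, not code from the poster or from either company): both back ends are modelled as Python classes, the browser's polling is modelled by repeated calls to `poll_link_complete`, and, as an assumption beyond the post, the QR payload is a random single-use token with an expiry rather than the request UUID itself, so a scanned or expired code cannot complete a second link.

```python
import secrets
import time
import uuid


class App2Server:
    """smartPhoneApp2's back end: issues QR payloads for a link request (step 3)
    and records the scan (step 5c) so step 6 can report it."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.pending = {}    # qr_token -> (webSite1 request id, expiry time)
        self.completed = {}  # webSite1 request id -> details returned in step 6

    def get_qr(self, request_id):
        # Assumption: the QR payload is a random single-use token, not the UUID.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (request_id, time.time() + self.ttl)
        return token

    def scan(self, token, account2_id):
        entry = self.pending.pop(token, None)  # pop makes the token single-use
        if entry is None or time.time() > entry[1]:
            return False  # unknown, reused or expired code
        request_id, _ = entry
        self.completed[request_id] = {"common_id": str(uuid.uuid4()),
                                      "account2": account2_id}
        return True

    def link_information(self, request_id):
        return self.completed.get(request_id)  # None while still pending


class WebSite1Server:
    """webSite1's back end: starts the link (step 2) and polls for it (step 5a)."""

    def __init__(self, app2):
        self.app2 = app2
        self.requests = {}  # request id -> account1
        self.links = {}     # account1 -> common id stored in step 7

    def start_link(self, account1):
        request_id = str(uuid.uuid4())
        self.requests[request_id] = account1
        return request_id, self.app2.get_qr(request_id)

    def poll_link_complete(self, request_id):
        info = self.app2.link_information(request_id)
        if info is None:
            return False  # browser keeps polling
        self.links[self.requests[request_id]] = info["common_id"]
        return True
```

The sample walk-through in the test uses constructed account names; a real deployment would back the dictionaries with persistent storage and authenticate the server-to-server calls.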