Login methods

nextAuth offers several ways to let a user log in using a mobile device.

Login method | Description
HTML login block | Combines QR & push login in an HTML block that can be easily integrated into websites.
QR login | Display a QR code which the user can scan using a nextAuth-enabled mobile app.
Push login | Push a message to the nextAuth-enabled mobile app to trigger authentication.
App-to-app login | Let a user log in to mobile app A by using nextAuth-enabled mobile app B on the same device.
In-app login | Let a user log in from inside the nextAuth-enabled mobile app.

Session identifier

The session identifier (also called ‘nonce’) plays a crucial role in all login methods. It identifies the session in which a user performs actions in the application. Before logging in, a session identifier should be generated by the application, which will query the NS on the status of the session. A session identifier can be generated either server-side or client-side.

Generating a session identifier

The session identifier must be unique and random (i.e. hard to guess). For this reason we recommend using at least 128 bits (16 bytes) of random data to generate the session identifier. This also makes it unlikely that two sessions have the same identifier by chance.

The session identifier should be encoded, preferably in hexadecimal or in Base64, to restrict it to a safe character set. This avoids all kinds of encoding and conversion issues, which could corrupt the session identifier.

Checking if a user is logged in to a session

By calling getSession with the generated session identifier, the status of the session can be checked with the NS. This method will return whether an account is logged in to the session, along with additional information about the user.

The getSession method returns a JSON object LoginStatus describing the status of the session. LoginStatus.loggedin will be true if an account is logged into the session, false otherwise. It should be used by business applications or integrations with nextAuth to determine the identity of the user.

When logged in, LoginStatus.accountid provides the ID of the logged-in account. If a user is assigned to this account, LoginStatus.userid will return the userid (username) of that account.

Instead of having your webpage continuously poll for the LoginStatus of a session, one can also implement a websocket, where changes to the LoginStatus are pushed to the webpage.
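The following is an added example (not nextAuth's own code or SDK) that ties together the two steps above: generating a 128-bit hex-encoded session identifier, and deriving the user's identity strictly from a LoginStatus object while polling. The `get_session` callable and the NS responses are constructed stand-ins, not the real nextAuth API.

```python
import json
import re
import secrets

SESSION_ID_BYTES = 16  # 128 bits of randomness, as recommended above
_HEX_SESSION_ID = re.compile(r"[0-9a-f]{32}")

def generate_session_id() -> str:
    """Create a fresh, unguessable session identifier (nonce), hex-encoded."""
    return secrets.token_bytes(SESSION_ID_BYTES).hex()

def is_well_formed_session_id(value) -> bool:
    """Accept only the exact encoding we produce, so a truncated or tampered id is never sent to the NS."""
    return isinstance(value, str) and _HEX_SESSION_ID.fullmatch(value) is not None

def identity_from_login_status(login_status: dict):
    """Return the identity from a LoginStatus object, or None when nobody is logged in.
    Only the boolean True in loggedin counts; a userid on its own never does. accountid is
    mandatory once loggedin is true; userid is optional (set when a user is assigned)."""
    if login_status.get("loggedin") is not True:
        return None
    if login_status.get("accountid") is None:
        raise ValueError("LoginStatus.loggedin is true but accountid is missing")
    identity = {"accountid": login_status["accountid"]}
    if login_status.get("userid"):
        identity["userid"] = login_status["userid"]
    return identity

def wait_for_login(get_session, session_id: str, max_polls: int):
    """Poll get_session(session_id), a hypothetical callable returning LoginStatus as
    JSON text, until an account is logged in or max_polls is exhausted."""
    if not is_well_formed_session_id(session_id):
        raise ValueError("refusing to query the NS with a malformed session identifier")
    for _ in range(max_polls):
        identity = identity_from_login_status(json.loads(get_session(session_id)))
        if identity is not None:
            return identity
    return None

# Constructed stand-in for the NS: replays the given LoginStatus answers in order.
def make_fake_ns(answers):
    responses = iter(answers)
    return lambda session_id: json.dumps(next(responses))

FAKE_RESPONSES = [  # constructed sample data, not real NS output
    {"loggedin": False},
    {"loggedin": True, "accountid": "acc-123", "userid": "alice"},
]
```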

Session information

All login methods allow displaying contextual information to the user when approving a login. Such contextual information can include, for example, a location or IP address, or a user agent (browser type, operating system).

A distinction is made between announceinfo, which is displayed at the moment the user approves the login, and sessioninfo, which is displayed in the overview of (active and past) sessions. You can, for example, provide more detailed information in sessioninfo for logging purposes which is not directly useful at the moment the user decides to allow the login.
