
RFC: Simple "Login with Clarius" implementation #2

@nnaskov


Context

We want to be able to log in users from the Clarius App to the ThinkSono app. A fully fledged solution would be a full implementation of the OAuth 2.0 protocol. However, this solution is expected to take a few months or more.

This RFC proposes a preliminary solution, based on OAuth principles, which could be implemented much faster.

It would satisfy the main use-case: A Clarius user, using the Clarius app, initiates an exam in the AutoDVT app and doesn't have an AutoDVT account. Secondary use-cases are not required for this flow (e.g. linking an AutoDVT user to a Clarius user, or a Login with Clarius button, similar to Login with Facebook, added directly in the AutoDVT app).

Process

  1. In Clarius App, a user selects AutoDVT
  2. Clarius App opens the AutoDVT app with an intent, which includes an identity token (e.g. in JWT format) with the following fields:
    • Unique User ID, which can never change (e.g. user GUID or email if users can't change their email)
    • email (if User ID is not email)
    • name of user (Optional)
  3. AutoDVT app starts and sends the identity token to AutoDVT backend
  4. AutoDVT backend verifies the identity token on Clarius backend (e.g. /verify-token endpoint)
  5. If verification passes, AutoDVT backend creates a user with the same username
  6. AutoDVT backend returns success to AutoDVT app and logs in the user with the newly created user


Technical requirements for Clarius

  1. In the app:
    • Generate a valid identity token (internet may be required)
    • Start AutoDVT with the intent and attach the identity token
  2. In the backend:
    • a "/verify-token" endpoint or similar, used to verify identity tokens
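
An added sketch of steps 3 to 6 on the AutoDVT backend side; it is not part of the RFC and not code from either product. Assumptions: `clarius_verify_token` is a local stand-in for the "/verify-token" call, the HMAC token format and the claim names `sub`, `aud`, `exp` and `jti` are constructed for the demo, and the audience, expiry and single-use checks go beyond what the RFC lists.

```python
import base64, hashlib, hmac, json, time

ISSUER_KEY = b"constructed-demo-key"  # assumption: held only by the issuer (Clarius side)

def issue_token(claims):
    """Constructed stand-in for the Clarius app obtaining an identity token."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + sig).decode()

def clarius_verify_token(token):
    """Stand-in for the issuer's /verify-token endpoint: verified claims or None."""
    try:
        body, sig = token.encode().split(b".")
        expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            return None
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None

class AutoDVTBackend:
    def __init__(self, verify, audience="autodvt"):
        self.verify, self.audience = verify, audience
        self.users = {}        # keyed by the immutable Clarius user ID, never by email
        self.seen_jti = set()  # token IDs already redeemed (replay guard)

    def login_with_clarius(self, token, now=None):
        now = time.time() if now is None else now
        claims = self.verify(token)  # step 4: use only claims the issuer confirmed
        if not isinstance(claims, dict):
            return None
        exp = claims.get("exp")
        if claims.get("aud") != self.audience:
            return None  # token was minted for a different app
        if not isinstance(exp, (int, float)) or exp <= now:
            return None  # missing or expired lifetime
        sub, jti = claims.get("sub"), claims.get("jti")
        if not sub or not jti or jti in self.seen_jti:
            return None  # no stable user ID, or token already used
        self.seen_jti.add(jti)
        user = self.users.setdefault(sub, {"id": sub})  # step 5: create on first login
        user.update(email=claims.get("email"), name=claims.get("name"))
        return user  # step 6: caller starts a session for this user
```

Keying accounts on `sub` rather than email means a later email change on the Clarius side updates the existing AutoDVT account instead of creating a second one.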
