End-user IoT device auth with no display
We currently have a product that is an end-user IoT product with no display or input method, but full internet connectivity.

In order to activate it with a user account, we use a native mobile app that communicates with a Spring Boot web app (Spring Security OAuth) that responds to the Password Flow, and sends back access+refresh tokens.

The access+refresh tokens are then sent from mobile app to IoT via encrypted channel, and the IoT is then able to stay logged in forever by refreshing the access token on its own.

It has worked for us the past couple years because we own the mobile app/web app/IoT device. However, I’m aware that it is not optimal, and does not support federated identity (dealbreaker).

What flow would you suggest to authenticate the user on mobile app, have IoT device be logged on forever (unless credentials are no longer valid) and supports federated identities (ex. Facebook)?

I’m fully aware of the OAuth Device Flow. However, would it be acceptable to pass the user code back to the mobile app since the IoT does not have any display?

Finally, in the new version of the mobile app, the user will need to authenticate himself before being able to activate his devices. Are we talking about doing Authorization Code Flow followed by Device Flow for each IoT product? Perhaps auth can be reused with SSO?

Thanks in advance for your input!
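The Device Authorization Grant raised in the post is easiest to reason about as three roles: the display-less device that holds the `device_code` and polls the token endpoint, the authorization server, and whichever user-facing surface submits the `user_code` after the user has logged in (for a device with no display, that surface can be the mobile app, with the user's own login, federated or not, happening before the code is submitted). The simulation below is an added example written for this thread, not code from the original poster or from Spring Security; it models the three roles in one process, with a fake clock so that polling intervals and expiry can be exercised deterministically. Every identifier (`iot-client`, `alice@example`, the verification URI, the scope name) is constructed for the example. Security properties it demonstrates: the `device_code` is high-entropy and never leaves the device, the `user_code` is short-lived and single-use, the server enforces a minimum polling interval, and refresh tokens are rotated so a leaked old token stops working.

```python
"""Offline simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628).
All identifiers, URLs and the clock are constructed for this example."""
import secrets
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # unambiguous consonants, as RFC 8628 suggests
VERIFICATION_URI = "https://auth.example/device"  # placeholder, not a real endpoint


class FakeClock:
    """Deterministic clock so the example can step through intervals and expiry."""
    def __init__(self, start: float) -> None:
        self.t = start
    def now(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class Pending:
    device_code: str            # high-entropy secret, known only to the device and the server
    user_code: str              # short, human-typeable; this is the only value a user sees
    client_id: str
    scope: str
    expires_at: float
    interval: int = 5           # minimum seconds between token-endpoint polls
    last_poll: float = float("-inf")
    approved_by: Optional[str] = None


class AuthorizationServer:
    def __init__(self, clock: FakeClock, lifetime: int = 600) -> None:
        self.clock, self.lifetime = clock, lifetime
        self.by_device_code: dict = {}
        self.by_user_code: dict = {}
        self.refresh_tokens: dict = {}  # refresh_token -> (client_id, subject, scope)

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Device authorization endpoint (RFC 8628 section 3.2): the device calls this first."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        pending = Pending(device_code, user_code, client_id, scope, self.clock.now() + self.lifetime)
        self.by_device_code[device_code] = pending
        self.by_user_code[user_code] = pending
        return {"device_code": device_code, "user_code": user_code, "verification_uri": VERIFICATION_URI,
                "expires_in": self.lifetime, "interval": pending.interval}

    def approve(self, typed_user_code: str, subject: str) -> bool:
        """User-facing step: `subject` has already authenticated (federated or local login is
        outside this class) and now binds the pending request to their account."""
        pending = self.by_user_code.get(typed_user_code.strip().upper())
        if pending is None or pending.approved_by is not None or self.clock.now() >= pending.expires_at:
            return False
        pending.approved_by = subject
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """Token endpoint for grant_type urn:ietf:params:oauth:grant-type:device_code (the device polls this)."""
        pending = self.by_device_code.get(device_code)
        if pending is None or pending.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock.now()
        if now >= pending.expires_at:
            self._forget(pending)
            return {"error": "expired_token"}
        polled_too_fast = now - pending.last_poll < pending.interval
        pending.last_poll = now
        if polled_too_fast:
            return {"error": "slow_down"}
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        self._forget(pending)  # device_code and user_code are single use
        return self._issue(client_id, pending.approved_by, pending.scope)

    def refresh(self, client_id: str, refresh_token: str) -> dict:
        """Refresh grant with rotation: the presented refresh token is retired on use."""
        entry = self.refresh_tokens.pop(refresh_token, None)
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        return self._issue(*entry)

    def _issue(self, client_id: str, subject: str, scope: str) -> dict:
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh_token] = (client_id, subject, scope)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": refresh_token, "scope": scope}

    def _forget(self, pending: Pending) -> None:
        self.by_device_code.pop(pending.device_code, None)
        self.by_user_code.pop(pending.user_code, None)


def run_scenario() -> dict:
    """Walk one device through the grant and return what each step observed."""
    clock = FakeClock(1000.0)
    server = AuthorizationServer(clock)
    start = server.device_authorization("iot-client", "device:activate")
    dc = start["device_code"]
    out = {"first_poll": server.token("iot-client", dc)["error"]}   # nobody has approved yet
    clock.advance(2)
    out["fast_poll"] = server.token("iot-client", dc)["error"]     # device ignored the interval
    out["wrong_code"] = server.approve("XXXX-XXXX", "alice@example")
    out["approved"] = server.approve(start["user_code"].lower(), "alice@example")  # typed via the app
    clock.advance(5)
    grant = server.token("iot-client", dc)
    out["got_tokens"] = "access_token" in grant
    out["replay"] = server.token("iot-client", dc)["error"]        # device_code already consumed
    rotated = server.refresh("iot-client", grant["refresh_token"])
    out["rotated"] = "access_token" in rotated
    out["old_refresh"] = server.refresh("iot-client", grant["refresh_token"])["error"]
    stale = server.device_authorization("iot-client", "device:activate")
    clock.advance(server.lifetime + 1)
    out["expired"] = server.token("iot-client", stale["device_code"])["error"]
    return out
```

Run `run_scenario()` to see the sequence: `authorization_pending`, then `slow_down` for the impatient poll, a rejected wrong code, a successful approval, tokens on the next poll, `invalid_grant` on any reuse of the `device_code` or of a rotated-out refresh token, and `expired_token` once the request outlives its window. The point for the thread's question is that the `user_code` is the only value that leaves the device, so routing it through an authenticated mobile app instead of a screen changes where it is displayed, not what it authorizes; the server still binds the approval to the logged-in account and the device still obtains its own refresh token.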