Best Practice for Using Ory Hydra/Kratos on Android POS Devices Without Browser-Based Login

[resulbdev]

Hi everyone,

We are using open-source Ory Hydra + Kratos + Oathkeeper for our web applications and OAuth2/OIDC infrastructure.

Now we want to support Android POS devices, but these devices usually do not have a proper browser and browser-based OAuth flows provide poor UX on POS hardware.

Our goal is to keep Hydra as the central OAuth2 token issuer while providing a fully native login experience on the POS device.

How can we achieve this architecture properly with Ory?

Thanks!

[vinckr]

Hey @resulbdev

You can either use OAuth 2.0 Device Authorization Grant (RFC 8628) - I think this is supported in Ory community edition as well (docs) or alternatively a Custom Login/Consent + Kratos Native API (On-Device Credentials)

If you need the user to enter credentials directly on the POS device (e.g., a PIN or password at a terminal), you can combine Ory Hydra's custom login/consent flow with Ory Kratos' native (API) login flows, which require no browser.