How QR Code Login Works: From Token Authentication to Seamless Mobile‑PC Sign‑In
This article explains the technical principles behind QR code login, covering QR code basics, token‑based authentication, the step‑by‑step workflow between mobile and PC, and security considerations for implementing a reliable cross‑device sign‑in system.
QR Code Login Essence
QR code login is a form of authentication that involves two core actions: telling the system who you are and proving it.
Tell the system who I am
Prove who I am
When a user scans a QR code, the mobile app (which is already logged in) sends its account identity to the server, and the server links that account to the unique QR‑code ID it generated for the PC.
Understanding QR Codes
A QR code encodes an arbitrary string, not only digits as a one‑dimensional barcode does. Online generators can turn text or a URL into a QR code and decode it back again.
Token‑Based Authentication Mechanism
After a successful username‑password login, the client receives a token that identifies the account ID, device ID, and device type. The token is stored locally and sent with every API request. The server validates it by looking up the account‑device record the token refers to and checking that the device information in the request matches what was stored.
    const token = {
      accountId: '账号ID',                          // account ID
      deviceId: '登录的设备ID',                      // ID of the device that logged in
      deviceType: '设备类型,如 iso,android,pc......'  // device type, e.g. ios, android, pc
    };

The token is never the password itself; it only references the bound account‑device record, so the token reveals nothing about the password even if it is exposed.
General QR‑Code Login Workflow
The process consists of three main stages:
Preparation – the PC requests a QR‑code ID from the server, which binds the ID to the PC’s device info and returns it; the PC then renders a QR code containing that ID and polls the server for status changes.
Scanning – the mobile app scans the QR code, extracts the ID, and sends its authenticated user info together with the ID to the server. The server creates a temporary one‑time token and returns it to the mobile app; the PC’s poll sees the status change to “scanned”.
Confirmation – the user confirms on the mobile device, sending the temporary token to the server. The server generates the final login token for the PC, updates the status to “confirmed”, and the PC retrieves the token to complete the login.
Detailed Steps
QR Code Preparation
PC sends a request with its device info to the server.
Server generates a unique QR‑code ID and binds it to the PC’s device info.
Server returns the ID; the PC creates a QR code containing the ID.
PC continuously polls the server for the QR‑code status.
Scanning State Transition
User scans the QR code; the mobile app extracts the ID.
Mobile app calls the server API, sending its authenticated identity and the QR‑code ID.
Server binds the identity to the ID, creates a temporary token, and returns it to the mobile app.
PC’s polling detects the “scanned” status and updates the UI.
Status Confirmation
Mobile app shows a confirmation dialog; upon user approval it sends the temporary token to the server.
Server generates the final login token for the PC based on the bound account and device info.
PC’s poll sees the “confirmed” status and receives the login token.
PC uses the token to access server resources.
Key Points
The QR code contains either a plain ID or a URL that includes the ID.
The temporary token is single‑use, ensuring the scan and confirmation steps come from the same mobile device.
If the user cancels the confirmation, the process stops, leaving the PC unauthenticated.
Summary
QR code login relies on token‑based authentication and stateful QR‑code IDs to let a pre‑authenticated mobile app securely grant a PC session without exposing passwords, making it suitable for PC, web, and mobile clients.