Hi @brady.miller @sjpadgett @im-Amitto,
As far as standards and existing solutions go, OpenID Connect is a popular standard to use for authentication and authorization, whether it’s for a browser, mobile client, or desktop client.
OpenID Connect builds on the OAuth2 authorization standard to provide both authentication and authorization. OAuth2 does a great job of supporting authorization by allowing a user to grant or revoke an app’s access to his/her data. OpenID “sits on top of OAuth2” and provides an authentication workflow. The value is that you can handle authorization AND authentication in a uniform fashion using the same framework.
The current “best practice” for mobile applications is to use a Proof Key for Code Exchange (PKCE) workflow.
This article provides a walkthrough of wiring up an Android app to use a framework called AppAuth, which is a “best” practices implementation of OpenID Connect and OAuth2. It may be helpful to review this article along with some content from Auth0 and Okta to see how other folks are handling this use-case.
To Brady’s point, OpenEMR will need to store some type of identifier/metadata to support this. If an OpenID Connect compliant solution can be implemented, OpenEMR will have a secure and “industry standard” means of authenticating mobile apps.