Both options are viable but the second option is definitely more straightforward.
How I would implement the second approach:
- Create session with JWT token on web2 backend.
- Call your canister backend through the wallet with the user's subject id from the previous step as argument.
- Call your web2 backend to notify the previous step has completed.
- Your web2 backend calls the canister to get the principal registered for the user's subject id.
The 2nd step can be restricted to actual valid subject ids by e.g. verifying the incoming JWT signature within the canister.
The 4th step can be restricted to only your web2 backend by checking if the caller principal is on an allowlist.
And yes, a standardized sign-message method isn't available yet; it was de-prioritized a while back when the priority was on topics specific to the IC. You can find the current ICRC-32 draft here: GitHub - dfinity/wg-identity-authentication: Repository of the Identity and Wallet Standards Working Group
In case you’re interested in picking this up and would like to discuss the current status and work to be done to get it past the finish line, feel free to schedule a meeting: Newsletter for Identity & Wallet Standards Working Group
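As an added illustration (not code from the original post, nor from DFINITY), here is a Python model of steps 1, 2 and 4 above: the web2 backend mints an HS256 session JWT, the canister accepts a registration only if that JWT's algorithm, signature and expiry verify, and the lookup is limited to an allowlisted caller principal. The in-memory canister state, the principal strings and the shared key are constructed placeholders; a real canister would verify an asymmetric signature (RS256/ES256) against the backend's public key rather than hold a shared secret.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a deployed canister should hold only a public key (RS256/ES256).
HS256_KEY = b"demo-shared-secret"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_jwt(sub: str, exp: int, key: bytes = HS256_KEY) -> str:
    """Step 1: the web2 backend issues a session JWT carrying the user's subject id."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "exp": exp}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes = HS256_KEY, now=None):
    """Return the subject id if algorithm, signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "HS256":
        return None  # accept only the expected algorithm, never "none" or a swapped alg
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        return None  # expired (or missing) exp claim
    return claims.get("sub")

class Canister:
    """In-memory model of the canister state: subject id -> registered principal."""
    def __init__(self, allowlist):
        self.registry = {}
        self.allowlist = set(allowlist)  # principals allowed to call principal_for

    def register(self, caller: str, token: str) -> bool:
        """Step 2: called through the wallet; a valid JWT proves the subject id."""
        sub = verify_jwt(token)
        if sub is None:
            return False
        self.registry[sub] = caller
        return True

    def principal_for(self, caller: str, sub: str):
        """Step 4: only allowlisted callers (the web2 backend) may look up a principal."""
        return self.registry.get(sub) if caller in self.allowlist else None
```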