Scalar client API to request an OpenID token (read: improve auth dance for widgets) #7153

@turt2live

Description

The auth dance for widgets like the sticker picker currently involves the integration manager being an integral part of your client, as Riot rightly refuses to provide a scalar token to the widget unless the widget belongs to the integration manager (as per config). This means that sticker pickers sometimes don't work on mobile or other Riot instances.

The widget could instead send an action over the postMessage API to request an OpenID token that it can then pass along to its backend for verification. Given this is how the scalar token is sourced, this seems to be a reasonable thing to do. It's also hard to lie about your identity with this approach.

UX-wise, it might be a good idea to shove a popup to the user saying "Your sticker picker wants to verify your identity". The widget would probably have to be aware of this UX and not time out its own request for asking for identity. A rate limit might need to be introduced, and the act of approving/denying the widget should probably persist instead of notifying the user every time they happen to reload the page.
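A client-side sketch of the flow proposed above, added here as an example and not code from Riot or this issue's author: the client accepts the token request only from the widget's own iframe and origin, asks the user once and persists the answer, rate-limits repeat requests, and replies to the widget's origin only. The action names `get_openid` / `openid_result`, the widget record shape, the one-minute limit and the prompt/token callbacks are all assumptions.

```javascript
// Added example (not Riot's code): a client-side gate for widget "get_openid" requests.
// Assumed names: the action string "get_openid", the reply action "openid_result",
// the widget record shape {id, origin, frameWindow}, and the prompt/token callbacks.
const RATE_LIMIT_MS = 60 * 1000; // assumed: at most one token per widget per minute

class WidgetOpenIdGate {
  // promptUser(widgetId) -> boolean (the "wants to verify your identity" dialog)
  // fetchOpenIdToken()   -> OpenID token object obtained from the homeserver
  // decisionStore        -> localStorage-like {getItem, setItem} so approvals survive reloads
  constructor(promptUser, fetchOpenIdToken, decisionStore) {
    this.promptUser = promptUser;
    this.fetchOpenIdToken = fetchOpenIdToken;
    this.store = decisionStore;
    this.lastIssued = new Map(); // widgetId -> timestamp of the last token issued
  }

  // Only trust messages that arrive from the widget's own iframe window and origin;
  // a message with the right action but the wrong source or origin is dropped.
  isFromWidget(event, widget) {
    return event.source === widget.frameWindow && event.origin === widget.origin;
  }

  handle(event, widget, now = Date.now()) {
    if (!this.isFromWidget(event, widget)) return { state: 'ignored' };
    if (!event.data || event.data.action !== 'get_openid') return { state: 'ignored' };

    const key = `openid-approval:${widget.id}`;
    let decision = this.store.getItem(key);
    if (decision !== 'allow' && decision !== 'deny') {
      decision = this.promptUser(widget.id) ? 'allow' : 'deny';
      this.store.setItem(key, decision); // persist so the user is not re-asked on every reload
    }

    let result;
    if (decision === 'deny') {
      result = { state: 'blocked' };
    } else if (now - (this.lastIssued.get(widget.id) ?? -Infinity) < RATE_LIMIT_MS) {
      result = { state: 'rate_limited' };
    } else {
      this.lastIssued.set(widget.id, now);
      result = { state: 'allowed', token: this.fetchOpenIdToken() };
    }
    // Reply to the requesting frame with the widget's origin as the target, so that
    // a frame at any other origin never receives the token.
    event.source.postMessage({ action: 'openid_result', ...result }, widget.origin);
    return result;
  }
}
```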
