Clients can request external login at the authorization endpoint using the acr_values query parameter, e.g. acr_values=ext:google.
The original authorization request is preserved internally and resumed after a successful external login.
When a user logs in and they still have a valid root session+cookie with a matching credentials ID, the session is updated instead of a new one being created.
TODO
[ ] Revise standard Seacat login flow
[ ] It should be analogous and compatible to the external login flow
[ ] It should use the state parameter instead of redirect_uri (store it in the login session)
[ ] After successful login, backend should unwrap the state and send back redirect URI (of the authorize request)
[x] External login callback endpoint must have a provider_id path parameter (as it did before).
[x] Configurable fallback redirect URL for failed external login flow.
[x] OPTIONAL: Add navigable endpoint GET /public/ext-login/{provider_id}?state={state} which merely redirects to the external authorization endpoint. This is just a shorthand so that the ugly deep links are not so exposed.
[ ] OPTIONAL: Add similar navigable endpoint for adding external login for existing users.
[ ] Webui
[ ] Login prologue should send state in payload
[ ] Fix URLs of external login buttons
[ ] Read redirect URI from PUT login response
[ ] Confirmation prompt before external credential is linked to Seacat credentials
solves #316
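The flow summarized in this description, sketched as an added example that is not code from this pull request or from Seacat Auth: the authorize request is stored server-side under a random single-use state, and the callback resumes it only when the state and provider_id match. The function names, the in-memory dict, the 300-second lifetime, the alphanumeric provider-ID rule and the example.test URLs are all assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, quote, urlsplit

FALLBACK_URL = "https://auth.example.test/login-failed"  # constructed placeholder
STATE_TTL = 300  # seconds; assumed lifetime of a pending external login
_pending = {}  # state -> (provider_id, expiry, authorize query); in-memory stand-in


def external_provider(acr_values):
    """Return the provider named by the first 'ext:<id>' entry, or None."""
    for value in acr_values.split():  # OIDC acr_values is space-separated
        prefix, _, provider_id = value.partition(":")
        # Assumed rule: provider IDs are alphanumeric, so nothing path-like
        # can reach the /public/ext-login/{provider_id} URL built below.
        if prefix == "ext" and provider_id.isalnum():
            return provider_id
    return None


def begin_external_login(authorize_url, now=None):
    """Preserve the authorize request; return the ext-login redirect path."""
    now = time.time() if now is None else now
    query = parse_qs(urlsplit(authorize_url).query)
    provider_id = external_provider(query.get("acr_values", [""])[0])
    if provider_id is None:
        return None  # no external login requested
    state = secrets.token_urlsafe(32)  # unguessable handle to the stored request
    _pending[state] = (provider_id, now + STATE_TTL, query)
    return f"/public/ext-login/{provider_id}?state={quote(state)}"


def finish_external_login(provider_id, state, now=None):
    """Return (True, original query) or (False, FALLBACK_URL)."""
    now = time.time() if now is None else now
    entry = _pending.pop(state, None)  # single use: a replayed state fails
    if entry is None or entry[0] != provider_id or entry[1] < now:
        return (False, FALLBACK_URL)
    return (True, entry[2])
```

Because the state is popped before it is checked, a callback that arrives with the wrong provider_id also invalidates the pending login, and the user has to start again from the authorization endpoint.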