[Pitch] OIDC Client Application

[fungc-io]

Problem

To use Authgear in applications that already support OAuth login, such as Wordpress, CraftCMS. So they can use enjoy Authgear feature very easily, such as passkey, 2FA.

Appetite

• ~4 weeks~ 6 weeks

Solution

• Create a Wordpress site that is signup with Authgear
• Create a tutorial on how it’s connected

We only using Authgear as 3rd party auth at this stage. i.e. adding Authgear to Wordpress is like adding Google login to an existing app. The session is managed by the app.

Design changes

• Support Client Secrets, and Authorization flow

• In “Add Application” add an option:

  [ ] OIDC Client Application Allow users to login with Authgear on to access any other OIDC compatible applications. e.g. WordPress, Craftcms, Magento

• No client secret for other app types

• Some design changes in current behavior: “application type” for all app types are not changeable

• In application detail page:

  • In Basic Info, below “Application Type”, add a readonly (disabled) text field “Client Secret”
  • In URIs, only show “Authorized Redirect URIs”
  • Remove “Refresh token”, “Access Token” and "Cookie-based authentication” panes

• In the user /settings, under "Security",

  • Change “Signed in Sessions” to “Signed in Devices and Apps”

  • Button

    ## Signed in Devices and Apps
    
    Manage your authenticated devices and apps

  • Page:

    ## Signed in Devices and Apps
    
    ### Devices
    
    paragraph: You’re currently signed in to your account on these devices
    
    [device list]
    
    [Terminate group]
    
    [Terminate all other sessions]
    
    ### **Authorized Apps**
    
    Paragraph: You use your account to sign in to these sites and apps. They can view your profile information
    [List of apps with revoke button]

• In User detail page in the Portal, add a tab for “Authorized Apps”, same affordance for the admin

Other Changes

• Add a doc page explaining this feature

Rabbit holes

Keep a list of problems the user may face if they uses Authgear as 1st party login. i.e. They use the OIDC client secret but not as SSO. They will be known issues but not considered in this pitch because they are not the intention of this feature.

No-goes

• Secret rotation is not needed for now.

Tasks

• [x] #2433
• [x] #2435
  • replace is_first_client with third_party_app application type and ignore is_first_client
  • add client_secret and client name
• [x] #2438
• [x] #2440
• Support nonce in authz code flow It is supported already
• [x] #2442
• [x] #2482
• Support accessing the settings page for third-party client by idp session
• [x] #2504
• [x] #2485
  • Support auto generate secret from server side when saving new oauth client
  • Support update client name
  • Click to show client secret, no reauth for this version
• [x] #2518
• [x] #2526
  • Show third-party app authorizations
  • Hide third-party sessions from the sign-in sessions
• [x] #2533
  • Show third-party app authorizations
  • Hide third-party sessions from the sign-in sessions
• [x] #2484
• [x] #2542
• [x] #2541
• [x] https://github.com/authgear/docs/pull/108
• [x] #2555

[carmenlau]

Moved to the description

[fungc-io]

ref: #2428 @carmenlau Design in Figma: https://www.figma.com/file/msiE4O5imHONAG5EjhZeiZ/Authgear-UI?node-id=7631%3A113965

[fungc-io]

@carmenlau design is updated for larger screens

[fungc-io]

@carmenlau I've added 1 more item to the todo for "Set and Display Privacy Policy and T&C links for OIDC clients"

[carmenlau]

@louischan-oursky @fungc-io When I am writing the doc, I found that it would be easier for the users to follow if we mention the endpoints in the portal. I did the following adjustment, see if it makes sense.

For the third-party app, I removed the Endpoint field from the Basic Info and added Endpoints section.

Thought?

[fungc-io]

awesome, i like it. btw can we move "Consent Screen" to above "URIs"?

[louischan-oursky]

I prefer this order: configuration URI, authentication endpoint, token endpoint, userinfo endpoint, jwks endpoint

[carmenlau]

can we move "Consent Screen" to above "URIs"?

But "URIs" is the section they must edit to make the whole setup works, so I keep this order. Do you still want to change the order? I am okay with this:)

I prefer this order: configuration URI, authentication endpoint, token endpoint, userinfo endpoint, jwks endpoint

Adjusted accordingly!