Update the specs to reflect latest implementation

tung2744 commented 1 week ago

[ ] Address comments in pr
[ ] Add a section to mention new client config to enable app-initiated-sso-to-web
[ ] Mention device_secret rotation in reauth, refresh token, refresh id token
[ ] Explains what happens to the device_secret during device_secret rotation. (i.e. Always generate a new device_secret. Validation of the old device_secret is not needed because if it is invalid, a new secret will be generated. Therefore anyway a new device_secret is created)
[ ] Remove scope from authorization endpoint as it is specified when generating the token

linear[bot] commented 1 week ago

DEV-1445 Update the specs to reflect latest implementation

tung2744 commented 5 days ago

Some notes after a offline discussion


Expected app B behavior:

1. Check if device sso is available (Add authentication state in enum DEVICE_SSO_AVAILABLE)
  - Only check device_secret if device sso enabled
2. If yes, app B should use device sso to login. (App call on initiate is better)
3. If app B didn't do 1 and 2, and call authenticate, it is an error. (Define a error code)

- When app B want to login as different user account, need to perform device sso first to obtain a session, then call logout.

- device sercet share between different container name?

- app to web sso requires device sso to work

authgear / authgear-server

Update the specs to reflect latest implementation #4375