Open tung2744 opened 1 week ago
Some notes after an offline discussion
Expected app B behavior:
1. Check if device sso is available (Add authentication state in enum DEVICE_SSO_AVAILABLE)
- Only check device_secret if device sso enabled
2. If yes, app B should use device sso to log in. (App call on initiate is better)
3. If app B didn't do 1 and 2, and calls authenticate, it is an error. (Define an error code)
- When app B wants to log in as a different user account, it needs to perform device sso first to obtain a session, then call logout.
- device secret shared between different container names?
- app to web sso requires device sso to work
scope
from authorization endpoint as it is specified when generating the token