app/stories/developer/DEV-005-oauth-client.md

# Register OAuth Client App

**ID:** DEV-005
**Priority:** Medium
**Status:** Planned

## User Story
As a developer, I want to register my application as an OAuth client so that users can authorize my app to access their data using standard OAuth 2.0 flows.

## Acceptance Criteria
- [ ] Register OAuth 2.0 client application
- [ ] Support Authorization Code flow
- [ ] Support PKCE for public clients (mobile/SPA)
- [ ] Configure allowed scopes per client
- [ ] Consent screen customization
- [ ] Token endpoint for code exchange
- [ ] Refresh token support
- [ ] Client credentials flow for server-to-server

## Technical Notes
- OAuth/OIDC client registration is now part of the Apps system
- **For organization owners**: Use Custom OIDC Apps (ORG-011) to create OAuth clients
- **For third-party developers**: Submit to AppStore (DEV-008) for public apps
- Standard OAuth 2.0 / OpenID Connect flows supported
- Scopes: openid, profile, email, organizations
- PKCE is required for mobile and SPA security

## Implementation Path

This story's functionality is now implemented through:
1. **Custom OIDC Apps** (ORG-011) - Create org-specific OAuth clients via the Apps UI
2. **Partner Apps** (DEV-008) - Submit public apps to the AppStore

Both use the same underlying `IOAuthCredentials` model:
```typescript
interface IOAuthCredentials {
  clientId: string;
  clientSecretHash: string;
  redirectUris: string[];
  allowedScopes: string[];
  grantTypes: ('authorization_code' | 'client_credentials' | 'refresh_token')[];
}
```

## Related Stories
- ORG-011: Create Custom OIDC Apps (primary implementation)
- DEV-004: Proper App ID Initialization
- DEV-008: Submit App to AppStore

## Related TODOs
- New feature - OAuth server implementation