stories/organization-owner/ORG-011-custom-oidc-apps.md

# Create Custom OIDC Apps

**ID:** ORG-011
**Priority:** Medium
**Status:** Planned
**Phase:** 2

## User Story
As an organization owner, I want to create custom OAuth/OIDC client applications so that I can integrate my own internal tools and services with the identity provider.

## Acceptance Criteria
- [ ] Create a new custom OIDC application
- [ ] Configure application name and description
- [ ] Upload application logo
- [ ] Set application URL
- [ ] Configure redirect URIs
- [ ] Select allowed OAuth scopes
- [ ] Choose grant types (authorization_code, client_credentials, refresh_token)
- [ ] View client ID and client secret
- [ ] Regenerate client secret if compromised
- [ ] Edit existing applications
- [ ] Delete applications
- [ ] Configure token lifetimes

## Technical Notes
- Custom OIDC apps are organization-scoped
- Client secret is hashed in database, shown only once at creation
- Redirect URIs validated to prevent open redirect attacks
- Standard OAuth 2.0 / OpenID Connect flows supported
- PKCE support for public clients

## Data Model

```typescript
interface ICustomOidcApp {
  id: string;
  type: 'custom_oidc';
  data: {
    name: string;
    description: string;
    logoUrl: string;
    appUrl: string;
    ownerOrganizationId: string;
    oauthCredentials: IOAuthCredentials;
    oidcSettings: {
      accessTokenLifetime: number;  // seconds
      refreshTokenLifetime: number; // seconds
    };
  };
}

interface IOAuthCredentials {
  clientId: string;
  clientSecretHash: string;
  redirectUris: string[];
  allowedScopes: string[];
  grantTypes: ('authorization_code' | 'client_credentials' | 'refresh_token')[];
}
```

## UI Components
- **AppsView** - Custom OIDC tab with app list
- **OidcAppFormView** (`/account/org/:orgName/apps/custom/new`) - Create new app form
- **OidcAppFormView** (`/account/org/:orgName/apps/custom/:appId`) - Edit existing app

## Related Stories
- ORG-009: Connect Global Apps
- ORG-010: Browse and Install Partner Apps
- DEV-004: Proper App ID Initialization
- DEV-005: Register OAuth Client App
feat(apps): Add Apps subsystem: App and AppConnection models, managers, typed request handlers, web UI routes and documentation 2025-12-01 09:18:48 +00:00			`# Create Custom OIDC Apps`

			`ID: ORG-011`
			`Priority: Medium`
			`Status: Planned`
			`Phase: 2`

			`## User Story`
			`As an organization owner, I want to create custom OAuth/OIDC client applications so that I can integrate my own internal tools and services with the identity provider.`

			`## Acceptance Criteria`
			`- [ ] Create a new custom OIDC application`
			`- [ ] Configure application name and description`
			`- [ ] Upload application logo`
			`- [ ] Set application URL`
			`- [ ] Configure redirect URIs`
			`- [ ] Select allowed OAuth scopes`
			`- [ ] Choose grant types (authorization_code, client_credentials, refresh_token)`
			`- [ ] View client ID and client secret`
			`- [ ] Regenerate client secret if compromised`
			`- [ ] Edit existing applications`
			`- [ ] Delete applications`
			`- [ ] Configure token lifetimes`

			`## Technical Notes`
			`- Custom OIDC apps are organization-scoped`
			`- Client secret is hashed in database, shown only once at creation`
			`- Redirect URIs validated to prevent open redirect attacks`
			`- Standard OAuth 2.0 / OpenID Connect flows supported`
			`- PKCE support for public clients`

			`## Data Model`

			```typescript
			`interface ICustomOidcApp {`
			`id: string;`
			`type: 'custom_oidc';`
			`data: {`
			`name: string;`
			`description: string;`
			`logoUrl: string;`
			`appUrl: string;`
			`ownerOrganizationId: string;`
			`oauthCredentials: IOAuthCredentials;`
			`oidcSettings: {`
			`accessTokenLifetime: number; // seconds`
			`refreshTokenLifetime: number; // seconds`
			`};`
			`};`
			`}`

			`interface IOAuthCredentials {`
			`clientId: string;`
			`clientSecretHash: string;`
			`redirectUris: string[];`
			`allowedScopes: string[];`
			`grantTypes: ('authorization_code' \| 'client_credentials' \| 'refresh_token')[];`
			`}`
			```

			`## UI Components`
			`- AppsView - Custom OIDC tab with app list`
			- OidcAppFormView (`/account/org/:orgName/apps/custom/new`) - Create new app form
			- OidcAppFormView (`/account/org/:orgName/apps/custom/:appId`) - Edit existing app

			`## Related Stories`
			`- ORG-009: Connect Global Apps`
			`- ORG-010: Browse and Install Partner Apps`
			`- DEV-004: Proper App ID Initialization`
			`- DEV-005: Register OAuth Client App`