stories/developer/DEV-004-app-id-setup.md

# Proper App ID Initialization

**ID:** DEV-004
**Priority:** High
**Status:** Planned

## User Story
As a developer, I want to properly register my application with a unique App ID so that the identity provider can identify and configure my app correctly.

## Acceptance Criteria
- [ ] Developer can register new applications
- [ ] Each app gets unique App ID and App Secret
- [ ] Configure allowed redirect URIs per app
- [ ] Configure allowed origins (CORS) per app
- [ ] App-specific settings (token expiry, etc.)
- [ ] View app analytics (logins per app)
- [ ] Regenerate app secret if compromised
- [ ] Delete/deactivate applications

## Technical Notes
- Current client has `id: ''` placeholder (TODO in code)
- App ID is now part of the unified Apps model (`IApp` discriminated union)
- Three app types exist: Global Apps, Partner Apps, Custom OIDC Apps
- For custom applications, use the Custom OIDC Apps flow (ORG-011)
- App credentials stored as `IOAuthCredentials` with hashed client secret
- Validate redirect URIs to prevent open redirector attacks
- App ID/Client ID is included in JWT claims

## Apps Architecture

The Apps system supports three types:
1. **Global Apps** (ORG-009) - First-party platform apps (foss.global, task.vc)
2. **Partner Apps** (ORG-010, DEV-008) - AppStore model for third-party apps
3. **Custom OIDC Apps** (ORG-011) - Organization-created OAuth/OIDC clients

## Related Stories
- ORG-009: Connect Global Apps
- ORG-010: Browse and Install Partner Apps
- ORG-011: Create Custom OIDC Apps
- DEV-005: Register OAuth Client App
- DEV-008: Submit App to AppStore

## Related TODOs
- `ts_idpclient/classes.idpclient.ts:30` - `id: '', // TODO`
add stories 2025-11-30 15:01:28 +00:00			`# Proper App ID Initialization`

			`ID: DEV-004`
			`Priority: High`
			`Status: Planned`

			`## User Story`
			`As a developer, I want to properly register my application with a unique App ID so that the identity provider can identify and configure my app correctly.`

			`## Acceptance Criteria`
			`- [ ] Developer can register new applications`
			`- [ ] Each app gets unique App ID and App Secret`
			`- [ ] Configure allowed redirect URIs per app`
			`- [ ] Configure allowed origins (CORS) per app`
			`- [ ] App-specific settings (token expiry, etc.)`
			`- [ ] View app analytics (logins per app)`
			`- [ ] Regenerate app secret if compromised`
			`- [ ] Delete/deactivate applications`

			`## Technical Notes`
			- Current client has `id: ''` placeholder (TODO in code)
feat(apps): Add Apps subsystem: App and AppConnection models, managers, typed request handlers, web UI routes and documentation 2025-12-01 09:18:48 +00:00			- App ID is now part of the unified Apps model (`IApp` discriminated union)
			`- Three app types exist: Global Apps, Partner Apps, Custom OIDC Apps`
			`- For custom applications, use the Custom OIDC Apps flow (ORG-011)`
			- App credentials stored as `IOAuthCredentials` with hashed client secret
add stories 2025-11-30 15:01:28 +00:00			`- Validate redirect URIs to prevent open redirector attacks`
feat(apps): Add Apps subsystem: App and AppConnection models, managers, typed request handlers, web UI routes and documentation 2025-12-01 09:18:48 +00:00			`- App ID/Client ID is included in JWT claims`

			`## Apps Architecture`

			`The Apps system supports three types:`
			`1. Global Apps (ORG-009) - First-party platform apps (foss.global, task.vc)`
			`2. Partner Apps (ORG-010, DEV-008) - AppStore model for third-party apps`
			`3. Custom OIDC Apps (ORG-011) - Organization-created OAuth/OIDC clients`

			`## Related Stories`
			`- ORG-009: Connect Global Apps`
			`- ORG-010: Browse and Install Partner Apps`
			`- ORG-011: Create Custom OIDC Apps`
			`- DEV-005: Register OAuth Client App`
			`- DEV-008: Submit App to AppStore`
add stories 2025-11-30 15:01:28 +00:00
			`## Related TODOs`
			- `ts_idpclient/classes.idpclient.ts:30` - `id: '', // TODO`