stories/developer/DEV-005-oauth-client.md

# Register OAuth Client App

**ID:** DEV-005
**Priority:** Medium
**Status:** Planned

## User Story
As a developer, I want to register my application as an OAuth client so that users can authorize my app to access their data using standard OAuth 2.0 flows.

## Acceptance Criteria
- [ ] Register OAuth 2.0 client application
- [ ] Support Authorization Code flow
- [ ] Support PKCE for public clients (mobile/SPA)
- [ ] Configure allowed scopes per client
- [ ] Consent screen customization
- [ ] Token endpoint for code exchange
- [ ] Refresh token support
- [ ] Client credentials flow for server-to-server

## Technical Notes
- OAuth/OIDC client registration is now part of the Apps system
- **For organization owners**: Use Custom OIDC Apps (ORG-011) to create OAuth clients
- **For third-party developers**: Submit to AppStore (DEV-008) for public apps
- Standard OAuth 2.0 / OpenID Connect flows supported
- Scopes: openid, profile, email, organizations
- PKCE is required for mobile and SPA security

## Implementation Path

This story's functionality is now implemented through:
1. **Custom OIDC Apps** (ORG-011) - Create org-specific OAuth clients via the Apps UI
2. **Partner Apps** (DEV-008) - Submit public apps to the AppStore

Both use the same underlying `IOAuthCredentials` model:
```typescript
interface IOAuthCredentials {
  clientId: string;
  clientSecretHash: string;
  redirectUris: string[];
  allowedScopes: string[];
  grantTypes: ('authorization_code' | 'client_credentials' | 'refresh_token')[];
}
```

## Related Stories
- ORG-011: Create Custom OIDC Apps (primary implementation)
- DEV-004: Proper App ID Initialization
- DEV-008: Submit App to AppStore

## Related TODOs
- New feature - OAuth server implementation
add stories 2025-11-30 15:01:28 +00:00			`# Register OAuth Client App`

			`ID: DEV-005`
			`Priority: Medium`
			`Status: Planned`

			`## User Story`
			`As a developer, I want to register my application as an OAuth client so that users can authorize my app to access their data using standard OAuth 2.0 flows.`

			`## Acceptance Criteria`
			`- [ ] Register OAuth 2.0 client application`
			`- [ ] Support Authorization Code flow`
			`- [ ] Support PKCE for public clients (mobile/SPA)`
			`- [ ] Configure allowed scopes per client`
			`- [ ] Consent screen customization`
			`- [ ] Token endpoint for code exchange`
			`- [ ] Refresh token support`
			`- [ ] Client credentials flow for server-to-server`

			`## Technical Notes`
feat(apps): Add Apps subsystem: App and AppConnection models, managers, typed request handlers, web UI routes and documentation 2025-12-01 09:18:48 +00:00			`- OAuth/OIDC client registration is now part of the Apps system`
			`- For organization owners: Use Custom OIDC Apps (ORG-011) to create OAuth clients`
			`- For third-party developers: Submit to AppStore (DEV-008) for public apps`
			`- Standard OAuth 2.0 / OpenID Connect flows supported`
add stories 2025-11-30 15:01:28 +00:00			`- Scopes: openid, profile, email, organizations`
			`- PKCE is required for mobile and SPA security`

feat(apps): Add Apps subsystem: App and AppConnection models, managers, typed request handlers, web UI routes and documentation 2025-12-01 09:18:48 +00:00			`## Implementation Path`

			`This story's functionality is now implemented through:`
			`1. Custom OIDC Apps (ORG-011) - Create org-specific OAuth clients via the Apps UI`
			`2. Partner Apps (DEV-008) - Submit public apps to the AppStore`

			Both use the same underlying `IOAuthCredentials` model:
			```typescript
			`interface IOAuthCredentials {`
			`clientId: string;`
			`clientSecretHash: string;`
			`redirectUris: string[];`
			`allowedScopes: string[];`
			`grantTypes: ('authorization_code' \| 'client_credentials' \| 'refresh_token')[];`
			`}`
			```

			`## Related Stories`
			`- ORG-011: Create Custom OIDC Apps (primary implementation)`
			`- DEV-004: Proper App ID Initialization`
			`- DEV-008: Submit App to AppStore`

add stories 2025-11-30 15:01:28 +00:00			`## Related TODOs`
			`- New feature - OAuth server implementation`