# Create Custom OIDC Apps

**ID:** ORG-011

**Priority:** Medium

**Status:** Planned

**Phase:** 2

## User Story

As an organization owner, I want to create custom OAuth/OIDC client applications so that I can integrate my own internal tools and services with the identity provider.

## Acceptance Criteria

- [ ] Create a new custom OIDC application
- [ ] Configure application name and description
- [ ] Upload application logo
- [ ] Set application URL
- [ ] Configure redirect URIs
- [ ] Select allowed OAuth scopes
- [ ] Choose grant types (authorization_code, client_credentials, refresh_token)
- [ ] View client ID and client secret
- [ ] Regenerate client secret if compromised
- [ ] Edit existing applications
- [ ] Delete applications
- [ ] Configure token lifetimes

## Technical Notes

- Custom OIDC apps are organization-scoped
- Client secret is stored only as a hash in the database and is shown in clear exactly once, at creation (and again only when regenerated)
- Redirect URIs are validated at registration and matched exactly against the registered list at authorization time, to prevent open redirect attacks
- Standard OAuth 2.0 / OpenID Connect flows supported
- PKCE supported for public clients, which cannot hold a client secret

## Data Model

```typescript
interface ICustomOidcApp {
  id: string;
  type: 'custom_oidc';
  data: {
    name: string;
    description: string;
    logoUrl: string;
    appUrl: string;
    ownerOrganizationId: string;
    oauthCredentials: IOAuthCredentials;
    oidcSettings: {
      accessTokenLifetime: number; // seconds
      refreshTokenLifetime: number; // seconds
    };
  };
}

interface IOAuthCredentials {
  clientId: string;
  clientSecretHash: string; // hash only; the plaintext secret is never persisted
  redirectUris: string[];
  allowedScopes: string[];
  grantTypes: ('authorization_code' | 'client_credentials' | 'refresh_token')[];
}
```

## UI Components

- **AppsView** - Custom OIDC tab with app list
- **OidcAppFormView** (`/account/org/:orgName/apps/custom/new`) - Create new app form
- **OidcAppFormView** (`/account/org/:orgName/apps/custom/:appId`) - Edit existing app

## Related Stories

- ORG-009: Connect Global Apps
- ORG-010: Browse and Install Partner Apps
- DEV-004: Proper App ID Initialization
- DEV-005: Register OAuth Client App
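The Technical Notes above name four security controls (secret hashed and shown once, redirect URI validation with exact matching, PKCE for public clients, grant types) without showing how they are enforced. The following is an added example written for this story, not code from the project: it implements each control against a trimmed copy of the page's `IOAuthCredentials` shape. Function names (`issueClientSecret`, `verifyClientSecret`, `isAcceptableRedirectUri`, `redirectUriIsRegistered`, `verifyPkce`, `grantTypesAllowed`), the redirect URI policy (https only except for loopback hosts, no fragment, no userinfo, no wildcards) and the S256-only PKCE rule are this example's assumptions, not decisions recorded in the story.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// Trimmed copy of the page's IOAuthCredentials, keeping only the fields used here
// (assumption: field names follow the story's data model).
interface OAuthCredentials {
  clientId: string;
  clientSecretHash: string;
  redirectUris: string[];
  grantTypes: ("authorization_code" | "client_credentials" | "refresh_token")[];
}

const sha256b64url = (input: string): string =>
  createHash("sha256").update(input).digest("base64url");

// Length check first, then timingSafeEqual, which requires equal-length buffers.
const constantTimeEquals = (a: string, b: string): boolean => {
  const x = Buffer.from(a);
  const y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
};

// 256 bits of CSPRNG output. The plaintext is returned exactly once so the UI can
// display it; only the hash goes to the database. Calling this again is the
// "regenerate secret" path: the old hash is simply overwritten.
function issueClientSecret(): { secret: string; clientSecretHash: string } {
  const secret = randomBytes(32).toString("base64url");
  return { secret, clientSecretHash: sha256b64url(secret) };
}

// Token-endpoint check: hash what the client presented and compare in constant time.
// An unsalted SHA-256 is adequate because the secret is random and high-entropy,
// unlike a user-chosen password.
function verifyClientSecret(presented: string, creds: OAuthCredentials): boolean {
  return constantTimeEquals(sha256b64url(presented), creds.clientSecretHash);
}

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Registration-time policy (assumed rules): absolute URL, https (plain http only for
// loopback dev clients), no fragment, no embedded credentials, no wildcard patterns.
function isAcceptableRedirectUri(raw: string): boolean {
  const url = parseUrl(raw);
  if (url === null) return false;
  const loopback = ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
  const schemeOk = url.protocol === "https:" || (url.protocol === "http:" && loopback);
  if (!schemeOk) return false;
  if (url.hash !== "" || raw.endsWith("#")) return false;
  if (url.username !== "" || url.password !== "") return false;
  if (raw.includes("*")) return false;
  return true;
}

// Authorization-time check: the requested redirect_uri must equal one registered
// string byte for byte. Prefix or pattern matching is how open redirects creep in:
// "https://tool.example.com/cb.evil.example" passes a prefix check on ".../cb".
function redirectUriIsRegistered(requested: string, creds: OAuthCredentials): boolean {
  return creds.redirectUris.some((registered) => registered === requested);
}

// PKCE S256 (RFC 7636): code_challenge = BASE64URL(SHA256(code_verifier)). The
// verifier stays on the client until the token request, so a leaked authorization
// code cannot be redeemed without it. The "plain" method is rejected on purpose.
function pkceChallengeS256(verifier: string): string {
  return sha256b64url(verifier);
}

function verifyPkce(verifier: string, storedChallenge: string, method: string): boolean {
  if (method !== "S256") return false;
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier)) return false; // RFC 7636 charset and length
  return constantTimeEquals(pkceChallengeS256(verifier), storedChallenge);
}

// A public client has no secret, so client_credentials (which authenticates with the
// secret alone) must not be among its grant types.
function grantTypesAllowed(isPublicClient: boolean, creds: OAuthCredentials): boolean {
  return !(isPublicClient && creds.grantTypes.includes("client_credentials"));
}
```

Two design points worth keeping when this is implemented for real: store the secret hash, never the secret, and compare with `timingSafeEqual` rather than `===`; and keep redirect URI matching as exact string equality (the RFC 8252 allowance for a variable port on loopback redirects is deliberately not implemented above).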