app/stories/developer/DEV-004-app-id-setup.md

Proper App ID Initialization

ID: DEV-004 Priority: High Status: Planned

User Story

As a developer, I want to properly register my application with a unique App ID so that the identity provider can identify and configure my app correctly.

Acceptance Criteria

• Developer can register new applications
• Each app gets unique App ID and App Secret
• Configure allowed redirect URIs per app
• Configure allowed origins (CORS) per app
• App-specific settings (token expiry, etc.)
• View app analytics (logins per app)
• Regenerate app secret if compromised
• Delete/deactivate applications

Technical Notes

• Current client has id: '' placeholder (TODO in code)
• App ID is now part of the unified Apps model (IApp discriminated union)
• Three app types exist: Global Apps, Partner Apps, Custom OIDC Apps
• For custom applications, use the Custom OIDC Apps flow (ORG-011)
• App credentials stored as IOAuthCredentials with hashed client secret
• Validate redirect URIs to prevent open redirector attacks
• App ID/Client ID is included in JWT claims

Apps Architecture

The Apps system supports three types:

1. Global Apps (ORG-009) - First-party platform apps (foss.global, task.vc)
2. Partner Apps (ORG-010, DEV-008) - AppStore model for third-party apps
3. Custom OIDC Apps (ORG-011) - Organization-created OAuth/OIDC clients

Related Stories

• ORG-009: Connect Global Apps
• ORG-010: Browse and Install Partner Apps
• ORG-011: Create Custom OIDC Apps
• DEV-005: Register OAuth Client App
• DEV-008: Submit App to AppStore

Related TODOs

• ts_idpclient/classes.idpclient.ts:30 - id: '', // TODO