
chore(passport): Custom domain upstream OAuth logins and authorizations

Open betimshahini opened this issue 2 years ago • 0 comments

As part of the Custom domain OAuth provider configurations, a customer-provided clientId and client secret are used to authenticate and authorize account connections, so that the upstream authorization uses the customer's own branding and information as opposed to Rollup's.

For a Rollup identity that authorizes access to an app A not using custom domains, and an app B using custom domains, both of which use upstream OAuth provider O and use the same account within that provider, there will be a connected account with access tokens issued against two different audiences/clientIds.

Will have to reconcile these in our system (passport and access worker) and leverage the issuer of the access token we produce to facilitate upstream token refreshes and any reconnect flows, in case of disconnections.

A bunch of open questions still remain, for instance: What is shown to a user who already has a connected account from O in their Rollup identity, when an app with a custom domain enabled is asking for authorization to share connected accounts? Force reconnect with new clientID/client secret? Reuse existing?

  • [ ] Outline all scenarios/flows where a customer's app interacts with anything (authn/authz state, data, etc) related to the upstream provider.
  • [ ] Design solution and review with team to make sure all cases are being covered in the solution. Optimize for solution that requires the least UI changes.
  • [ ] Implement

betimshahini, May 25 '23 13:05
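
The reconciliation problem described in the issue, as an added sketch that is not part of the original issue or Rollup's code: upstream grants are keyed by the client they were issued to, and the issuer of the platform's own access token selects which upstream client credentials and grant to use for a refresh. All type names, function names, issuer URLs and token values are hypothetical.

```typescript
// Added sketch: all names and values here are hypothetical, not Rollup's code.
type ClientCreds = { clientId: string; clientSecret: string };
type Grant = { provider: string; accountId: string; clientId: string; refreshToken: string };
type RefreshPlan =
  | { action: "refresh"; body: Record<string, string> }
  | { action: "reconnect"; reason: string };

// Upstream client credentials per issuer of the access token we produce:
// the default issuer uses the platform's client, a custom domain its customer's.
const clientsByIssuer = new Map<string, Map<string, ClientCreds>>([
  ["https://passport.example", new Map([["O", { clientId: "platform-client", clientSecret: "s1" }]])],
  ["https://auth.customer.example", new Map([["O", { clientId: "customer-client", clientSecret: "s2" }]])],
]);

// One upstream account can hold several grants, one per client it was issued to.
const grants = new Map<string, Grant>();
const grantKey = (provider: string, accountId: string, clientId: string): string =>
  JSON.stringify([provider, accountId, clientId]);

function saveGrant(g: Grant): void {
  grants.set(grantKey(g.provider, g.accountId, g.clientId), g);
}

// Pick the grant matching the issuer's client. A refresh token is bound to the
// client it was issued to (RFC 6749, section 6), so never fall back to a grant
// issued to a different client; ask for a reconnect instead.
function planRefresh(issuer: string, provider: string, accountId: string): RefreshPlan {
  const creds = clientsByIssuer.get(issuer)?.get(provider);
  if (!creds) return { action: "reconnect", reason: "no upstream client for issuer" };
  const grant = grants.get(grantKey(provider, accountId, creds.clientId));
  if (!grant) return { action: "reconnect", reason: "no grant for this client" };
  return {
    action: "refresh",
    body: {
      grant_type: "refresh_token",
      refresh_token: grant.refreshToken,
      client_id: creds.clientId,
      client_secret: creds.clientSecret,
    },
  };
}

// Constructed sample: app A (default issuer) has connected; app B has not yet.
saveGrant({ provider: "O", accountId: "acct-1", clientId: "platform-client", refreshToken: "rt-A" });
```

Whether the reconnect outcome should prompt the user or be handled silently is one of the open questions above; the sketch only shows that reusing app A's grant for app B's client is not an option at the token endpoint.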