Summary
As a developer, I want the platform to act as an OAuth/OIDC provider, so that third-party apps can authenticate users.
Blocked by: story-003-customer-accounts
Acceptance Criteria
1. Application Registration
- Register App: Organizers can register OAuth applications with redirect URIs and configure allowed scopes.
- Approval Flow: Registered applications are reviewed before activation.
2. Auth Flows
- Standard Flows: System supports standard OAuth 2.0 authorization code flow with token expiration and refresh.
- Scope Control: Scopes control what data third-party applications can access (e.g., read profile, read orders).
Test Plan
Tier 1 — Acceptance Tests
- AC1: Register OAuth application with redirect URI and scopes
- AC2: Application requires review and approval before activation
- AC3: Authorization code flow with token exchange, expiration, and refresh
- AC4: Scope-based access control restricts data access
Tier 2 — Edge Cases
- Invalid redirect URI rejects authorization attempt
- Expired token refresh issues new access token
- Revoked application access invalidates tokens
- Scope escalation attempt denied
- Concurrent token requests with same auth code (only one succeeds)
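The following in-memory model is an added example, not code from the project or its spec; client IDs, redirect URIs and scope names are constructed. It shows the checks the acceptance criteria and edge cases above call for: approval before use, exact redirect URI matching, scope subset enforcement, expiring single-use authorization codes, and a race that confirms only one of several concurrent exchanges of the same code succeeds.

```python
import secrets
import threading
import time

# Added illustration (not the project's code): an in-memory authorization server
# that enforces the registration, redirect URI, scope and single-use code rules.
class OAuthError(Exception):
    pass

class AuthServer:
    def __init__(self, code_ttl=60):
        self.apps = {}    # client_id -> registration record (constructed sample data)
        self.codes = {}   # authorization code -> pending grant
        self.lock = threading.Lock()
        self.code_ttl = code_ttl

    def register_app(self, client_id, redirect_uris, scopes, approved=False):
        self.apps[client_id] = {"uris": set(redirect_uris), "scopes": set(scopes), "approved": approved}

    def authorize(self, client_id, redirect_uri, scopes):
        app = self.apps.get(client_id)
        if app is None or not app["approved"]:       # AC2: unapproved apps cannot be used
            raise OAuthError("unauthorized_client")
        if redirect_uri not in app["uris"]:           # exact match, no prefix or wildcard matching
            raise OAuthError("invalid_redirect_uri")
        if not set(scopes) <= app["scopes"]:          # scope escalation denied
            raise OAuthError("invalid_scope")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client": client_id, "uri": redirect_uri,
                            "scopes": set(scopes), "exp": time.monotonic() + self.code_ttl}
        return code

    def exchange(self, client_id, code, redirect_uri):
        with self.lock:                               # atomic pop: only one caller ever gets the grant
            grant = self.codes.pop(code, None)
        if grant is None or grant["client"] != client_id or grant["uri"] != redirect_uri:
            raise OAuthError("invalid_grant")
        if time.monotonic() > grant["exp"]:           # expired codes are discarded, never honoured
            raise OAuthError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "scope": sorted(grant["scopes"])}

def race_exchange(server, client_id, code, redirect_uri, n=16):
    """Race n threads on one code; returns how many exchanges succeeded (expect 1)."""
    wins = []
    def worker():
        try:
            server.exchange(client_id, code, redirect_uri)
            wins.append(1)
        except OAuthError:
            pass
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return len(wins)
```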
📄 Full spec: spec/elixir-phoenix-migration/10-product/stories/story-035-oauth-oidc-provider.md