Aims
- We want to enable any recipe to work as the login mechanism for single sign on, without any change to that recipe.
- The protocol we will use is OAuth 2.0, Authorization Code grant flow with PKCE, plus OIDC on top for identity.
- We want single sign-in and single logout. We also want to give the user control to exclude certain apps from single sign-in / single logout.
- TODO: Should session re-authentication in one app cause the same in all other logged in apps?
- TODO: Would the user need to create a frontend UI + backend API for the single sign on domain? Or will we take full control of it like how Auth0 etc do?
- SuperTokens would have to be aware of multiple clients in this case. One client would be one website (the way YouTube is one client of Google's SSO).