:PROPERTIES:
:ID: b30f9e63-e655-40e6-9a58-5a390a7921bb
:END:
#+TITLE: Cisco: Org Level OAuth2 Clients
#+Author: Yann Esposito
#+Date: [2022-05-02]

- tags :: [[id:ce893df9-32a4-44e0-9eb5-b9817141ee6a][cisco]]
- source ::

* Org Level Clients

*Goal*: When the creator of an OAuth2 client leaves the company, we wish to keep the client working while disabling the user.

** Technical Solution

We should provide a field that marks a client as being owned by the org and not by a particular user. What does this mean:

1. Every admin of the org should be able to see and edit the client.
2. During the creation of the client we should add an option such that we know this client is an org-level client.

Looking at the code, it means that we should just change the ~iroh-auth.oauth2-client-service.core/accessible-for?~ function.
We should probably add a new optional field to ease both the creation and the search for org-level clients.
I propose to add an optional ~org-level?~ field. If it is true during the creation, then we should set the ~owner-id~ to be equal to the ~org-id~.

** Security concerns

While not mandatory, handling an ownership change should mean we would like to provide a way to change the client's secret.
So we should provide a *Client Secret Reset* mechanism, probably a single POST endpoint that would generate a new password.
As we would not want to break the clients during a password change, the client should probably support two passwords temporarily: a user-configurable grace period during which the old password will still be accepted.

This means adding the following optional fields to the client object:

- ~old-password~: the old password, set on password change
- ~old-password-valid-until~: the date after which the old password will be rejected

The time during which two passwords could be accepted could last up to a few weeks.

* Tasks

- [ ] Support org-level client:
  1. add an ~org-level?~ boolean field. If this field is true then the client must not have any ~owner-id~ field.
  2. org-level clients should be visible to all admins, for reading and searching
  3. we should provide a new route to promote normal clients to org-level clients.
- [ ] OPTIONAL Support client-secret reset
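A sketch of the two pieces discussed above, the ~accessible-for?~ check extended for ~org-level?~ clients and the two-password grace period for a secret reset. This is an added illustration, not iroh-auth code: the map shapes (~:org-id~, ~:owner-id~, ~:roles~, ~:password~) and the sample users and clients are assumptions, and it follows the Tasks variant where an org-level client has no ~owner-id~.

```clojure
(ns example.org-level-clients
  (:import (java.time Instant Duration)))

;; Constructed sample identities (hypothetical, not from the note).
(def org-admin {:id "user-admin" :org-id "org-1" :roles #{:admin}})
(def alice     {:id "user-alice" :org-id "org-1" :roles #{:user}})
(def other-org {:id "user-bob"   :org-id "org-2" :roles #{:admin}})

;; Constructed sample clients: one personal, one org-level (no :owner-id).
(def personal-client  {:client-id "c1" :org-id "org-1" :owner-id "user-alice"
                       :password "s3cret-1"})
(def org-level-client {:client-id "c2" :org-id "org-1" :org-level? true
                       :password "s3cret-2"})

(defn accessible-for?
  "Stand-in for the iroh-auth function. A client is accessible when the user
  is in the same org and either owns it, or the client is org-level and the
  user is an admin of that org. Cross-org admins are always refused."
  [user client]
  (and (= (:org-id user) (:org-id client))
       (or (and (some? (:owner-id client)) (= (:owner-id client) (:id user)))
           (and (true? (:org-level? client))
                (contains? (:roles user) :admin)))))

(defn reset-secret
  "Rotate the client secret: the current one becomes :old-password and stays
  valid until now + grace-days, then only the new secret is accepted."
  [client new-password ^Instant now grace-days]
  (assoc client
         :password new-password
         :old-password (:password client)
         :old-password-valid-until (.plus now (Duration/ofDays grace-days))))

(defn secret-valid?
  "Accept the current secret, or the old one while the grace period lasts.
  Plain string equality here; a real service compares hashed secrets with a
  constant-time comparison."
  [client presented ^Instant now]
  (boolean
   (or (= presented (:password client))
       (and (some? (:old-password client))
            (= presented (:old-password client))
            (some? (:old-password-valid-until client))
            (.isBefore now ^Instant (:old-password-valid-until client))))))

(comment
  (accessible-for? alice personal-client)      ;; true: owner
  (accessible-for? org-admin personal-client)  ;; false: not org-level
  (accessible-for? org-admin org-level-client) ;; true: org admin
  (accessible-for? other-org org-level-client) ;; false: different org
  (let [t0 (Instant/parse "2022-05-02T00:00:00Z")
        c  (reset-secret org-level-client "s3cret-3" t0 14)]
    [(secret-valid? c "s3cret-2" (.plus t0 (Duration/ofDays 7)))    ;; true
     (secret-valid? c "s3cret-2" (.plus t0 (Duration/ofDays 15)))])) ;; false
```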