:PROPERTIES:
:ID:       fe9118f2-3cf1-4a9c-b97d-d5d58f9d0769
:END:
#+TITLE: IROH Auth UI Enhancements
#+Author: Yann Esposito
#+Date: [2022-04-15]

- tags :: [[id:91f33b35-6e4e-4213-b214-972ee20722df][Cisco]]
- source ::
- related :: [[id:1208f09c-d37d-4e6b-9110-151f3c6b7d34][Cisco FT SecureX Simplified Registration]]

* Registration

The new SecureX Registration page will only be visible to users without any SecureX account. So once they accept an invitation, create an org, or have an org access request accepted, this Registration page will no longer be reachable.

But from the user's perspective it makes more sense to still see this intermediate page, so that there is a place to display the list of pending invitations and matching orgs (orgs whose admins use the same email domain). So we should present this page not only during the first interaction with SecureX but also every time the user needs to select his account.

We might also take care to present this page until all invites and matching orgs are fully resolved.

More generally, the Registration Simplification Feature team replaced only the ~account-create~ page. But IROH-Auth generates HTML for the following pages:

- account-create; replaced by the Registration UI
- account-select; where a user selects his account (org) among multiple choices
- invite; page to confirm accepting the invitation
- login; login page showing all the login buttons, currently partially overwritten by SXSO via a routing rule

There are also some OAuth2-specific pages:

- application-grant; OAuth2 authorization page
- device-grant; OAuth2 Application Grant page

The fact that IROH-Auth generates these pages from the backend makes it a bit harder to update the look and feel, and a lot harder to have dynamic interactions within these pages.

** Account Selection

The first natural page to replace with the Registration UI is the account selection page.
In fact, it was discussed in detail within the FT Simplify Registration meeting how the user should see not only the invites but also the orgs he could select.

From the backend perspective, we need to add a new endpoint to the IROH Auth SPA API:

#+begin_src
/accounts
#+end_src

This endpoint should provide a list of accounts. Each account will be an object with:

- SecureX User
- SecureX Org
- A URL such that if the user goes to this URL, he will be redirected with this account selected.

Mainly, this endpoint should provide all the data we use while creating the current account selection page in the backend.

** Invite Confirmation Page

We need to think about how to replace it.

** Login Page

Already partially overwritten by an SXSO page, but this login page sometimes reappears. So work here might not even be necessary, or perhaps we could make a proper redirection powered by IROH-Auth.

Currently, no code change has been made in IROH to change this page; there is just a rule that redirects users from =/iroh/iroh-auth/login= to the SXSO-specific SecureX login page.