- OAuth authorize: pass account_did (g.device_id) in both success
and error redirects so client apps can track the device
- Magic link login: set did_auth:{device_id} in Redis so client
apps detect login even when their prompt=none cache says "no"
- Logout + SSO-logout: clear did_auth:{device_id} from Redis
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Account's authorize endpoint now supports prompt=none: returns
error=login_required redirect when user isn't logged in instead of
bouncing to interactive login. Removed /propagate endpoint since
client apps now detect auth state via prompt=none handshake.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Device cookies handle subsequent auth changes (logout/re-login),
but the initial login needs the chain to create grants on each app
and link them to device cookies. Dead apps skipped via health check.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
OAuth authorize stores device_id on grants. New /internal/check-device
endpoint lets client apps detect login/logout by checking device's
grant state + user.last_login_at. Propagation chain removed — each
app detects auth changes independently via its device cookie.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Health-check each app via internal URL before redirecting.
Dead apps are silently skipped so the chain doesn't break.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
After magic link login, account bounces through each client app's
/auth/login to establish local sessions via OAuth. Each app does its
OAuth flow (instant since account is logged in) then redirects back
to /auth/propagate for the next app in the chain.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Account creates OAuthGrant per authorization, revokes on logout.
Client apps verify grants via /auth/internal/verify-grant endpoint.
Removes iframe-based logout page.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Account is now the OAuth authorization server with magic link login,
OAuth2 authorize endpoint, SSO logout, and session management.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
