2 Commits

Author	SHA1	Message	Date
giles	6bb26522a1	Add OAuth grants for per-device session revocation ... - OAuthGrant model tracks each client authorization, tied to the account session (issuer_session) that issued it - OAuth authorize creates grant + code together - Client apps store grant_token in session, verify via account's internal /auth/internal/verify-grant endpoint (Redis-cached 60s) - Account logout revokes only grants from that device's session - Replaces iframe-based logout with server-side grant revocation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-23 12:30:08 +00:00
giles	46f44f6171	OAuth SSO infrastructure + account app support ... - OAuthCode model + migration for authorization code flow - OAuth client blueprint (auto-registered for non-federation apps) - Per-app first-party session cookies (fixes Safari ITP) - /oauth/authorize endpoint support in URL helpers - account_url() helper + Jinja global - Templates: federation_url('/auth/...') → account_url('/...') - Widget registry: account page links use account_url Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-23 09:55:27 +00:00