releases/ClaudeDo
2
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Packages Projects Releases 12 Wiki Activity

docs(online-inbox): KunsZitadel is server-side only; desktop uses an OIDC client flow

Browse Source 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
mika kuns
2026-06-10 10:02:12 +02:00
parent 1ac9ced0bd
commit 96da9fbae5
2 changed files with 22 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
docs/superpowers/specs/2026-06-10-online-inbox-design.md
View File

@@ -83,8 +83,15 @@ us:
Zitadel package reference.
`ZitadelAuthProvider` reads the refresh token from `OnlineTokenStore`, exchanges it for an
access token via the Zitadel package, caches the access token until near expiry. **Marked
with a `// TODO(online-inbox): wire <zitadel package> once client config is known.`**
access token, caches the access token until near expiry. **Marked with a
`// TODO(online-inbox)` until the flow is wired.**
> **Auth correction (2026-06-10):** the `KunsZitadel` nuget package is a *server-side*
> resource-server helper (`AddKunsZitadel` → `JwtBearer` token *validation*). It belongs on
> the VPS API, NOT the desktop. The desktop must *acquire* tokens, so `ZitadelAuthProvider`
> uses a client OIDC flow — `IdentityModel.OidcClient` (auth-code + PKCE, loopback redirect)
> or the device-authorization grant — against Zitadel's OIDC endpoints, then persists the
> refresh token via `OnlineTokenStore`.
### `OnlineSyncService` (the loop)
- Hosted only when `online_inbox.enabled == true` (guarded at registration).
@@ -100,7 +107,7 @@ with a `// TODO(online-inbox): wire <zitadel package> once client config is know
## UI (later increment, after VPS report)
- Settings modal → new "Online Inbox" section: enable toggle, API base URL, **Sign in /
Sign out** (Zitadel browser flow via the package), connection status.
Sign out** (Zitadel browser/device flow via the OIDC client lib), connection status.
- Login produces a refresh token; UI sends it to the Worker via a new hub method
`SetOnlineInboxAuth(refreshToken)` → Worker writes it through `OnlineTokenStore`.
- Config read/write via hub methods `GetOnlineInboxConfig` / `SetOnlineInboxConfig`
@@ -126,6 +133,10 @@ with a `// TODO(online-inbox): wire <zitadel package> once client config is know
## Open items (need the VPS report)
- Exact Zitadel authority / client id / scopes / OAuth flow (device-code vs auth-code+PKCE).
- Exact Zitadel authority/issuer, client id, scopes, and **which grant the Zitadel app is
registered for** (auth-code+PKCE with which loopback redirect URI, or device-code). This
drives the desktop OIDC client implementation.
- Final API base URL.
- Whether the Zitadel package is nuget (desktop) — confirm package id + API shape.
- Desktop client OIDC library decision: `IdentityModel.OidcClient` (recommended) vs
hand-rolled device-code. (`KunsZitadel` is server-side only — see the auth correction
above; it's for the VPS API.)