Why: Prove the whole Phase-1 flow end-to-end (and the flag-off parity + tenant isolation) before any canary.
Done when:
- Add OAuth2SsoLaunchIntegrationTest.java (Testcontainers Postgres + Redis), flag ON: (1) complete login for app A via /authorize/complete → capture fv_sso; (2) GET /authorize for app B (reauth_policy=silent) with ONLY the cookie → 200 + code; (3) exchange B's code at /token → tokens whose sub is pairwise-for-B and tenant_id is the user's real tenant (isolation preserved). Then flag OFF → step (2) returns action:authenticate (no silent mint).
source: docs/SSO_APP_LAUNCHER_PHASE1_PLAN.md:83
Migrated from docs/SSO_APP_LAUNCHER_PHASE1_PLAN.md (git history retains the original).
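The claim checks behind step (3), as an added example that is not part of the original plan or the project's code. It assumes the tokens returned by /token are compact JWTs; the class name, the userId parameter and the sample tokens are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper, not project code. Assumes /token returns compact JWTs.
public class SsoIsolationCheck {

    // Reads a flat string claim from the payload without verifying the signature;
    // a real test would use the project's JSON/JWT library instead of a regex.
    static String claim(String jwt, String name) {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWT");
        String json = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    // Returns every isolation failure for app B's token; empty list means step (3) passes.
    static List<String> violations(String tokenA, String tokenB, String userId, String tenantId) {
        List<String> out = new ArrayList<>();
        String subA = claim(tokenA, "sub");
        String subB = claim(tokenB, "sub");
        if (subB == null || subB.isEmpty()) {
            out.add("B token has no sub");
        } else {
            if (subB.equals(subA)) out.add("sub is shared between app A and app B");
            if (subB.equals(userId)) out.add("sub for B exposes the internal user id");
        }
        if (!tenantId.equals(claim(tokenB, "tenant_id"))) out.add("tenant_id for B is not the user's tenant");
        return out;
    }

    // Builds an unsigned, constructed sample token for the demo below.
    static String sample(String sub, String tenant) {
        String payload = "{\"sub\":\"" + sub + "\",\"tenant_id\":\"" + tenant + "\"}";
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8)) + "."
             + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".sig";
    }

    public static void main(String[] args) {
        String a = sample("pw-a-7f3c", "tenant-1");
        System.out.println(violations(a, sample("pw-b-91de", "tenant-1"), "user-42", "tenant-1"));
        System.out.println(violations(a, sample("pw-a-7f3c", "tenant-2"), "user-42", "tenant-1"));
    }
}
```

Collecting all violations rather than failing on the first one lets a single test run report a shared sub and a wrong tenant_id together.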