Add app suite use case (#3391)

* doc for app-suite use case

DocsDevREADME.md

@@ -213,6 +213,7 @@ Fruits were domesticated at different times.
 - curl
 - Docker
 - Docker Compose
+- e-commerce
 - ECMAScript
 - Elasticsearch
 - esport

astro/src/content/docs/customize/look-and-feel/index.mdx

@@ -4,7 +4,7 @@ description: Learn about theming the FusionAuth hosted login pages.
 section: customize
 subcategory: look and feel
 navOrder: 0
-tags: auth as a service
+tags: auth as a service, app suite
 ---
 import ListHostedLoginPagesUseCases from 'src/content/docs/_shared/_list-hosted-login-pages-use-cases.mdx';
 import PremiumPlanBlurbApi from 'src/content/docs/_shared/_premium-plan-blurb-api.astro';
@@ -59,13 +59,13 @@ You apply a theme by configuring either a Tenant or an Application to use the th
 
 To apply a theme to a Tenant, navigate to <Breadcrumb>Tenants -> Your Tenant</Breadcrumb>, then select the <Breadcrumb>General</Breadcrumb> tab. Select the appropriate theme and save the tenant. This will apply the theme to every application in that tenant, unless there is a theme specified for an application.
 
-<img src="/img/docs/customize/look-and-feel/apply-theme-tenant.png" alt="Apply a theme to a tenant." width="1200" role="bottom-cropped" />
+![Apply a theme to a tenant.](/img/docs/customize/look-and-feel/apply-theme-tenant.png)
 
 <PremiumPlanBlurbApi feature="application themes" />
 
 To apply a theme to an application, navigate to <Breadcrumb>Applications -> Your Application</Breadcrumb>, then select the appropriate theme.
 
-<img src="/img/docs/customize/look-and-feel/apply-theme-application.png" alt="Apply a theme to an application." width="1200" role="bottom-cropped" />
+![Apply a theme to an application.](/img/docs/customize/look-and-feel/apply-theme-application.png)
 
 ## Troubleshooting
 

astro/src/content/docs/get-started/use-cases/app-suite.mdx

@@ -0,0 +1,129 @@
+---
+title: App Suite
+description: Let your users log in once and then transparently be logged into others.
+section: get started
+subcategory: use cases
+navOrder: 20
+---
+import ApplicationSwitchDiagram from 'src/diagrams/docs/get-started/use-cases/app-suite/application-switch.astro';
+import AppSuiteDescription from 'src/content/docs/get-started/use-cases/_app-suite-description.mdx';
+import Breadcrumb from 'src/components/Breadcrumb.astro';
+import InlineField from 'src/components/InlineField.astro';
+
+## Overview
+
+<AppSuiteDescription />
+
+## Problem 
+
+You have multiple applications you want to share across a common user base.
+
+These applications may:
+
+* be hosted at different domains or under different paths
+* use SAML or OIDC for authentication
+* be custom, commercial, or open source
+* be written using different technology stacks
+
+You want to let your users log in once, and switch between applications without having to log in again. Users may or may not have different roles for each application.
+
+## Solution
+
+With the app suite use case, after the user logs in to one application, they will transparently log in to every application via the magic sauce of FusionAuth SSO. You'll also have only one customer profile to manage. You can view their login activity across the applications.
+
+## Prerequisites
+
+You have configured your application or applications to [delegate authentication to FusionAuth](/docs/get-started/use-cases/auth-service) via the Authorization Code grant and the FusionAuth hosted login pages.
+
+## Example Scenario
+
+Suppose you have a thriving e-commerce business with much clown love and with multiple end user applications:
+
+* an e-commerce store where people can buy clown costumes
+* a virtual try-on app which lets you see yourself in the outfits before you buy
+* a forum for discussion about the latest trends
+* a ticketing system for customer support
+
+Here's a diagram of an app suite as a central hub for these different applications.
+
+![Diagram of an app suite as a central hub for a number of different applications.](/img/docs/get-started/use-cases/app-suite.png)
+
+All of these use FusionAuth for their login. Each is represented by a different application and client Id, but your users transparently log in each time they switch between applications.
+
+## Actors/Components
+
+* your user and their client application (mobile app or browser)
+* two or more applications
+* FusionAuth
+
+This use case is built on cookies and redirects to FusionAuth. The redirect is typically transparent to the end user.
+
+## Implementation Steps
+
+This is a two step implementation process to ensure customers can access all the applications. Steps to take:
+
+* Ensure end users have their FusionAuth SSO session enabled when they first authenticate.
+* When a user is not logged in to a particular application, forward the user to FusionAuth. They'll be transparently logged in and delivered back to the application.
+
+### Force SSO Session Creation
+
+The easiest way to force the SSO session to be created as a user logs in is to modify the login page. You do so by modifying the theme. In the default theme, a user can check or uncheck the `rememberDevice` checkbox, labelled by default "Keep me signed in". To force creation of the SSO session, update the theme to set the `rememberDevice` parameter to `true`. Modify the `OAuth Authorize` template [using the advanced theme editor](/docs/customize/look-and-feel/advanced-theme-editor)
+
+Here's a sample FreeMarker block you can use to update the default template.
+
+```
+[@hidden name="rememberDevice" value="true"/]
+```
+
+The duration of this SSO session is controlled in the Tenant settings. You can modify it by navigating to <Breadcrumb>Tenant -> Your Tenant -> OAuth</Breadcrumb> and updating the <InlineField>Session timeout</InlineField>.
+
+### Forward Unauthenticated Users
+
+Whenever a user is not logged in and accesses an application in your app suite, forward them to the login URL for FusionAuth. As your applications are already delegating authentication to FusionAuth, use the same logic or library functions to create an authorize URL. Here's an [explanation of how to create the URL and what each component means](/docs/lifecycle/authenticate-users/oauth/endpoints#authorization-code-grant-request).
+
+Here's a diagram of a user switching between the clownwear e-commerce store and the forum.
+
+<ApplicationSwitchDiagram alt="An example of an application switch." />
+
+If a user is browsing the e-commerce store, then clicks on the forum link, they will transparently be logged in to the forum application.
+
+Their client will get a token associated with the forum application, including the roles the user has for that application and claims such as the audience claim (`aud`) set correctly. The user will be logged in to the new application, as desired.
+
+## Expected Outcome
+
+Users switch between your applications transparently and securely. 
+
+## Edge Cases
+
+SSO login works across all apps in a tenant, including those the user isn't registered for. After redirection to and from FusionAuth, the user will be authenticated, but the `applicationId` and `roles` claims will be missing from the access token. Applications must check these claims when determining whether a user is authorized for an application. [Read more about the difference between authentication and authorization](/docs/get-started/core-concepts/authentication-authorization).
+
+When your user logs out, destroy the SSO session as well as each application session. You can do that using API calls or with FusionAuth's Front-Channel logout. [Read more about logout](/docs/lifecycle/authenticate-users/logout-session-management).
+
+Any applications with [self-service registration](/docs/lifecycle/register-users/basic-registration-forms) enabled will automatically register a user with default roles when the user is redirected to the login URL for that application. 
+
+If an application only wants to allow logins from a certain identity provider or impose other conditions, you'll need extra integration work. For example, imagine there's a time tracking app for your clownwear e-commerce store that employees log in to using Google Workspace federation. You don't want customers to be able to view this application. One way you can prevent this with a [login validation lambda](/docs/extend/code/lambdas/login-validation).
+
+The functionality described in this use case only works with [FusionAuth hosted login pages](/docs/get-started/core-concepts/hosted-login-vs-api-login#hosted-login-pages). If you use the Login API, you need to build your SSO implementation.
+
+Applications may have different authentication related requirements. Examples include:
+
+* multi-factor authentication (MFA)
+* required registration fields
+* registration verification
+
+If a user logs into an application and then switches to another app with different requirements, they will be forced to satisfy the second apps' requirements. For example, suppose that an e-commerce application requires MFA and the forum application does not. If the user initially logs into the forum application and then switches to the e-commerce application, they will be prompted to complete MFA.
+
+## Other Example Scenarios
+
+Applications which share customer or user accounts are a good fit for this use case. Examples include:
+
+* Multiple affiliated online games
+* An office suite with an online word processor, spreadsheet and presentation software
+* Travel booking software, where you might have one application for booking flights, another for hotels and a third for car rental
+
+## Additional Documentation
+
+* [Single sign-on guide](/docs/lifecycle/authenticate-users/single-sign-on)
+* [Logout and session guide](/docs/lifecycle/authenticate-users/logout-session-management)
+* [Theme customization](/docs/customize/look-and-feel/)
+

astro/src/content/docs/get-started/use-cases/auth-service.mdx

@@ -3,6 +3,7 @@ title: Auth as a Service
 description: Delegate your authentication to FusionAuth.
 section: get started
 subcategory: use cases
+navOrder: 10
 ---
 import LoginBefore from 'src/diagrams/quickstarts/login-before.astro';
 import LoginAfter from 'src/diagrams/quickstarts/login-after.astro';
@@ -62,11 +63,11 @@ Here's a high level sequence diagram of the application login process after Fusi
 
 You need to do the following to integrate with FusionAuth:
 
-* Create an application configuration in FusionAuth using the admin UI or the API. This corresponds to your clown goods ecommerce store and tells FusionAuth about the login behaviors you want.
+* Create an application configuration in FusionAuth using the admin UI or the API. This corresponds to your clown goods e-commerce store and tells FusionAuth about the login behaviors you want.
 * Choose an integration method. The right option depends on your applications architecture and technology. You can use an OIDC library, one of the FusionAuth SPA SDKs ([Angular](/docs/sdks/angular-sdk), [React](/docs/sdks/react-sdk), [Vue](/docs/sdks/vue-sdk)) or mobile SDKs ([Android](/docs/sdks/android-sdk), iOS coming soon), or a compatible FusionAuth [client library](/docs/sdks).
 * Configure the integration method. The exact steps will vary, but typically includes the client Id.
 * Update your application and add a link or button to send the user to FusionAuth when they need to log in. The correct URL is displayed in the <Breadcrumb>View</Breadcrumb> screen of the application config or you can build it using the [example authorization code grant](/docs/lifecycle/authenticate-users/oauth/#example-authorization-code-grant) documentation. Some OIDC libraries can generate this URL given a client Id.
-* When your application receives tokens, the user is successfully "logged in". You should ensure that the ecommerce application considers the user logged in. What exactly that means depends on each particular application, but often involves creating a session and storing user data inside of it.
+* When your application receives tokens, the user is successfully "logged in". You should ensure that the e-commerce application considers the user logged in. What exactly that means depends on each particular application, but often involves creating a session and storing user data inside of it.
 * Take additional steps such as examining tokens for roles or sending the token to the browser as a cookie. Again, the exact next steps depend on the application.
 
 ### Updating FusionAuth Configuration

astro/src/content/docs/get-started/use-cases/authorization-hub.mdx

@@ -3,6 +3,7 @@ title: Authorization Hub
 description: Integrate with third party platforms, using FusionAuth to safely store refresh tokens.
 section: get started
 subcategory: use cases
+navOrder: 100
 ---
 import Aside from 'src/components/Aside.astro';
 import StoreRefreshTokensDiagram from 'src/diagrams/docs/get-started/use-cases/authorization-hub/store-refresh-token.astro';
@@ -42,7 +43,7 @@ This is an example of [the Third-Party Service Authorization Mode](/docs/lifecyc
 
 ## Prerequisites
 
-You have configured your application or applications to delegate authentication to FusionAuth via the Authorization Code grant and the hosted login pages.
+You have configured your application or applications to [delegate authentication to FusionAuth](/docs/get-started/use-cases/auth-service) via the Authorization Code grant and the hosted login pages.
 
 You can also implement this use case without using the hosted login pages, using the FusionAuth APIs. The API you'd use is the `Complete the Login` [Identity Provider APIs](/docs/apis/identity-providers/), but that implementation is beyond the scope of this document.
 

astro/src/content/docs/lifecycle/authenticate-users/logout-session-management.mdx

@@ -5,6 +5,7 @@ navcategory: developer
 section: lifecycle
 subcategory: authenticate users
 codeRoot: https://raw.githubusercontent.com/FusionAuth/fusionauth-example-node-centralized-sessions/main
+tags: app suite
 ---
 import AccountLogout from 'src/content/docs/lifecycle/manage-users/account-management/_account-logout.mdx';
 import Aside from 'src/components/Aside.astro';

astro/src/content/docs/lifecycle/authenticate-users/single-sign-on.mdx

@@ -5,6 +5,7 @@ navcategory: developer
 section: lifecycle
 subcategory: authenticate users
 codeRoot: https://raw.githubusercontent.com/FusionAuth/fusionauth-example-node-sso/main
+tags: app suite
 ---
 import Aside from 'src/components/Aside.astro';
 import InlineField from 'src/components/InlineField.astro';
@@ -112,19 +113,19 @@ All of these will be configured on the <Breadcrumb>OAuth</Breadcrumb> tab.
 
 Here's what the Pied Piper application might look like when properly configured:
 
-<img src="/img/docs/lifecycle/authenticate-users/add-application-docs.png" alt="Example of configured application." width="1200" />
+![Example of configured application.](/img/docs/lifecycle/authenticate-users/add-application-docs.png)
 
 Click "Save" for each application.
 
 View each application by clicking the green magnifying glass when looking at the list of applications and note the `Client Id` and `Client Secret` values:
 
-<img src="/img/docs/lifecycle/authenticate-users/application-config-docs.png" alt="Looking up the Client Id and Client Secret values." width="1200" role="bottom-cropped" />
+![Looking up the Client Id and Client Secret values.](/img/docs/lifecycle/authenticate-users/application-config-docs.png)
 
 ## Set Up The User
 
 You'll need to make sure that a FusionAuth user is registered for both applications you created. You can use the default user created when installing FusionAuth or any other user. Here's an example of what the user details of a user registered for both the Pied Piper and Hooli applications will look like:
 
-<img src="/img/docs/lifecycle/authenticate-users/user-registration-docs.png" alt="Registering a user for both applications." width="1200" role="bottom-cropped" />
+![Registering a user for both applications.](/img/docs/lifecycle/authenticate-users/user-registration-docs.png)
 
 ## Set Up The Code
 
@@ -366,7 +367,7 @@ The default behavior is to log a user out of all applications when they log out
 
 Navigate to <Breadcrumb>Applications -> Your Application -> OAuth</Breadcrumb> and configure <InlineField>Logout behavior</InlineField> to have the value `Redirect Only`.
 
-<img src="/img/docs/lifecycle/authenticate-users/application-config-logout-behavior-docs.png" alt="Configuring the logout behavior for an application." width="1200" role="top-cropped" />
+![Configuring the logout behavior for an application.](/img/docs/lifecycle/authenticate-users/application-config-logout-behavior-docs.png)
 
 ## Limitations
 

astro/src/diagrams/docs/get-started/use-cases/app-suite/application-switch.astro

@@ -0,0 +1,29 @@
+---
+import Diagram from "src/components/mermaid/SequenceDiagram.astro";
+const { alt } = Astro.props;
+
+//language=Mermaid
+const diagram = `
+sequenceDiagram
+    participant User as Logged In User/Browser
+    participant Ecommerce as E-commerce Store
+    participant Forum 
+    participant FusionAuth
+
+    User ->> Ecommerce : Request Page
+    Ecommerce ->> User : Return Page
+    User ->> Ecommerce : Click On Forum Link
+    User ->> Forum : Request Page
+    Forum ->> Forum : Attempt To Verify User
+    Forum ->> User : Redirect To FusionAuth
+    User ->> FusionAuth : Request Login Page
+    FusionAuth ->> FusionAuth : Verify User Has Active SSO Session
+    FusionAuth ->> User : Return Forum Redirect URL With Authorization Code
+    User ->> Forum : Requests Redirect URL
+    Forum ->> FusionAuth : Requests Tokens
+    FusionAuth ->> Forum : Returns Tokens
+    Forum ->> Forum : Examines Tokens, Determines User Is Logged In
+    Forum ->> User : Returns Forum Page
+`;
+---
+<Diagram code={diagram} alt={alt} />