diff --git a/docs/signin.md b/docs/signin.md
index e7368137ae..348e29cbdf 100644
--- a/docs/signin.md
+++ b/docs/signin.md
@@ -58,7 +58,7 @@ We get credential (200)
```json
{
"user_id": "@alice:matrix.org",
- "access_token": "MDAxOGxvY2F0aW9uIG1hdHREDACTEDb2l0MDgxNjptYXRyaXgub3JnCjAwMTZjaWQgdHlwZSA9IGFjY2VzcwowMDIxY2lkIG5vbmNlID0gfnYrSypfdTtkNXIuNWx1KgowMDJmc2lnbmF0dXJlIOsh1XqeAkXexh4qcofl_aR4kHJoSOWYGOhE7-ubX-DZCg",
+ "access_token": "MDAxOGxvY2F0aW9uIG1hdHREDACTEDb2l0MDgxNjptYXRyaXgub3JnCjAwMTZjaWQgdHlwZSA9IGFjY2VzcwowMDIxY2lr",
"home_server": "matrix.org",
"device_id": "GTVREDALBF",
"well_known": {
@@ -117,7 +117,7 @@ We get the credentials (200)
```json
{
"user_id": "@alice:matrix.org",
- "access_token": "MDAxOGxvY2F0aW9uIG1hdHJpeC5vcmREDACTEDZXJfaWQgPSBAYmVub2l0MDgxNjptYXRyaXgub3JnCjAwMTZjaWQgdHlwZSA9IGFjY2VzcwowMDIxY2lkIG5vbmNlID0gNjtDY0MwRlNPSFFoOC5wOgowMDJmc2lnbmF0dXJlIGiTRm1mYLLxQywxOh3qzQVT8HoEorSokEP2u-bAwtnYCg",
+ "access_token": "MDAxOGxvY2F0aW9uIG1hdHJpeC5vcmREDACTEDZXJfaWQgPSBAYmVub2l0MDgxNjptYXRyaXgub3Jnfrfdegfszsefddvf",
"home_server": "matrix.org",
"device_id": "WBSREDASND",
"well_known": {
@@ -145,12 +145,63 @@ Not supported yet in RiotX
"flows": [
{
"type": "m.login.sso"
+ },
+ {
+ "type": "m.login.token"
}
]
}
```
-In this case, the user can click on "Sign in with SSO" and the web screen will be displayed on the page `https://homeserver.with.sso/_matrix/static/client/login/` and the credentials will be passed back to the native code through the JS bridge
+In this case, the user can click on "Sign in with SSO" and the native web browser, or a ChromeCustomTab if the device supports it, will be launched on the page
+
+> https://homeserver.with.sso/_matrix/client/r0/login/sso/redirect?redirectUrl=riotx%3A%2F%2Friotx
+
+The parameter `redirectUrl` is set to `riotx://riotx`.
+
+ChromeCustomTabs are an intermediate way to display a WebPage, between a WebView and using the external browser. More info can be found [here](https://developer.chrome.com/multidevice/android/customtabs)
+
+The browser will then take care of the SSO login, which may include creating a third party account, entering an email, or any other possibility.
+
+During the process, user may be asked to validate an email by clicking on a link it contains. The link has to be opened in the browser which initiates the authentication. This is why we cannot use WebView anymore.
+
+Once the process is finished, the web page will call the `redirectUrl` with an extra parameter `loginToken`
+
+> riotx://riotx?loginToken=MDAxOWxvY2F0aW9uIG1vemlsbGEub3JnCjAwMTNpZGVudGlmaWVy
+
+This navigation is intercepted by RiotX by the `LoginActivity`, which will then ask the homeserver to convert this `loginToken` to an access token
+
+RiotX is generating a `txn_id` parameter, to avoid a replay of the request if the loginToken has been leaked.
+*Note*: for the moment RiotX does not send any `session` parameter in this request.
+
+> curl -X POST --data $'{"type":"m.login.token","token":"MDAxOWxvY2F0aW9uIG1vemlsbGEub3JnCjAwMTNpZGVudGlmaWVy","txn_id":"5114076e-40f0-477f-aa50-8ea2442d9dc1"}' 'https://homeserver.with.sso/_matrix/client/r0/login'
+
+```json
+{
+ "type": "m.login.token",
+ "token": "MDAxOWxvY2F0aW9uIG1vemlsbGEub3JnCjAwMTNpZGVudGlmaWVy",
+ "txn_id": "5114076e-40f0-477f-aa50-8ea2442d9dc1"
+}
+```
+
+We get the credentials (200)
+
+```json
+{
+ "user_id": "@alice:homeserver.with.sso",
+ "access_token": "MDAxOWxvY2F0aW9uIG1vemlsbGEub3JnCjAwMTNpZGVudGlmaWVyIGtleQowMDEwY2lkIGdlbiA9IDEKMDAyY2NpZCB1c2",
+ "home_server": "homeserver.with.sso",
+ "device_id": "DETBTVAHCH",
+ "well_known": {
+ "m.homeserver": {
+ "base_url": "https:\/\/homeserver.with.sso\/"
+ },
+ "m.identity_server": {
+ "base_url": "https:\/\/vector.im"
+ }
+ }
+}
+```
## Reset password