IBM Verify


/isam/sps/auth endpoint and cookie

    Posted Tue April 07, 2020 03:19 PM

    While implementing the OAuth Authorization Grant Code Flow a while back for a mobile application, we did not notice that after the return from the /isam/sps/auth endpoint, ISAM WRP would kill the Web Session cookie (PD-S-SESSION-ID returning empty). But it did not impact the mobile application in any way, since it no longer required the web session to be maintained.

    Now, looking back at the OAuth Authorization Grant Code Flow for a Web application, I realize that this may prove problematic. In certain cases, a "parent" calling Web Application initiates this OAuth flow and, if everything goes well, control is transferred over to the "child" Web Application referred to in the configured/requested redirect_uri. This child Web Application in turn exchanges the short-lived Authz grant code for an OAuth access token. Let's say later that it is desired to return to the "parent" Web application; I can foresee a challenge here, as the ISAM WRP session cookie was killed by the /isam/sps/auth endpoint, thus leaving the user with the need to re-authenticate to ISAM WRP.

    My use case can be summarized as follows: have a means to tell the /isam/sps/auth endpoint not to kill the Web session for cases where the calling application's web session needs to remain valid. I would like to avoid having to inject a new Web session into the browser (by means of the /session endpoint), as we would like the previous Web session to return in its original state (session).


    Of course, there could be something I am not getting right.

    Thanks



    ------------------------------
    Sylvain Gilbert
    ------------------------------