SSO Update the documentation

docs/signin.md

@@ -58,7 +58,7 @@ We get credential (200)
 ```json
 {
   "user_id": "@alice:matrix.org",
-  "access_token": "MDAxOGxvY2F0aW9uIG1hdHREDACTEDb2l0MDgxNjptYXRyaXgub3JnCjAwMTZjaWQgdHlwZSA9IGFjY2VzcwowMDIxY2lkIG5vbmNlID0gfnYrSypfdTtkNXIuNWx1KgowMDJmc2lnbmF0dXJlIOsh1XqeAkXexh4qcofl_aR4kHJoSOWYGOhE7-ubX-DZCg",
+  "access_token": "MDAxOGxvY2F0aW9uIG1hdHREDACTEDb2l0MDgxNjptYXRyaXgub3JnCjAwMTZjaWQgdHlwZSA9IGFjY2VzcwowMDIxY2lr",
   "home_server": "matrix.org",
   "device_id": "GTVREDALBF",
   "well_known": {
@@ -117,7 +117,7 @@ We get the credentials (200)
 ```json
 {
   "user_id": "@alice:matrix.org",
-  "access_token": "MDAxOGxvY2F0aW9uIG1hdHJpeC5vcmREDACTEDZXJfaWQgPSBAYmVub2l0MDgxNjptYXRyaXgub3JnCjAwMTZjaWQgdHlwZSA9IGFjY2VzcwowMDIxY2lkIG5vbmNlID0gNjtDY0MwRlNPSFFoOC5wOgowMDJmc2lnbmF0dXJlIGiTRm1mYLLxQywxOh3qzQVT8HoEorSokEP2u-bAwtnYCg",
+  "access_token": "MDAxOGxvY2F0aW9uIG1hdHJpeC5vcmREDACTEDZXJfaWQgPSBAYmVub2l0MDgxNjptYXRyaXgub3Jnfrfdegfszsefddvf",
   "home_server": "matrix.org",
   "device_id": "WBSREDASND",
   "well_known": {
@@ -145,12 +145,63 @@ Not supported yet in RiotX
   "flows": [
     {
       "type": "m.login.sso"
+    },
+    {
+      "type": "m.login.token"
     }
   ]
 }
 ```
 
-In this case, the user can click on "Sign in with SSO" and the web screen will be displayed on the page `https://homeserver.with.sso/_matrix/static/client/login/` and the credentials will be passed back to the native code through the JS bridge
+In this case, the user can click on "Sign in with SSO" and the native web browser, or a ChromeCustomTab if the device supports it, will be launched on the page
+
+> https://homeserver.with.sso/_matrix/client/r0/login/sso/redirect?redirectUrl=riotx%3A%2F%2Friotx
+
+The parameter `redirectUrl` is set to `riotx://riotx`.
+
+ChromeCustomTabs are an intermediate way to display a WebPage, between a WebView and using the external browser. More info can be found [here](https://developer.chrome.com/multidevice/android/customtabs)
+
+The browser will then take care of the SSO login, which may include creating a third party account, entering an email, or any other possibility.
+
+During the process, user may be asked to validate an email by clicking on a link it contains. The link has to be opened in the browser which initiates the authentication. This is why we cannot use WebView anymore.
+
+Once the process is finished, the web page will call the `redirectUrl` with an extra parameter `loginToken`
+
+> riotx://riotx?loginToken=MDAxOWxvY2F0aW9uIG1vemlsbGEub3JnCjAwMTNpZGVudGlmaWVy
+
+This navigation is intercepted by RiotX by the `LoginActivity`, which will then ask the homeserver to convert this `loginToken` to an access token
+
+RiotX is generating a `txn_id` parameter, to avoid a replay of the request if the loginToken has been leaked.
+*Note*: for the moment RiotX does not send any `session` parameter in this request.
+
+> curl -X POST --data $'{"type":"m.login.token","token":"MDAxOWxvY2F0aW9uIG1vemlsbGEub3JnCjAwMTNpZGVudGlmaWVy","txn_id":"5114076e-40f0-477f-aa50-8ea2442d9dc1"}' 'https://homeserver.with.sso/_matrix/client/r0/login'
+
+```json
+{
+  "type": "m.login.token",
+  "token": "MDAxOWxvY2F0aW9uIG1vemlsbGEub3JnCjAwMTNpZGVudGlmaWVy",
+  "txn_id": "5114076e-40f0-477f-aa50-8ea2442d9dc1"
+}
+```
+
+We get the credentials (200)
+
+```json
+{
+  "user_id": "@alice:homeserver.with.sso",
+  "access_token": "MDAxOWxvY2F0aW9uIG1vemlsbGEub3JnCjAwMTNpZGVudGlmaWVyIGtleQowMDEwY2lkIGdlbiA9IDEKMDAyY2NpZCB1c2",
+  "home_server": "homeserver.with.sso",
+  "device_id": "DETBTVAHCH",
+  "well_known": {
+    "m.homeserver": {
+      "base_url": "https:\/\/homeserver.with.sso\/"
+    },
+    "m.identity_server": {
+      "base_url": "https:\/\/vector.im"
+    }
+  }
+}
+```
 
 ## Reset password