Complete spec for webapp sharing #351
Description
The current spec does not have much to say about web app sharing, the protocol object has very little information in it, and the small POCs that have been done have used redirects with credentials in the URL to achieve the sharing. This is against the auth-patterns used in other parts of the spec so we need to figure this out.
For browser initiated navigation, we cannot use Bearer auth, so we would need to do a form POST with Content-Type: application/x-www-form-urlencoded[0] for auth tokens and such.
The spec now also mandates a top level url for webapps, in my mind this does not make a lot of sense. You may well have, for instance, JupyterHub running at one place, CodiMD in another and Collabora in a third, so forcing an OCM server to serve all of these from one place is a big ask. I think it may be good to replace the webapp URL with something more akin to a registry of apps in the discovery, where you can add additional information on how to access the various apps.
You may also want Jupyter notebooks to open in a new window, while CodiMD should be a redirect in the same window, and Collabora should be in an iframe using WOPI. That means we need a flexible embedMode parameter on a share that can relay such information and detail the requirements related to CORS for the sending server, so that the iframe embedding can actually work.
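
A sketch of the form POST hand-off described in the issue, as an added example that is not part of the issue or the OCM spec: the sending server renders an auto-submitting form so the token travels in the request body, and the receiving web app refuses a token that arrives in the URL. The field names `token` and `relative_path`, the function names and the `*.example` hosts are assumptions.

```javascript
// Added example; field names (token, relative_path) and URLs are assumptions, not OCM spec values.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Sending server: page that hands the browser over to the web app via form POST.
// The browser encodes the hidden fields as application/x-www-form-urlencoded.
function renderHandoffPage(appUrl, fields) {
  const target = new URL(appUrl);
  if (target.protocol !== "https:") throw new Error("web app URL must be https");
  if (target.search || target.hash) throw new Error("no parameters in the URL");
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}">`)
    .join("\n    ");
  return {
    headers: { "Cache-Control": "no-store", "Referrer-Policy": "no-referrer" },
    body: `<!doctype html>
<html><body onload="document.forms[0].submit()">
  <form method="post" action="${escapeAttr(target.href)}">
    ${inputs}
    <noscript><button type="submit">Continue</button></noscript>
  </form>
</body></html>`,
  };
}

// Receiving web app: accept the token only from a urlencoded POST body.
function readHandoff(method, requestUrl, contentType, rawBody) {
  const url = new URL(requestUrl, "https://app.example");
  if (url.searchParams.has("token")) return { ok: false, reason: "token in URL" };
  if (method !== "POST") return { ok: false, reason: "POST required" };
  const type = (contentType || "").split(";")[0].trim().toLowerCase();
  if (type !== "application/x-www-form-urlencoded") return { ok: false, reason: "wrong content type" };
  const form = new URLSearchParams(rawBody);
  const token = form.get("token");
  if (!token) return { ok: false, reason: "missing token" };
  return { ok: true, token, path: form.get("relative_path") || "/" };
}
```

Keeping the token out of the URL keeps it out of browser history, server access logs and Referer headers, which is where the redirect-based POCs would leave it.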