Decide how to securely do notifications from a Directory #42

Open
mmccool opened this issue Aug 3, 2020 · 4 comments
Labels
Security, security-tracker (Group bringing to attention of security, or tracked by the security Group but not needing response.)

Comments

@mmccool
Contributor

mmccool commented Aug 3, 2020

If we do native HTTP approaches, there might be a problem with sleeping devices. Polling is not efficient.
So a scheme like MQTT would make more sense, but we need to use a secure variant.
We could also support a scheme where the device could explicitly ask for updates (e.g., get a history of notifications it might have missed). The devices that don't use an HTTP-native notification would be expected to check in.

@mmccool
Contributor Author

mmccool commented Aug 3, 2020

Needs to work through firewalls. SSEs do. Webhooks not. Conexxus uses SSE for this use case, as well as websockets (using SSE streams). So SSE seems like the best option. But... AWS does not support SSE in lambdas. The SSE over websockets is interesting but not currently a supported subprotocol.

@mmccool
Contributor Author

mmccool commented Aug 3, 2020

Conclusion: let's use SSE. Need to implement a prototype, however.

@farshidtz
Member

Relevant issue to discuss the functional requirements: #28

@farshidtz
Member

farshidtz commented Aug 15, 2020

Added a draft PR to describe the interaction on top of SSE.

One technical limitation is that early SSE implementations (including HTML5 EventSource) do not allow setting custom headers in the initial HTTP request.

Authorization header is required in few OAuth2 flows and passing it as a query parameter is not advised:
https://tools.ietf.org/html/rfc6750#section-2.3

Because of the security weaknesses associated with the URI method
(see Section 5), including the high likelihood that the URL
containing the access token will be logged, it SHOULD NOT be used
unless it is impossible to transport the access token in the
"Authorization" request header field or the HTTP request entity-body.
Resource servers MAY support this method.

There are of course polyfills for browsers and modern libraries which allow setting Authorization header.
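
The header-based subscription discussed in this thread, as an added example that is not part of the issue or the project's code: it sends the bearer token in the Authorization header over fetch() instead of EventSource, parses the text/event-stream body, and uses the standard SSE Last-Event-ID header so a client that was asleep can ask for events it missed. The function names and the sample values are assumptions for illustration; `access_token` is the URI query parameter name from RFC 6750.

```javascript
// Added example (constructed names): token goes in the Authorization header, never the URI (RFC 6750 2.3).
function buildSseRequest(url, token, lastEventId) {
  const u = new URL(url);
  if (u.searchParams.has("access_token")) throw new Error("access token must not be in the URI");
  const headers = { Accept: "text/event-stream", Authorization: `Bearer ${token}` };
  if (lastEventId) headers["Last-Event-ID"] = lastEventId; // resume: ask for events missed while asleep
  return { url: u.toString(), init: { headers } };
}

// Incremental text/event-stream parser: feed() takes arbitrary chunks, returns complete events.
function createSseParser() {
  let buffer = "", lastEventId = "", type = "", data = [];
  return {
    get lastEventId() { return lastEventId; },
    feed(chunk) {
      const out = [];
      buffer += chunk;
      if (buffer.endsWith("\r")) return out; // may be the first half of a split "\r\n"
      const lines = buffer.split(/\r\n|\n|\r/);
      buffer = lines.pop(); // keep the trailing partial line for the next chunk
      for (const line of lines) {
        if (line === "") { // a blank line dispatches the pending event
          if (data.length) out.push({ event: type || "message", data: data.join("\n"), id: lastEventId });
          type = ""; data = [];
        } else if (!line.startsWith(":")) { // lines starting with ":" are comments/keep-alives
          const i = line.indexOf(":");
          const field = i === -1 ? line : line.slice(0, i);
          const value = i === -1 ? "" : line.slice(i + 1).replace(/^ /, "");
          if (field === "event") type = value;
          else if (field === "data") data.push(value);
          else if (field === "id" && !value.includes("\0")) lastEventId = value;
        }
      }
      return out;
    },
  };
}

async function subscribe(url, token, onEvent, lastEventId) { // fetch(), unlike EventSource, accepts custom headers
  const { url: target, init } = buildSseRequest(url, token, lastEventId);
  const res = await fetch(target, init);
  if (!res.ok) throw new Error(`subscribe failed: HTTP ${res.status}`);
  const parser = createSseParser(), decoder = new TextDecoder(), reader = res.body.getReader();
  for (;;) {
    const { done, value } = await reader.read();
    if (done) return parser.lastEventId; // pass this back in when reconnecting
    parser.feed(decoder.decode(value, { stream: true })).forEach(onEvent);
  }
}
```

Because the token never appears in the request URL, it stays out of access logs and proxy logs that record the request line.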
