Address comments on Securing Apps

Closes #27867 Signed-off-by: AndyMunro <amunro@redhat.com>
2024-03-14 05:15:58 -04:00 · 2024-03-14 05:15:58 -04:00 · e40227fa50
commit e40227fa50
parent 0e717f735e
5 changed files with 34 additions and 23 deletions
--- a/docs/documentation/securing_apps/topics/client-registration/client-registration-cli.adoc
+++ b/docs/documentation/securing_apps/topics/client-registration/client-registration-cli.adoc
@ -7,7 +7,7 @@ It is necessary to create or obtain a client configuration for any application t
 You can configure application clients from a command line with the Client Registration CLI, and you can use it in shell scripts.
-To allow a particular user to use `Client Registration CLI` the {project_name} administrator typically uses the Admin Console to configure a new user with proper roles or to configure a new client and client secret to grant access to the Client Registration REST API.
+To allow a particular user to use `Client Registration CLI`, the {project_name} administrator typically uses the Admin Console to configure a new user with proper roles or to configure a new client and client secret to grant access to the Client Registration REST API.
 [[_configuring_a_user_for_client_registration_cli]]
@ -18,8 +18,13 @@ To allow a particular user to use `Client Registration CLI` the {project_name} a
 . Log in to the Admin Console (for example, http://localhost:8080{kc_admins_path}) as [command]`admin`.
 . Select a realm to administer.
 . If you want to use an existing user, select that user to edit; otherwise, create a new user.
-. Select *Role Mappings > Client Roles > realm-management*. If you are in the master realm, select *NAME-realm*, where `NAME` is the name of the target realm. You can grant access to any other realm to users in the master realm.
+
-. Select *Available Roles > manage-client* to grant a full set of client management permissions. Another option is to choose *view-clients* for read-only or *create-client* to create new clients.
+. Select *Role Mapping*, *Assign role*. From the option list, click *Filter by clients*. In the search bar, type `manage-clients`. Select the role, or if you are in the master realm, select the one with *NAME-realm*, where `NAME` is the name of the target realm. You can grant access to any other realm to users in the master realm.
 . Click *Assign* to grant a full set of client management permissions. Another option is to choose *view-clients* for read-only or *create-client* to create new clients.
 . Select *Available Roles*, *manage-client* to grant a full set of client management permissions. Another option is to choose *view-clients* for read-only or *create-client* to create new clients.
 +
 [NOTE]
 ====
@ -28,8 +33,7 @@ These permissions grant the user the capability to perform operations without th
 It is possible to not assign any [command]`realm-management` roles to a user. In that case, a user can still log in with the Client Registration CLI but cannot use it without an Initial Access Token. Trying to perform any operations without a token results in a *403 Forbidden* error.
-The Administrator can issue Initial Access Tokens from the Admin Console through the *Realm Settings > Client Registration > Initial Access Token* menu.
+The administrator can issue Initial Access Tokens from the Admin Console in the Clients area on the *Initial Access Token* tab.
 [[_configuring_a_client_for_use_with_client_registration_cli]]
 === Configuring a client for use with the Client Registration CLI
@ -39,21 +43,25 @@ By default, the server recognizes the Client Registration CLI as the [filename]`
 .Procedure
 . Create a client (for example, [filename]`reg-cli`) if you want to use a separate client configuration for the Client Registration CLI.
-. Toggle the *Standard Flow Enabled* setting it to *Off*.
+. Uncheck *Standard Flow Enabled*.
-. Strengthen the security by configuring the client [filename]`Access Type` as [filename]`Confidential` and selecting *Credentials > ClientId and Secret*.
+. Strengthen the security by toggling *Client authentication* to *On*.
 . Choose the type of account that you want to use.
 .. If you want to use a service account associated with the client, check *Service accounts roles*.
 .. If you prefer to use a regular user account, check *Direct access grants*.
 . Click *Next*.
 . Click *Save*.
 . Click the *Credentials* tab.
 +
-[NOTE]
+Configure either [filename]`Client Id and Secret` or [filename]`Signed JWT`.
-====
+. If you are using service account roles, click the *Service Account Roles* tab.
-You can configure either [filename]`Client Id and Secret` or [filename]`Signed JWT` under the *Credentials* tab .
+
-====
+Select the roles to configure the access for the service account. For the details on what roles to select, see <<_configuring_a_user_for_client_registration_cli>>.
-. Enable service accounts if you want to use a service account associated with the client by selecting a client to edit in the *Clients* section of the `Admin Console`.
+. Click *Save*.
 .. Under *Settings*, change the *Access Type* to *Confidential*, toggle the *Service Accounts Enabled* setting to *On*, and click *Save*.
 .. Click *Service Account Roles* and select desired roles to configure the access for the service account. For the details on what roles to select, see <<_configuring_a_user_for_client_registration_cli>>.
 . Toggle the *Direct Access Grants Enabled* setting it to *On* if you want to use a regular user account instead of a service account.
 . If the client is configured as [filename]`Confidential`, provide the configured secret when running [command]`kcreg config credentials` by using the [command]`--secret` option.
 . Specify which [filename]`clientId` to use (for example, [command]`--client reg-cli`) when running [command]`kcreg config credentials`.
 . With the service account enabled, you can omit specifying the user when running [command]`kcreg config credentials` and only provide the client secret or keystore information.
 When you run the [command]`kcreg config credentials`, use the [command]`--secret` option to supply the configured secret.
 * Specify which [filename]`clientId` to use (for example, [command]`--client reg-cli`) when running [command]`kcreg config credentials`.
 * With the service account enabled, you can omit specifying the user when running [command]`kcreg config credentials` and only provide the client secret or keystore information.
 [[_installing_client_registration_cli]]
 === Installing the Client Registration CLI
--- a/docs/documentation/securing_apps/topics/oidc/fapi-support.adoc
+++ b/docs/documentation/securing_apps/topics/oidc/fapi-support.adoc
@ -29,7 +29,7 @@ When enforcing the requirements of the FAPI CIBA specification, there is a need
 ==== Open Finance Brasil Financial-grade API Security Profile
-{project_name} is compliant with the https://openfinancebrasil.atlassian.net/wiki/spaces/OF/pages/82083996/EN+Open+Finance+Brasil+Financial-grade+API+Security+Profile+1.0+Implementers+Draft+3[Open Finance Brasil Financial-grade API Security Profile 1.0 Implementers Draft 3].
+{project_name} is compliant with the https://openfinancebrasil.atlassian.net/wiki/spaces/OF/pages/245760001/EN+Open+Finance+Brasil+Financial-grade+API+Security+Profile+1.0+Implementers+Draft+3[Open Finance Brasil Financial-grade API Security Profile 1.0 Implementers Draft 3].
 This one is stricter in some requirements than the <<_fapi-support,FAPI 1 Advanced>> specification and hence it may be needed to configure link:{adminguide_link}#_client_policies[Client Policies]
 in the more strict way to enforce some of the requirements. Especially:
--- a/docs/documentation/securing_apps/topics/oidc/java/java-adapters-product.adoc
+++ b/docs/documentation/securing_apps/topics/oidc/java/java-adapters-product.adoc
@ -30,6 +30,6 @@ Spring Security provides comprehensive support for OAuth 2 and OpenID Connect. F
 https://spring.io/projects/spring-security[Spring Security documentation].
 Alternatively, for Spring Boot 2.x the Spring Boot adapter from Red Hat Single Sign-On 7.6 can be used in combination with the {project_name} server. For more information, see the
-https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/securing_applications_and_services_guide/oidc#jboss_adapter[Red Hat Single Sign-On documentation].
+https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/securing_applications_and_services_guide/oidc#spring_boot_adapter[Red Hat Single Sign-On documentation].
--- a/docs/documentation/securing_apps/topics/oidc/javascript-adapter.adoc
+++ b/docs/documentation/securing_apps/topics/oidc/javascript-adapter.adoc
@ -386,8 +386,11 @@ Options is an optional Object, where:
 * redirectUri - Specifies the uri to redirect to after login.
 * prompt - This parameter allows to slightly customize the login flow on the {project_name} server side.
-For example enforce displaying the login screen in case of value `login`. See link:{adapterguide_link}#_params_forwarding[Parameters Forwarding Section]
+For example, enforce displaying the login screen in case of value `login`.
 ifeval::[{project_community}==true]
 See the link:{adapterguide_link}#_params_forwarding[Parameters Forwarding Section]
 for the details and all the possible values of the `prompt` parameter.
 endif::[]
 * maxAge - Used just if user is already authenticated. Specifies maximum time since the authentication of user happened. If user is already authenticated for longer time than `maxAge`, the SSO is ignored and he will need to re-authenticate again.
 * loginHint - Used to pre-fill the username/email field on the login form.
 * scope - Override the scope configured in `init` with a different value for this specific login.
--- a/docs/documentation/securing_apps/topics/oidc/nodejs-adapter.adoc
+++ b/docs/documentation/securing_apps/topics/oidc/nodejs-adapter.adoc
@ -10,11 +10,11 @@ endif::[]
 To use the Node.js adapter, first you must create a client for your application in the {project_name} Admin Console. The adapter supports public, confidential, and bearer-only access type. Which one to choose depends on the use-case scenario.
-Once the client is created click the `Installation` tab, select `{project_name} OIDC JSON` for `Format Option`, and then click `Download`. The downloaded `keycloak.json` file should be at the root folder of your project.
+Once the client is created, click *Action* at the top right and choose *Download adapter config*. For *Format, choose *Keycloak OIDC JSON* and click *Download*. The downloaded `keycloak.json` file is at the root folder of your project.
 ==== Installation
-Assuming you've already installed https://nodejs.org[Node.js], create a folder for your application:
+Assuming you have already installed https://nodejs.org[Node.js], create a folder for your application:
    mkdir myapp && cd myapp