[docs-only]Document ocis as a IDP (#7452)

Co-authored-by: Phil Davis <[email protected]>
Co-authored-by: Artur Neumann <[email protected]>
Co-authored-by: Martin <[email protected]>

apis/grpc_apis/ocis/messages/eventhistory/v0/grpc.md

@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.eventhistory.v0"
 url: /apis/grpc_apis/ocis_messages_eventhistory_v0
-date: 2023-10-31T06:34:25Z
+date: 2023-10-31T08:09:13Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

apis/grpc_apis/ocis/messages/policies/v0/grpc.md

@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.policies.v0"
 url: /apis/grpc_apis/ocis_messages_policies_v0
-date: 2023-10-31T06:34:25Z
+date: 2023-10-31T08:09:13Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

apis/grpc_apis/ocis/messages/search/v0/grpc.md

@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.search.v0"
 url: /apis/grpc_apis/ocis_messages_search_v0
-date: 2023-10-31T06:34:25Z
+date: 2023-10-31T08:09:13Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

apis/grpc_apis/ocis/messages/settings/v0/grpc.md

@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.settings.v0"
 url: /apis/grpc_apis/ocis_messages_settings_v0
-date: 2023-10-31T06:34:25Z
+date: 2023-10-31T08:09:13Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

apis/grpc_apis/ocis/messages/store/v0/grpc.md

@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.store.v0"
 url: /apis/grpc_apis/ocis_messages_store_v0
-date: 2023-10-31T06:34:25Z
+date: 2023-10-31T08:09:13Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

apis/grpc_apis/ocis/messages/thumbnails/v0/grpc.md

@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.thumbnails.v0"
 url: /apis/grpc_apis/ocis_messages_thumbnails_v0
-date: 2023-10-31T06:34:25Z
+date: 2023-10-31T08:09:13Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

apis/grpc_apis/ocis/services/eventhistory/v0/grpc.md

@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.eventhistory.v0"
 url: /apis/grpc_apis/ocis_services_eventhistory_v0
-date: 2023-10-31T06:34:25Z
+date: 2023-10-31T08:09:13Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

apis/grpc_apis/ocis/services/policies/v0/grpc.md

@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.policies.v0"
 url: /apis/grpc_apis/ocis_services_policies_v0
-date: 2023-10-31T06:34:25Z
+date: 2023-10-31T08:09:13Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

apis/grpc_apis/ocis/services/search/v0/grpc.md

@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.search.v0"
 url: /apis/grpc_apis/ocis_services_search_v0
-date: 2023-10-31T06:34:25Z
+date: 2023-10-31T08:09:13Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

apis/grpc_apis/ocis/services/settings/v0/grpc.md

@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.settings.v0"
 url: /apis/grpc_apis/ocis_services_settings_v0
-date: 2023-10-31T06:34:25Z
+date: 2023-10-31T08:09:13Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

apis/grpc_apis/ocis/services/store/v0/grpc.md

@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.store.v0"
 url: /apis/grpc_apis/ocis_services_store_v0
-date: 2023-10-31T06:34:25Z
+date: 2023-10-31T08:09:13Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

apis/grpc_apis/ocis/services/thumbnails/v0/grpc.md

@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.thumbnails.v0"
 url: /apis/grpc_apis/ocis_services_thumbnails_v0
-date: 2023-10-31T06:34:25Z
+date: 2023-10-31T08:09:13Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

apis/http/authorization.md

@@ -0,0 +1,142 @@
+---
+title: Authorization
+weight: 40
+geekdocRepo: https://github.com/owncloud/ocis
+geekdocEditPath: edit/master/docs/apis/http/
+geekdocFilePath: authorization.md
+---
+
+In its default configuration, Infinite Scale supports three authentication methods as outlined on the [OIDC official site](https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3):
+1. Authorization Code Flow
+2. Implicit Flow
+3. Hybrid Flow
+
+For detailed information on Infinite Scale's support for OpenID Connect (OIDC), please consult the [OIDC section](../../ocis/identity-provider/oidc.md).
+To authenticate a client app using OIDC, both `client_id` and `client_secret` are essential. Infinite Scale does not offer dynamic registration. The required data for the default [ownCloud clients](https://doc.owncloud.com/server/next/admin_manual/configuration/user/oidc/oidc.html#client-ids-secrets-and-redirect-uris) can be found in the link and are availble for the following apps:
+- Desktop
+- Android
+- iOS
+
+While selecting an ownCloud client for authentication, take note of specific limitations such as the `Redirect URI`:
+
+| Source | Redirect URI |
+|------|--------|
+|Android|oc://android.owncloud.com|
+|iOS|oc://ios.owncloud.com|
+|Desktop|http://127.0.0.1 <br> http://localhost |
+
+In this example, the desktop app's `client_id` and `client_secret` are being used.
+
+```bash
+client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
+client_secret=UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
+```
+
+## Authorization Code Flow
+
+1. Requesting authorization
+
+   To initiate the OIDC Code Flow, you can use tools like curl and a web browser.
+   The user should be directed to a URL to authenticate and give their consent (bypassing consent is against the standard):
+
+    ```plaintext
+    https://ocis.test/signin/v1/identifier/_/authorize?client_id=client_id&scope=openid+profile+email+offline_access&response_type=code&redirect_uri=http://path-to-redirect-uri
+    ```
+
+    After a successful authentication, the browser will redirect to a URL that looks like this:
+
+    ```plaintext
+    http://path-to-redirect-uri?code=mfWsjEL0mc8gx0ftF9LFkGb__uFykaBw&scope=openid%20profile%20email%20offline_access&session_state=32b08dd...&state=
+    ```
+
+    For the next step extract the code from the URL.
+
+    In the above example,
+    the code is `mfWsjEL0mc8gx0ftF9LFkGb__uFykaBw`
+
+2. Requesting an access token
+
+   The next step in the OIDC Code Flow involves an HTTP POST request
+   to the token endpoint of the **Infinite Scale Identity Server**.
+
+    ```bash
+    curl -vk -X POST https://ocis.test/konnect/v1/token \
+    -d "grant_type=authorization_code" \
+    -d "code=3a3PTcO-WWXfN3l1mDN4u7G5PzWFxatU" \
+    -d "redirect_uri=http:path-to-redirect-uri" \
+    -d "client_id=client_id" \
+    -d "client_secret=client_secret"
+    ```
+
+   Response looks like this:
+    ```json
+    {
+    "access_token": "eyJhbGciOid...",
+    "token_type": "Bearer",
+    "id_token": "eyJhbGciOi...",
+    "refresh_token": "eyJhbGciOiJ...",
+    "expires_in": 300
+    }
+    ```
+
+3. Refreshing an access token
+
+   If the access token has expired, you can get a new one using the refresh token.
+    ```bash
+    curl -vk -X POST https://ocis.test/konnect/v1/token \
+    -d "grant_type=refresh_token" \
+    -d "refresh_token=eyJhbGciOiJ..." \
+    -d "redirect_uri=http://path-to-redirect-uri" \
+    -d "client_id=client_id" \
+    -d "client_secret=client_secret"
+    ```
+
+   Response looks like this:
+    ```json
+    {
+    "access_token": "eyJhbGciOi...",
+    "token_type": "Bearer",
+    "expires_in": 300
+    }
+    ```
+
+## Implicit Code Flow
+
+When using the implicit flow, tokens are provided in a URI fragment of the redirect URL.
+Valid values for the `response_type` request parameter are:
+
+- token
+- id_token token
+
+{{< hint type=warning title="Important Warning" >}}
+If you are using the implicit flow, `nonce` parameter is required in the initial `/authorize` request.
+`nonce=pL3UkpAQPZ8bTMGYOmxHY/dQABin8yrqipZ7iN0PY18=`
+
+bash command to generate cryptographically random value
+```bash
+openssl rand -base64 32
+```
+{{< /hint >}}
+
+The user should be directed to a URL to authenticate and give their consent (bypassing consent is against the standard):
+```bash
+https://ocis.test/signin/v1/identifier/_/authorize?client_id=client_id&scope=openid+profile+email+offline_access&response_type=id_token+token&redirect_uri=http://path-to-redirect-uri&nonce=pL3UkpAQPZ8bTMGYOmxHY/dQABin8yrqipZ7iN0PY18=
+ ```
+
+After a successful authentication, the browser will redirect to a URL that looks like this:
+```bash
+http://path-to-redirect-uri#access_token=eyJhbGciOiJQUzI...&expires_in=300&id_token=eyJhbGciOiJ...&scope=email%20openid%20profile&session_state=c8a1019f5e054d...&state=&token_type=Bearer
+```
+
+For the next step, extract the access_token from the URL.
+```bash
+access_token = 'eyJhbGciOiJQ...'
+ ```
+
+## Hybrid Flow
+The Hybrid Flow in OpenID Connect melds features from both the Implicit and Authorization Code flows. It allows clients to directly retrieve certain tokens from the Authorization Endpoint, yet also offers the option to acquire additional tokens from the Token Endpoint.
+
+The Authorization Server redirects back to the client with appropriate parameters in the response, based on the value of the response_type request parameter:
+- code token
+- code id_token
+- code id_token token

helpers/extended_vars.yaml

@@ -40,7 +40,7 @@ variables:
   default_value: ""
   description: 'Go micro registry type to use. Supported types are: ''nats'', ''kubernetes'',
     ''etcd'', ''consul'', ''memory'' and ''mdns''. Will be selected automatically.
-    Only change on supervision of ownCloud Support.'
+    Only change under supervision of ownCloud Support.'
   do_ignore: false
 - rawname: registryAddressEnv
   path: ocis-pkg/registry/registry.go:42

ocis/identity-provider/oidc.md

@@ -0,0 +1,106 @@
+---
+title: "OIDC"
+date: 2023-10-10T00:00:00+00:00
+weight: 21
+geekdocRepo: https://github.com/owncloud/ocis
+geekdocEditPath: edit/master/docs/ocis/identity-provider
+geekdocFilePath: oidc.md
+geekdocCollapseSection: true
+---
+
+Infinite Scale has implemented OpenID Connect (OIDC) for authentication.
+OIDC defines a discovery mechanism, called OpenID Connect Discovery,
+where an OpenID server publishes its metadata at a well-known URL, typically:
+
+`https://ocis.test/.well-known/openid-configuration`
+
+This URL returns a JSON listing of the OpenID/OAuth endpoints, supported scopes and claims, public keys used to sign the tokens, and other details.
+The clients can use this information to construct a request to the OpenID server.
+The field names and values are defined in the [OpenID Connect Discovery Specification](https://openid.net/specs/openid-connect-discovery-1_0.html).
+Here is an example of data returned:
+```json
+{
+  "issuer": "https://ocis.test",
+  "authorization_endpoint": "https://ocis.test/signin/v1/identifier/_/authorize",
+  "token_endpoint": "https://ocis.test/konnect/v1/token",
+  "userinfo_endpoint": "https://ocis.test/konnect/v1/userinfo",
+  "end_session_endpoint": "https://ocis.test/signin/v1/identifier/_/endsession",
+  "check_session_iframe": "https://ocis.test/konnect/v1/session/check-session.html",
+  "jwks_uri": "https://ocis.test/konnect/v1/jwks.json",
+  "scopes_supported": [
+    "openid",
+    "offline_access",
+    "profile",
+    "email",
+    "LibgreGraph.UUID",
+    "LibreGraph.RawSub"
+  ],
+  "response_types_supported": [
+    "id_token token",
+    "id_token",
+    "code id_token",
+    "code id_token token"
+  ],
+  "subject_types_supported": [
+    "public"
+  ],
+  "id_token_signing_alg_values_supported": [
+    "RS256",
+    "RS384",
+    "RS512",
+    "PS256",
+    "PS384",
+    "PS512"
+  ],
+  "userinfo_signing_alg_values_supported": [
+    "RS256",
+    "RS384",
+    "RS512",
+    "PS256",
+    "PS384",
+    "PS512"
+  ],
+  "request_object_signing_alg_values_supported": [
+    "ES256",
+    "ES384",
+    "ES512",
+    "RS256",
+    "RS384",
+    "RS512",
+    "PS256",
+    "PS384",
+    "PS512",
+    "none",
+    "EdDSA"
+  ],
+  "token_endpoint_auth_methods_supported": [
+    "client_secret_basic",
+    "none"
+  ],
+  "token_endpoint_auth_signing_alg_values_supported": [
+    "RS256",
+    "RS384",
+    "RS512",
+    "PS256",
+    "PS384",
+    "PS512"
+  ],
+  "claims_parameter_supported": true,
+  "claims_supported": [
+    "iss",
+    "sub",
+    "aud",
+    "exp",
+    "iat",
+    "name",
+    "family_name",
+    "given_name",
+    "email",
+    "email_verified"
+  ],
+  "request_parameter_supported": true,
+  "request_uri_parameter_supported": false
+}
+```
+
+Refer to the [Authorization](../../apis/http/authorization.md) section for example usages and details.

services/_includes/adoc/antivirus_configvars.adoc

@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2023-10-31-06-34-43]
+[#deprecation-note-2023-10-31-08-09-29]
 [caption=]
 .Deprecation notes for the antivirus service
 [width="100%",cols="~,~,~,~",options="header"]

services/_includes/adoc/app-provider_configvars.adoc

@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2023-10-31-06-34-43]
+[#deprecation-note-2023-10-31-08-09-29]
 [caption=]
 .Deprecation notes for the app-provider service
 [width="100%",cols="~,~,~,~",options="header"]

services/_includes/adoc/app-registry_configvars.adoc

@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2023-10-31-06-34-43]
+[#deprecation-note-2023-10-31-08-09-29]
 [caption=]
 .Deprecation notes for the app-registry service
 [width="100%",cols="~,~,~,~",options="header"]