BZ-1694825: Adjusted the configuration details of the OAuth server.

Author: huffmanca

authentication/configuring-internal-oauth.adoc

@@ -18,7 +18,7 @@ include::modules/oauth-internal-options.adoc[leveloffset=+1]
 
 include::modules/oauth-configuring-internal-oauth.adoc[leveloffset=+1]
 
-include::modules/oauth-register-additional-server.adoc[leveloffset=+1]
+include::modules/oauth-register-additional-client.adoc[leveloffset=+1]
 
 include::modules/oauth-server-metadata.adoc[leveloffset=+1]
 

modules/oauth-configuring-internal-oauth.adoc

@@ -5,52 +5,11 @@
 [id="oauth-configuring-internal-oauth-{context}"]
 = Configuring options for the internal OAuth server
 
-You can configure default options for the internal OAuth server's session,
-session secrets, token duration, and grant options.
+You can configure default options for the internal OAuth server's 
+token duration.
 
 .Procedure
 
-. Create the OAuth session secret file:
-+
-[source,yaml]
-----
-apiVersion: v1
-kind: SessionSecrets
-secrets: <1>
-- authentication: "..." <2>
-  encryption: "..." <3>
-- authentication: "..."
-  encryption: "..."
-...
-----
-<1> List of secrets used to authenticate and encrypt cookie sessions. Specify
-at least one secret. Each secret must set an authentication and
-encryption secret.
-<2> Signing secret, used to authenticate sessions using HMAC. Recommended to use
-a secret with 32 or 64 bytes.
-<3> Encrypting secret, used to encrypt sessions. Must be 16, 24, or 32
-characters long, to select AES-128, AES-192, or AES-256.
-
-
-. Set the session options:
-+
-[source,yaml]
-----
-oauthConfig:
-  ...
-  sessionConfig:
-    sessionMaxAgeSeconds: 300 <1>
-    sessionName: ssn <2>
-    sessionSecretsFile: "..." <3>
-----
-<1> Controls the maximum age of a session; sessions auto-expire once a token
-request is complete. If the `auto-grant` grant option is not enabled for the cluster, sessions
-must last as long as the user is expected to take to approve or reject a client
-authorization request.
-<2> Name of the cookie used to store the session.
-<3> File name containing serialized `SessionSecrets` object. If empty, a
-random signing and encryption secret is generated at each server start.
-
 . Set the token duration options:
 +
 [source,yaml]
@@ -59,22 +18,6 @@ oauthConfig:
   ...
   tokenConfig:
     accessTokenMaxAgeSeconds: 86400 <1>
-    authorizeTokenMaxAgeSeconds: 300 <2>
 ----
 <1> Set `accessTokenMaxAgeSeconds` to control the lifetime of access tokens.
 The default lifetime is 24 hours, or 86400 seconds.
-<2> Set `authorizeTokenMaxAgeSeconds` to control the lifetime of authorize
-codes. The default lifetime is five minutes, or 300 seconds.
-
-. Set the grant options:
-+
-[source,yaml]
-----
-oauthConfig:
-  ...
-  grantConfig:
-    method: auto <1>
-----
-<1> Specify the grant option: `auto` to automatically approve the grant and
-retry the request, `prompt` to prompt the user to approve or deny the grant, or
-`deny` to deny the grant and return a failure error to the client.

modules/oauth-internal-options.adoc

@@ -36,22 +36,3 @@ methods:
 `auto`:: Auto-approve the grant and retry the request.
 `prompt`:: Prompt the user to approve or deny the grant.
 `deny`:: Auto-deny the grant and return a failure error to the client.
-
-[id="oauth-session-options-{context}"]
-== OAuth session options
-
-The OAuth server uses a signed and encrypted cookie-based session during login
-and redirect flows. You can configure how long each session lasts and which
-secrets file to use for the session. With this file, you separate secret values
-from the configuration file and retain the ability to distribute the secrets,
-if required for debugging
-
-If you do not create this `sessionSecretsFile` file, a random signing and encryption
-secret is generated at each start of the master server. This means that any
-login attempts in progress have their sessions invalidated if the master is
-restarted. It also means they cannot decode sessions generated by one of the other masters.
-
-You can specify multiple secrets can be specified in the `sessionSecretsFile` to enable
-rotation. New sessions are signed and encrypted using the first secret in the
-list. Existing sessions are decrypted and authenticated by each secret until one
-succeeds.

modules/oauth-register-additional-server.adoc renamed to modules/oauth-register-additional-client.adoc

@@ -2,10 +2,10 @@
 //
 // * authentication/configuring-internal-oauth.adoc
 
-[id="oauth-register-additional-server-{context}"]
-= Register an additional OAuth server
+[id="oauth-register-additional-client-{context}"]
+= Register an additional OAuth client
 
-If you need an additional OAuth server to manage authentication for your
+If you need an additional OAuth client to manage authentication for your
 {product-title} cluster, you can register one.
 
 .Procedure

modules/oauth-server-metadata.adoc

@@ -5,19 +5,19 @@
 [id="oauth-server-metadata-{context}"]
 = OAuth server metadata
 
-Applications running in {product-title} may need to discover information about
-the built-in OAuth server. For example, they might need to discover what the
-address of the `<master>` server is without manual configuration.  To aid in
-this, {product-title} implements the IETF
+Applications running in {product-title} may need to discover information 
+about the built-in OAuth server. For example, they might need to discover 
+what the address of the `<namespace_route>` is without manual 
+configuration.  To aid in this, {product-title} implements the IETF
 link:https://tools.ietf.org/html/draft-ietf-oauth-discovery-10[OAuth 2.0 Authorization Server Metadata] draft specification.
 
-Thus, any application running inside the cluster can issue a `GET` request to
-*_\https://openshift.default.svc/.well-known/oauth-authorization-server_* to fetch
-the following information:
+Thus, any application running inside the cluster can issue a `GET` request 
+to *_\https://openshift.default.svc/.well-known/oauth-authorization-server_*
+to fetch the following information:
 
 ----
 {
-  "issuer": "https://<master>", <1>
+  "issuer": "https://<namespace_route>", <1>
   "authorization_endpoint": "https://<namespace_route>/oauth/authorize", <2>
   "token_endpoint": "https://<namespace_route>/oauth/token", <3>
   "scopes_supported": [ <4>