deploy: EGI-Federation/documentation@856e744

providers/check-in/index.xml

@@ -547,8 +547,12 @@ integration with the <strong>development</strong> instance of Check-in. In
 development instance service requests can be self-reviewed without the need
 to wait for approval from an administrator. As with the demo instance, the
 development instance allows for testing authentication and authorisation
-without affecting the production Check-in service. <strong>NB: the list of
-supported Identity Providers in the development instance is limited.
+without affecting the production Check-in service. <strong>NB: The development
+environment is intended for testing the latest features of Check-in and
+may differ from the demo and production environments in terms of stability
+and functionality.
+Keep in mind that the supported Identity Providers in the development
+instance are limited.
 Therefore, we recommend using any of the social identity providers or the
 <a href="https://sso.egi.eu/admin/">EGI SSO</a> to test the login workflow when using
 the development instance.</strong></li>
@@ -2285,114 +2289,7 @@ setup earlier:</p>
 </span></span><span style="display:flex;"><span><span style="color:#000">$manageTokens</span> <span style="color:#ce5c00;font-weight:bold">=</span> <span style="color:#000">$issuer</span> <span style="color:#ce5c00;font-weight:bold">.</span> <span style="color:#4e9a06">"manage/user/services"</span><span style="color:#000;font-weight:bold">;</span>
 </span></span><span style="display:flex;"><span><span style="color:#000">$sessionName</span> <span style="color:#ce5c00;font-weight:bold">=</span> <span style="color:#4e9a06">"simple-oidc-client-php"</span><span style="color:#000;font-weight:bold">;</span>
 </span></span><span style="display:flex;"><span><span style="color:#000">$sessionLifetime</span> <span style="color:#ce5c00;font-weight:bold">=</span> <span style="color:#0000cf;font-weight:bold">60</span><span style="color:#ce5c00;font-weight:bold">*</span><span style="color:#0000cf;font-weight:bold">60</span><span style="color:#000;font-weight:bold">;</span> <span style="color:#8f5902;font-style:italic">// must be equal to access token validation time in seconds
-</span></span></span></code></pre></div><h3 id="client-migration-to-keycloak">Client Migration to Keycloak</h3>
-<p>The migration guide below applies to OIDC clients registered in the
-<strong>Development</strong>, <strong>Demo</strong> and <strong>Production</strong> environments of Check-in.</p>
-<p><strong>Development and Demo</strong>: Beginning June 24, 2022, clients using the legacy
-Check-in OIDC endpoints will no longer be supported.</p>
-<p><strong>Production</strong>: Beginning October 21, 2022, clients using the legacy Check-in
-OIDC endpoints will no longer be supported.</p>
-<div class="alert alert-info" role="alert">
-<h4 class="alert-heading">Note</h4>
-For OpenStack Services please read the
-OpenStack specific migration guide on
-<a href="../../cloud-compute/openstack/aai.md#client-migration-to-keycloak">Cloud Compute documentation</a>.
-</div>
-<h4 id="how-to-migrate-your-service-to-keycloak-1">How to Migrate your Service to Keycloak</h4>
-<p>All the clients that were registered in MITREid Connect have been moved to
-Keycloak preserving all the options (Client ID, Client Secret, Redirect URIs
-etc.), so you do not need to re-register your Service.</p>
-<h5 id="new-endpoints">New Endpoints</h5>
-<p>The first thing you need to do is to update the OIDC endpoints according to the
-<a href="#endpoints">Endpoints</a> table. If the Application/Library supports Dynamic
-Discovery, then you need to update on the <code>issuer</code>. Otherwise, you need to
-update all the Endpoints separately.</p>
-<h5 id="size-of-the-tokens">Size of the Tokens</h5>
-<p>The size of the Access/Refresh Tokens that are issued by Keycloak is larger of
-the respective Tokens created by MITREid Connect. For example, the size of an
-Access Token is around 1400 characters, depending on the information that are
-included in the payload of the JWT. So make sure that your OIDC implementation
-can handle larger Tokens.</p>
-<h5 id="logout">Logout</h5>
-<p>The Redirect URI query parameter in the logout request has been changed from
-<code>redirect</code> to <code>post_logout_redirect_uri</code> and must be URL encoded. Also, the
-value of the <code>post_logout_redirect_uri</code> must be defined in the <strong>Valid Redirect
-URIs</strong> of the Service configuration in the EGI Federation Registry.</p>
-<h5 id="token-introspection">Token Introspection</h5>
-<p>The Token Introspection is available to all the clients that are using any
-authentication method (<code>client_secret_basic</code>, <code>client_secret_post</code>,
-<code>client_secret_jwt</code> or <code>private_key_jwt</code>) (Confidential Clients) to the Token
-Endpoint. Public Clients (clients that do not use any authentication method)
-will not be able to get a successful response from the Introspection Endpoint.
-Saying that, the “Introspection” option in the EGI Federation Registry will be
-removed.</p>
-<h5 id="pkce">PKCE</h5>
-<p>If you are <strong>not</strong> using PKCE (Proof Key for Code Exchange), please make sure to
-<strong>disable</strong> the “PKCE Code Challenge Method” in the Service configuration in
-<a href="https://aai.egi.eu/federation">EGI Federation Registry</a>, otherwise you will get
-the following HTTP response during the authentication flow:</p>
-<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-http" data-lang="http"><span style="display:flex;"><span><span style="color:#a40000">error=invalid_request&error_description=Missing parameter: code_challenge_method
-</span></span></span></code></pre></div><h5 id="device-code-grant">Device Code Grant</h5>
-<p>If you are using a confidential client with the Device Code grant, please make
-sure that the <code>client_secret</code> is present in the request to the Device Code
-Endpoint either as HTTP Basic or HTTP POST parameter (see
-<a href="#1-device-authorization-request">Device Authorization Request</a>).</p>
-<h5 id="token-exchange-grant">Token Exchange Grant</h5>
-<p>If you are using the Token Exchange grant, please make sure that the <code>audience</code>
-(Optional) defines the logical name of the service that the token will be used
-for; when specified, it must match the client ID of a client registered in
-Check-in otherwise an <code>invalid_client</code> error is returned
-(<code>"description": "audience not found"</code>)</p>
-<h5 id="client-credentials-grant">Client Credentials Grant</h5>
-<p>If you are using the Client Credentials grant, there is a minor change in the
-responses from UserInfo and Introspection Endpoints. The <strong>Client ID</strong> of the
-client is <strong>not</strong> released as the <code>sub</code> claim any more and has replaced with by
-the <code>client_id</code> claim. The <code>sub</code> contains the identifier of the client which is
-unique, non-reassignable and scoped <code>@egi.eu</code>.</p>
-<h5 id="obtain-refresh-tokens">Obtain Refresh Tokens</h5>
-<p>If you have obtained an Refresh Token from EGI Check-in Token Portal or
-oidc-agent issued by the MITREid Connect instance, you will need to replace them
-by creating new Refresh Tokens issued by Keycloak.</p>
-<ul>
-<li>
-<p>If you have obtained Refresh Tokens using the EGI Check-in Token Portal,
-please check the following table:</p>
-<table>
-<thead>
-<tr>
-<th>Environment</th>
-<th>URL</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td>Production</td>
-<td><a href="https://aai.egi.eu/token">https://aai.egi.eu/token</a></td>
-</tr>
-<tr>
-<td>Demo</td>
-<td><a href="https://aai-demo.egi.eu/token">https://aai-demo.egi.eu/token</a></td>
-</tr>
-<tr>
-<td>Development</td>
-<td><a href="https://aai-dev.egi.eu/token">https://aai-dev.egi.eu/token</a></td>
-</tr>
-</tbody>
-</table>
-</li>
-<li>
-<p>If you have obtained Refresh Tokens using the oidc-agent, please use the
-following command:</p>
-<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ oidc-gen --pub --issuer <ISSUER> --scope ...
-</span></span></code></pre></div>
-<div class="alert alert-info" role="alert">
-<h4 class="alert-heading">Note</h4>
-You can find the <code>ISSUER</code> in the
-<a href="#endpoints">Endpoints</a> table.
-</div>
-</li>
-</ul>
-<h4 id="common-issues">Common issues</h4>
+</span></span></span></code></pre></div><h4 id="common-issues">Common issues</h4>
 <h5 id="error-messages-referring-to-missing-code_challenge-code_challenge_method-or-code_verifier-http-parameter">Error messages referring to missing <code>code_challenge</code>, <code>code_challenge_method</code> or <code>code_verifier</code> HTTP parameter</h5>
 <p>If you get error messages containing the PKCE HTTP parameters, probably the PKCE
 mode is enabled in your Service Configuration but the Application is not
@@ -2448,31 +2345,58 @@ in the vhost configuration:</p>
 <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#204a87;font-weight:bold">proxy_buffers</span> <span style="color:#0000cf;font-weight:bold">4</span> <span style="color:#0000cf;font-weight:bold">256k</span><span style="color:#000;font-weight:bold">;</span>
 </span></span><span style="display:flex;"><span><span style="color:#204a87;font-weight:bold">proxy_buffer_size</span> <span style="color:#0000cf;font-weight:bold">128k</span><span style="color:#000;font-weight:bold">;</span>
 </span></span><span style="display:flex;"><span><span style="color:#204a87;font-weight:bold">proxy_busy_buffers_size</span> <span style="color:#0000cf;font-weight:bold">256k</span><span style="color:#000;font-weight:bold">;</span>
-</span></span></code></pre></div><h2 id="integrating-science-gateways-with-rcauth-for-obtaining-proxy-certificates">Integrating Science Gateways with RCauth for obtaining (proxy) certificates</h2>
+</span></span></code></pre></div><h5 id="size-of-the-tokens">Size of the Tokens</h5>
+<p>The size of an Access Token is around 1400 characters, depending on the
+information (claims) included in the payload of the JWT. So make sure that
+your OIDC implementation can handle large Tokens.</p>
+<h5 id="token-introspection-errors">Token Introspection errors</h5>
+<p>The Token Introspection is available to all the clients that are using any
+authentication method (<code>client_secret_basic</code>, <code>client_secret_post</code>,
+<code>client_secret_jwt</code> or <code>private_key_jwt</code>) (Confidential Clients) to the Token
+Endpoint. Public Clients (clients that do not use any authentication method)
+will not be able to get a successful response from the Introspection Endpoint.</p>
+<h5 id="pkce-errors">PKCE errors</h5>
+<p>If you are <strong>not</strong> using PKCE (Proof Key for Code Exchange), please make sure to
+<strong>disable</strong> the “PKCE Code Challenge Method” in the Service configuration in
+<a href="https://aai.egi.eu/federation">EGI Federation Registry</a>, otherwise you will get
+the following HTTP response during the authentication flow:</p>
+<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-http" data-lang="http"><span style="display:flex;"><span><span style="color:#a40000">error=invalid_request&error_description=Missing parameter: code_challenge_method
+</span></span></span></code></pre></div><h5 id="device-code-grant">Device Code Grant</h5>
+<p>If you are using a confidential client with the Device Code grant, please make
+sure that the <code>client_secret</code> is present in the request to the Device Code
+Endpoint either as HTTP Basic or HTTP POST parameter (see
+<a href="#1-device-authorization-request">Device Authorization Request</a>).</p>
+<h5 id="token-exchange-grant">Token Exchange Grant</h5>
+<p>If you are using the Token Exchange grant, please make sure that the <code>audience</code>
+(Optional) defines the logical name of the service that the token will be used
+for; when specified, it must match the client ID of a client registered in
+Check-in otherwise an <code>invalid_client</code> error is returned
+(<code>"description": "audience not found"</code>)</p>
+<h2 id="integrating-science-gateways-with-rcauth-for-obtaining-proxy-certificates">Integrating Science Gateways with RCauth for obtaining (proxy) certificates</h2>
 <p>In order for Science Gateways (VO portals) to obtain RFC proxy certificates
 derived from <strong>personal</strong> end-entity certificates, an EGI Science Gateway can
 make use of the IGTF-approved IOTA-type RCauth.eu online CA. The actual
 integration goes via an intermediary service, called a Master Portal. EGI is
 running two Master Portal instances, one development, one production instance.</p>
-<ul class="nav nav-tabs" id="tabs-28" role="tablist">
+<ul class="nav nav-tabs" id="tabs-26" role="tablist">
 <li class="nav-item">
 <a class="nav-link active"
-id="tabs-28-0-tab" data-toggle="tab" href="#tabs-28-0" role="tab"
-aria-controls="tabs-28-0" aria-selected="true">
+id="tabs-26-0-tab" data-toggle="tab" href="#tabs-26-0" role="tab"
+aria-controls="tabs-26-0" aria-selected="true">
 Production
 </a>
 </li>
 <li class="nav-item">
 <a class="nav-link"
-id="tabs-28-1-tab" data-toggle="tab" href="#tabs-28-1" role="tab"
-aria-controls="tabs-28-1" aria-selected="false">
+id="tabs-26-1-tab" data-toggle="tab" href="#tabs-26-1" role="tab"
+aria-controls="tabs-26-1" aria-selected="false">
 Development
 </a>
 </li>
 </ul>
-<div class="tabx-content" id="tabs-28-content">
+<div class="tabx-content" id="tabs-26-content">
 <div class="tab-pane show active"
-id="tabs-28-0" role="tabpanel" aria-labelled-by="tabs-28-0-tab">
+id="tabs-26-0" role="tabpanel" aria-labelled-by="tabs-26-0-tab">
 <table>
 <thead>
 <tr>
@@ -2509,7 +2433,7 @@ id="tabs-28-0" role="tabpanel" aria-labelled-by="tabs-28-0-tab">
 </table>
 </div>
 <div class="tab-pane "
-id="tabs-28-1" role="tabpanel" aria-labelled-by="tabs-28-1-tab">
+id="tabs-26-1" role="tabpanel" aria-labelled-by="tabs-26-1-tab">
 <table>
 <thead>
 <tr>