Adjust examples

docs/source/explanations/security.md

@@ -238,39 +238,29 @@ pip install httpx
 3. It is recommended to set the Client Secret as an environment variable, such
    as `OIDC_CLIENT_SECRET`, and reference that from configuration file as shown
    below.
-4. Obtain the OIDC provider's public key(s). These are published by the OIDC provider.
-   Starting from a URL like:
+4. Get the OIDC provider's well-known endpoint. These are expected shared configuration values published by the OIDC provider.
+   Typically it is a URL like:
 
    * [https://accounts.google.com/.well-known/openid-configuration](https://accounts.google.com/.well-known/openid-configuration)
    * [https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration)
    * [https://orcid.org/.well-known/openid-configuration](https://orcid.org/.well-known/openid-configuration)
 
-   Navigate to the link under the key `jwks_uri`. These public key(s) are designed
-   to prevent man-in-the-middle attacks. They may be rotated over time.
-
 The configuration file(s) must include the following.
 
 ```yaml
 authentication:
   providers:
-  - provider: SOME_NAME_HERE
+  - provider: example.com
     authenticator: tiled.authenticators:OIDCAuthenticator
     args:
-      # All of these are given by the OIDC provider you register
-      # your application.
-      client_id: ...
-      client_secret: ${OIDC_CLIENT_SECRET}  # reference an environment variable
-      # These come from the OIDC provider as described above.
-      token_uri: ...
-      authorization_endpoint: ...
-      public_keys:
-        - kty: ...
-          e: ...
-          use: ...
-          kid: ...
-          n: ...
-          alg: ...
-      confirmation_message: "You have logged in with ... as {id}."
+      # Values should come from your OIDC provider configuration
+      # The audience claim is checked by the OIDC Client (Tiled)
+      # It checks that the Authentication header that you are passed has not been intercepted
+      # And that elevated claims from other services do not apply here
+      audience: tiled # or similar
+      client_id: tiled_client
+      client_secret: ${OIDC_CLIENT_SECRET} # referencing an environment variable
+      well_known_uri: example.com/.well-known/openid-configuration
 ```
 
 There are example configurations for ORCID and Google in the directory

example_configs/google_auth.yml

@@ -4,27 +4,11 @@ authentication:
   - provider: google
     authenticator: tiled.authenticators:OIDCAuthenticator
     args:
+      audience: tiled  # something unique to ensure received headers are for you
       # These values come from https://console.cloud.google.com/apis/credential
       client_id: ${GOOGLE_CLIENT_ID}
       client_secret: ${GOOGLE_CLIENT_SECRET}
-      # These values come from https://accounts.google.com/.well-known/openid-configuration
-      # Obtain them directly from Google. They may change over time.
-      token_uri: "https://oauth2.googleapis.com/token"
-      authorization_endpoint: "https://accounts.google.com/o/oauth2/v2/auth"
-      public_keys:
-      - alg: RS256
-        e: AQAB
-        kid: ee1b9f88cfe3151ddd284a61bf8cecf659b130cf
-        kty: RSA
-        n: rTOxVQCdPMM6n3XRW7VW5e8bGCoimxT-m4cUyaTtLCIf1IqFJRhzc3rgdxsdpg5fjj1Ln2yG_r-3FbkFYJw1ebOCwJ_xlrIeL7FZWqKHl2u5tPKhYkBpPsh-SFZrlEv6X6W2tLcXaFs_8qeHbEasW3A7S6SiS6vMLvcEgufvHSHM1W61U6R9wzOo0lr3rBBOahZFr2Vym8P3eZZ9u_i07RFEqUEFhHXnHYHMLY2Ch9-JbZlCRVbBOfTxCPdOqOkZyFQfGOMj5XLbPHXLSBlmsNzFSv3KgPhZgvmfK113VUN3RFgnDZ5q_-4FK82j_L0FrYZUPRGBA9Crlvtxg_LJWQ
-        use: sig
-      - alg: RS256
-        e: AQAB
-        kid: 77cc0ef4c7181cf4c0dcef7b60ae28cc9022c76b
-        kty: RSA
-        n: yCR1Za9HjpT49GymRQlYSsNg8z7PZGFh5a26IaCo86xPuAcf6VumrKYG6aK9Y1Bh9qJ9MBV1oajmatTuXtc-FtqwqH9Jzbb_-mCYGylx08Mqr83ydV_fIa64ilpVlBz_LHDeDKIYNepQLGqlMNQ6iVuM9MX9NesN3_twudqgz_Ll3FZkpi0DsVOIwV-fOP3zH6h_e0YPbIIjIcxCUs3Pe0rkcjUVRf3yDfPQTjaNtUh9Qg6DGIi1xe5DU0egLvQv6CdbR3wMxNDp8unhForCaenlD8ulzB_tZT0ft6uxPOHEx29FpH6mzfIsbcTZ7VaBfw6KYUaPsZOCcspY14exow
-        use: sig
-      confirmation_message: "You have logged in with Google as {id}."
+      well_known_uri: https://accounts.google.com/.well-known/openid-configuration
 trees:
  # Just some arbitrary example data...
  # The point of this example is the authenticaiton above.

example_configs/orcid_auth.yml

@@ -4,21 +4,12 @@ authentication:
   - provider: orcid
     authenticator: tiled.authenticators:OIDCAuthenticator
     args:
+      audience: tiled  # something unique to ensure received headers are for you
       # These values come from https://orcid.org/developer-tools
       client_id: ${ORCID_CLIENT_ID}
       client_secret: ${ORCID_CLIENT_SECRET}
-      # These values come from https://orcid.org/.well-known/openid-configuration
-      # Obtain them directly from ORCID. They may change over time.
-      token_uri: "https://orcid.org/oauth/token"
-      authorization_endpoint: "https://orcid.org/oauth/authorize"
-      public_keys:
-        - kty: "RSA"
-          e: "AQAB"
-          use: "sig"
-          kid: "production-orcid-org-7hdmdswarosg3gjujo8agwtazgkp1ojs"
-          n: "jxTIntA7YvdfnYkLSN4wk__E2zf_wbb0SV_HLHFvh6a9ENVRD1_rHK0EijlBzikb-1rgDQihJETcgBLsMoZVQqGj8fDUUuxnVHsuGav_bf41PA7E_58HXKPrB2C0cON41f7K3o9TStKpVJOSXBrRWURmNQ64qnSSryn1nCxMzXpaw7VUo409ohybbvN6ngxVy4QR2NCC7Fr0QVdtapxD7zdlwx6lEwGemuqs_oG5oDtrRuRgeOHmRps2R6gG5oc-JqVMrVRv6F9h4ja3UgxCDBQjOVT1BFPWmMHnHCsVYLqbbXkZUfvP2sO1dJiYd_zrQhi-FtNth9qrLLv3gkgtwQ"
-          alg: RS256
-      confirmation_message: "You have logged in with ORCID as {id}."
+      well_known_uri: https://orcid.org/.well-known/openid-configuration
+
 trees:
  # Just some arbitrary example data...
  # The point of this example is the authenticaiton above.