split openid docs into operations and programming guides

Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>
jetty · Nov 22, 2024 · ea839f3 · ea839f3
1 parent 8aa4460
commit ea839f3
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 35 deletions.
diff --git a/documentation/jetty/modules/operations-guide/pages/modules/standard.adoc b/documentation/jetty/modules/operations-guide/pages/modules/standard.adoc
@@ -886,3 +886,14 @@ The module properties are:
 ----
 include::{jetty-home}/modules/well-known.mod[tags=documentation]
 ----
+
+[[openid]]
+== Module `openid`
+
+The openid module enables support for OpenID Connect (OIDC) authentication in Jetty.
+It allows Jetty to authenticate users via an OpenID Connect identity provider, making it possible to integrate features like "Sign in with Google" or "Sign in with Microsoft," among others.
+This simplifies user authentication while leveraging the security and convenience of external identity providers.
+
+----
+include::{jetty-home}/modules/openid.mod[tags=documentation]
+----
diff --git a/documentation/jetty/modules/operations-guide/pages/security/openid-support.adoc b/documentation/jetty/modules/operations-guide/pages/security/openid-support.adoc
@@ -0,0 +1,54 @@
+//
+// ========================================================================
+// Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+// which is available at https://www.apache.org/licenses/LICENSE-2.0.
+//
+// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+// ========================================================================
+//
+
+[[openid-support]]
+= OpenID Support
+
+For more information about Jetty OpenID configuration also see the xref:programming-guide:security/openid-support.adoc[OpenID Support] section in the programming guide.
+
+== OpenID Provider Configuration
+To enable OpenID support, you first need to activate the `openid` module in your implementation.
+
+----
+$ java -jar $JETTY_HOME/start.jar --add-to-start=openid
+----
+
+To configure OpenID Authentication with Jetty you will need to specify the OpenID Provider's issuer identifier (case-sensitive URL using the `https` scheme) and the OAuth 2.0 Client ID and Client Secret.
+If the OpenID Provider does not allow metadata discovery you will also need to specify the token endpoint and authorization endpoint of the OpenID Provider.
+These can be set as properties in the `start.ini` or `start.d/openid.ini` files.
+
+== WebApp Specific Configuration in web.xml
+
+The `web.xml` file needs some specific configuration to use OpenID.
+There must be a `login-config` element with an `auth-method` value of `OPENID`, and a `realm-name` value of the exact URL string used to set the OpenID Provider.
+
+To set the error page, an init param is set at `"org.eclipse.jetty.security.openid.error_page"`, its value should be a path relative to the webapp where authentication errors should be redirected.
+
+Example:
+
+[,xml,subs=attributes+]
+----
+<login-config>
+  <auth-method>OPENID</auth-method>
+  <realm-name>https://accounts.google.com</realm-name>
+</login-config>
+<context-param>
+  <param-name>org.eclipse.jetty.security.openid.error_page</param-name>
+  <param-value>/error</param-value>
+</context-param>
+----
+
+== Supporting Multiple OpenID Providers.
+
+You may override the `jetty-openid.xml` file in `$JETTY_BASE/etc/jetty-openid.xml` to add additional `OpenIdConfiguration` instances as beans on the server.
+If there are multiple OpenID configuration instances found on the server then the `OpenIdAuthenticationFactory` will select the one with an `issuer` matching the `<realm-name>` of the `web.xml` for a given web app.
diff --git a/documentation/jetty/modules/programming-guide/pages/security/openid-support.adoc b/documentation/jetty/modules/programming-guide/pages/security/openid-support.adoc
@@ -27,39 +27,6 @@ These may look like
 
  *  `https://example.com/j_security_check`
 
-== Distribution Configuration
-
-=== OpenID Provider Configuration
-To enable OpenID support, you first need to activate the `openid` module in your implementation.
-
-----
-$ java -jar $JETTY_HOME/start.jar --add-to-start=openid
-----
-
-To configure OpenID Authentication with Jetty you will need to specify the OpenID Provider's issuer identifier (case-sensitive URL using the `https` scheme) and the OAuth 2.0 Client ID and Client Secret.
-If the OpenID Provider does not allow metadata discovery you will also need to specify the token endpoint and authorization endpoint of the OpenID Provider.
-These can be set as properties in the `start.ini` or `start.d/openid.ini` files.
-
-=== WebApp Specific Configuration in web.xml
-
-The `web.xml` file needs some specific configuration to use OpenID.
-There must be a `login-config` element with an `auth-method` value of `OPENID`, and a `realm-name` value of the exact URL string used to set the OpenID Provider.
-
-To set the error page, an init param is set at `"org.eclipse.jetty.security.openid.error_page"`, its value should be a path relative to the webapp where authentication errors should be redirected.
-
-Example:
-
-[,xml,subs=attributes+]
-----
-<login-config>
-  <auth-method>OPENID</auth-method>
-  <realm-name>https://accounts.google.com</realm-name>
-</login-config>
-<context-param>
-  <param-name>org.eclipse.jetty.security.openid.error_page</param-name>
-  <param-value>/error</param-value>
-</context-param>
-----
 
 == Embedded Configuration
 
@@ -72,7 +39,6 @@ If the OpenID Provider allows metadata discovery then you can use.
 include::code:example$src/main/java/org/eclipse/jetty/docs/programming/security/OpenIdDocs.java[tags=createConfigurationWithDiscovery]
 ----
 
-
 Otherwise, you can manually enter the necessary information:
 
 [,java,indent=0]
@@ -109,7 +75,7 @@ For the Google OpenID Provider it can be useful to request the scopes `profile`
 
 Additional scopes can be requested through the `start.ini` or `start.d/openid.ini` files, or with `OpenIdConfiguration.addScopes(...);` in embedded code.
 
-== Roles
+== Authorization
 
 If security roles are required they can be configured through a wrapped `LoginService` which is deferred to for role information by the `OpenIdLoginService`.
 

diff --git a/jetty-integrations/jetty-openid/src/main/config/modules/openid.mod b/jetty-integrations/jetty-openid/src/main/config/modules/openid.mod
@@ -19,6 +19,7 @@ etc/jetty-openid-baseloginservice.xml
 etc/jetty-openid.xml
 
 [ini-template]
+# tag::documentation[]
 ## The OpenID Identity Provider's issuer ID (the entire URL *before* ".well-known/openid-configuration")
 # jetty.openid.provider=https://id.example.com/
 
@@ -48,3 +49,4 @@ etc/jetty-openid.xml
 
 ## Whether the user should be logged out after the idToken expires.
 # jetty.openid.logoutWhenIdTokenIsExpired=false
+# end::documentation[]