From b2c020ce1625fc3dd43c3d6a46782968cf9ae442 Mon Sep 17 00:00:00 2001
From: Brian Rosenberg <brosenberg@mitre.org>
Date: Thu, 20 Jul 2023 12:43:31 -0400
Subject: [PATCH 1/6] Add oidc guide

---
 docs/docs/OpenID-Connect-Guide.md             | 181 +++++++
 docs/mkdocs.yml                               |   1 +
 docs/site/404.html                            |   4 +
 docs/site/Acknowledgements/index.html         |   4 +
 docs/site/Admin-Guide/index.html              |   4 +
 docs/site/CPP-Batch-Component-API/index.html  |   4 +
 .../CPP-Streaming-Component-API/index.html    |   4 +
 docs/site/Component-API-Overview/index.html   |   4 +
 .../Component-Descriptor-Reference/index.html |   4 +
 docs/site/Contributor-Guide/index.html        |   4 +
 docs/site/Derivative-Media-Guide/index.html   |   4 +
 .../Development-Environment-Guide/index.html  |   4 +
 docs/site/Feed-Forward-Guide/index.html       |   4 +
 docs/site/GPU-Support-Guide/index.html        |   4 +
 docs/site/Install-Guide/index.html            |   4 +
 docs/site/Java-Batch-Component-API/index.html |   4 +
 docs/site/License-And-Distribution/index.html |   4 +
 docs/site/Markup-Guide/index.html             |   4 +
 docs/site/Media-Segmentation-Guide/index.html |   8 +-
 docs/site/Node-Guide/index.html               |   4 +
 docs/site/Object-Storage-Guide/index.html     |   4 +
 docs/site/OpenID-Connect-Guide/index.html     | 446 ++++++++++++++++++
 .../Python-Batch-Component-API/index.html     |   4 +
 docs/site/REST-API/index.html                 |   4 +
 docs/site/Release-Notes/index.html            |   4 +
 docs/site/TiesDb-Guide/index.html             |   4 +
 docs/site/User-Guide/index.html               |   8 +-
 .../Workflow-Manager-Architecture/index.html  |   4 +
 docs/site/index.html                          |   6 +-
 docs/site/search.html                         |   4 +
 docs/site/search/search_index.json            |  30 ++
 docs/site/sitemap.xml                         |  55 ++-
 32 files changed, 801 insertions(+), 30 deletions(-)
 create mode 100644 docs/docs/OpenID-Connect-Guide.md
 create mode 100644 docs/site/OpenID-Connect-Guide/index.html

diff --git a/docs/docs/OpenID-Connect-Guide.md b/docs/docs/OpenID-Connect-Guide.md
new file mode 100644
index 000000000000..38b33900c6db
--- /dev/null
+++ b/docs/docs/OpenID-Connect-Guide.md
@@ -0,0 +1,181 @@
+**NOTICE:** This software (or technical data) was produced for the U.S. Government under contract,
+and is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023
+The MITRE Corporation. All Rights Reserved.
+
+# OpenID Connect Overview
+Workflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of
+the web UI and clients of the REST API.
+
+
+## Configuration
+In order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact
+process for this varies by provider.  As part of the registration process, a client ID and client
+secret should be provided. Those values should be set in the `OIDC_CLIENT_ID` and
+`OIDC_CLIENT_SECRET` environment variables. During the registration process the provider will
+likely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manger
+with `/login/oauth2/code/provider` appended.
+
+The documentation for the OIDC provider should specify the base URI a client should use to
+authenticate users. The URI should be set in the `OIDC_ISSUER_URI` environment variable. To verify
+the URI is correct, check that the JSON discovery document is returned when sending an HTTP GET
+request to the URI with `/.well-known/openid-configuration` appended.
+
+After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a
+claim with a specific value to determine if the user is authorized to access Workflow Manager and
+with what role. The `OIDC_USER_CLAIM_NAME` and `OIDC_ADMIN_CLAIM_NAME` environment variables
+specify the name of claim that must be present. The `OIDC_USER_CLAIM_VALUE` and
+`OIDC_ADMIN_CLAIM_VALUE` environment variables specify the required value of the claim.
+
+
+
+### Environment Variables
+
+- `OIDC_ISSUER_URI` (Required): URI for the OIDC provider that will be used to authenticate users
+    through the web UI. If `OIDC_JWT_ISSUER_URI` is not set, `OIDC_ISSUER_URI` will also be used to
+    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of
+    `OIDC_ISSUER_URI` with `/.well-known/openid-configuration` appended.
+- `OIDC_JWT_ISSUER_URI` (Optional): Works the same way as `OIDC_ISSUER_URI`, except that the
+    configuration will only be used to authenticate REST clients. When not provided,
+    `OIDC_ISSUER_URI` will be used.
+- `OIDC_CLIENT_ID` (Required): The client ID that Workflow Manager will use to authenticate with
+    the OIDC provider.
+- `OIDC_CLIENT_SECRET` (Required): The client secret Workflow Manager will use to authenticate
+    with the OIDC provider.
+- `OIDC_USER_CLAIM_NAME` (Optional): Specifies the name of the claim from the authentication token
+    that is required for a user or REST client to be granted access to Workflow Manager with the
+    `USER` role.
+- `OIDC_USER_CLAIM_VALUE` (Optional): Specifies the required value of the claim specified in
+    `OIDC_USER_CLAIM_NAME`. If the claim is a list, only one of the values in the list must match.
+- `OIDC_ADMIN_CLAIM_NAME` (Optional): Specifies the name of the claim from the authentication token
+    that is required for a user or REST client to be granted access to Workflow Manager with the
+    `ADMIN` role.
+- `OIDC_ADMIN_CLAIM_VALUE` (Optional): Specifies the required value of the claim specified in
+    `OIDC_ADMIN_CLAIM_NAME`. If the claim is a list, only one of the values in the list must match.
+- `OIDC_SCOPES` (Optional): A comma-separated list the scopes to be requested from the OIDC
+    provider when authenticating a user through the web UI. The OIDC specification requires one of
+    the scopes to be `openid`, so if this environment variable is omitted or `openid` is not in the
+    list, it will be automatically added.
+- `OIDC_USER_NAME_ATTR` (Optional): The name of the claim containing the user name. Defaults to
+    `sub`.
+
+
+
+## Example with Keycloak
+
+The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.
+It is just an example and should not be used in production.
+
+1\. Start Keycloak in development mode:
+```bash
+docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
+    quay.io/keycloak/keycloak:21.1.1 start-dev
+```
+
+2\. Go to <http://localhost:9090/admin> in a browser and login with username `admin` and
+    password `admin`.
+
+3\. Create a new realm:
+
+- Click the dropdown box in the upper left that says "master".
+- Click "Create Realm".
+- Enter a realm name.
+- Click "Create".
+- Use the realm name you entered to set Workflow Manager's `OIDC_ISSUER_URI` environment
+    variable to: `http://localhost:9090/realms/<realm-name>`
+
+
+4\. Create the client Workflow Manager will use to authenticate users:
+
+- Click "Clients" in the left menu.
+- Click "Create client".
+- Make sure "Client type" is "OpenID Connect".
+- Enter a client ID.
+- Click "Next".
+- Enable "Client authentication".
+- Make sure "Standard flow" is checked.
+- Click "Next"
+- In "Valid redirect URIs" enter the base URL for Workflow Manager with
+    `/login/oauth2/code/provider` appended.
+- In "Valid post logout redirect URIs" enter the base URL for Workflow Manager.
+- Click "Save"
+- Set Workflow Manager's `OIDC_CLIENT_ID` environment variable to the client ID you entered.
+- On the "Client details" page for the new client go to the "Credentials" tab.
+- Click the eye icon next to "Client secret".
+- Set Workflow Manager's `OIDC_CLIENT_SECRET` environment variable to the value displayed in
+    "Client secret".
+
+5\. Create a Keycloak role that maps to a Workflow Manager role:
+
+- Click "Realm roles" in the left menu.
+- Click "Create role".
+- Enter a "Role name".
+- Click "Save".
+- If the Keycloak role should make the user an `ADMIN` in Workflow Manager, set Workflow
+    Manager's `OIDC_ADMIN_CLAIM_VALUE` to the role name you just entered. If it should be a
+    `USER`, then set the `OIDC_USER_CLAIM_VALUE` environment variable.
+- Only one of `OIDC_ADMIN_CLAIM_VALUE` and `OIDC_USER_CLAIM_VALUE` need to be set. If you would
+    like to set up both roles repeat this step.
+
+6\. Include the Keycloak role(s) in the access token:
+
+- Click "Client scopes" in the left menu.
+- Click "roles".
+- Click the "Mappers" tab.
+- Click "Add mapper"
+- Click "From predefined mappers".
+- Check "groups".
+- Click "Add".
+- The default name "Token Claim Name" is "groups". This can be changed.
+- If you created an `ADMIN` role in step 5 set `OIDC_ADMIN_CLAIM_NAME` to the value in
+    "Token Claim Name". If you created a `USER` role, do the same for `OIDC_USER_CLAIM_NAME`.
+
+7\. Optionally, configure Workflow Manager to display the user name instead of the ID.
+
+- Set Workflow Manager's `OIDC_USER_NAME_ATTR` environment variable to `preferred_username`.
+
+8\. Create users:
+
+- Click "Users" in the left menu.
+- Click "Create new user".
+- Enter a "Username".
+- Click "Create".
+- Click the "Credentials" tab.
+- Click "Set password".
+- Set a password.
+- Uncheck "Temporary".
+- Click "Save".
+- Click the "Role mapping" tab.
+- Click "Assign role".
+- Check one of the roles create in step 5.
+- Click "Assign".
+
+9\. You should now be able to start Workflow Manager. When you initially navigate to Workflow
+   Manager, you will be redirected to the Keycloak log in page. You can log in using the
+   users created in step 8.
+
+10\. Add REST clients:
+
+- Click "Clients" in the left menu.
+- Click "Create client".
+- Set a "Client ID".
+- Click "Next".
+- Enable "Client authentication".
+- Enable "Service accounts roles".
+- Click "Next".
+- Click "Save".
+- Click the "Service account roles" tab.
+- Click "Assign role".
+- Check a role created in step 5.
+- Click "Assign".
+
+
+### Test REST authentication
+Using the client id/secret from step 10 and the realm name from step 3, run the following command:
+```bash
+curl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://localhost:9090/realms/<realm-name>/protocol/openid-connect/token'
+```
+The response JSON will contain a token in the `"access_token"` property. That token need to
+included as a bearer token in REST requests to Workflow Manager. For example:
+```bash
+curl -H "Authorization: Bearer <access-token>" http://localhost:8080/workflow-manager/rest/jobs/1
+```
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index 0eff10635daa..655ed3b55ae8 100644
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -19,6 +19,7 @@ pages:
     - Install Guide: Install-Guide.md
     - Admin Guide: Admin-Guide.md
     - User Guide: User-Guide.md
+    - OpenID Connect Guide: OpenID-Connect-Guide.md
     - Media Segmentation Guide: Media-Segmentation-Guide.md
     - Feed Forward Guide: Feed-Forward-Guide.md
     - Derivative Media Guide: Derivative-Media-Guide.md
diff --git a/docs/site/404.html b/docs/site/404.html
index 29732762964d..24ef7ae7b8e0 100644
--- a/docs/site/404.html
+++ b/docs/site/404.html
@@ -82,6 +82,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="/OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="/Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Acknowledgements/index.html b/docs/site/Acknowledgements/index.html
index 1ff837a7305d..1884a1b13752 100644
--- a/docs/site/Acknowledgements/index.html
+++ b/docs/site/Acknowledgements/index.html
@@ -92,6 +92,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Admin-Guide/index.html b/docs/site/Admin-Guide/index.html
index c53d31dfe855..1f2c95c6753e 100644
--- a/docs/site/Admin-Guide/index.html
+++ b/docs/site/Admin-Guide/index.html
@@ -109,6 +109,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/CPP-Batch-Component-API/index.html b/docs/site/CPP-Batch-Component-API/index.html
index b49cfa433aa7..62e90affeec3 100644
--- a/docs/site/CPP-Batch-Component-API/index.html
+++ b/docs/site/CPP-Batch-Component-API/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/CPP-Streaming-Component-API/index.html b/docs/site/CPP-Streaming-Component-API/index.html
index 7d4272ac0cbc..ba99dd58fbe2 100644
--- a/docs/site/CPP-Streaming-Component-API/index.html
+++ b/docs/site/CPP-Streaming-Component-API/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Component-API-Overview/index.html b/docs/site/Component-API-Overview/index.html
index 65361d3e5b86..aaf4643fc9fc 100644
--- a/docs/site/Component-API-Overview/index.html
+++ b/docs/site/Component-API-Overview/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Component-Descriptor-Reference/index.html b/docs/site/Component-Descriptor-Reference/index.html
index c80bbebfc1ce..8a81f9231420 100644
--- a/docs/site/Component-Descriptor-Reference/index.html
+++ b/docs/site/Component-Descriptor-Reference/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Contributor-Guide/index.html b/docs/site/Contributor-Guide/index.html
index 38ac0755163d..44307a4b0fe1 100644
--- a/docs/site/Contributor-Guide/index.html
+++ b/docs/site/Contributor-Guide/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Derivative-Media-Guide/index.html b/docs/site/Derivative-Media-Guide/index.html
index 6c55b35e35b3..e187a8d7848c 100644
--- a/docs/site/Derivative-Media-Guide/index.html
+++ b/docs/site/Derivative-Media-Guide/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Development-Environment-Guide/index.html b/docs/site/Development-Environment-Guide/index.html
index af722927ac2f..cbdd6a3387f0 100644
--- a/docs/site/Development-Environment-Guide/index.html
+++ b/docs/site/Development-Environment-Guide/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Feed-Forward-Guide/index.html b/docs/site/Feed-Forward-Guide/index.html
index 17434a4f0db5..1821eb42809d 100644
--- a/docs/site/Feed-Forward-Guide/index.html
+++ b/docs/site/Feed-Forward-Guide/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class=" current">
diff --git a/docs/site/GPU-Support-Guide/index.html b/docs/site/GPU-Support-Guide/index.html
index bbe01ca7d483..59007efcc413 100644
--- a/docs/site/GPU-Support-Guide/index.html
+++ b/docs/site/GPU-Support-Guide/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Install-Guide/index.html b/docs/site/Install-Guide/index.html
index dbf0432b74b2..eb755e0450ce 100644
--- a/docs/site/Install-Guide/index.html
+++ b/docs/site/Install-Guide/index.html
@@ -95,6 +95,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Java-Batch-Component-API/index.html b/docs/site/Java-Batch-Component-API/index.html
index 29fbc786e690..6c8635c75ed5 100644
--- a/docs/site/Java-Batch-Component-API/index.html
+++ b/docs/site/Java-Batch-Component-API/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/License-And-Distribution/index.html b/docs/site/License-And-Distribution/index.html
index 1ee673df002d..e4c13d3b9d5e 100644
--- a/docs/site/License-And-Distribution/index.html
+++ b/docs/site/License-And-Distribution/index.html
@@ -105,6 +105,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Markup-Guide/index.html b/docs/site/Markup-Guide/index.html
index ce6dfd974e56..2478df3dee11 100644
--- a/docs/site/Markup-Guide/index.html
+++ b/docs/site/Markup-Guide/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Media-Segmentation-Guide/index.html b/docs/site/Media-Segmentation-Guide/index.html
index 9ddc40773da8..8ef3f400bb70 100644
--- a/docs/site/Media-Segmentation-Guide/index.html
+++ b/docs/site/Media-Segmentation-Guide/index.html
@@ -86,6 +86,10 @@
                 <li class="">
                     
     <a class="" href="../User-Guide/index.html">User Guide</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
                 </li>
                 <li class=" current">
                     
@@ -333,7 +337,7 @@ <h2 id="min_gap_between_segments-property">"MIN_GAP_BETWEEN_SEGMENTS" Property</
         <a href="../Feed-Forward-Guide/index.html" class="btn btn-neutral float-right" title="Feed Forward Guide">Next <span class="icon icon-circle-arrow-right"></span></a>
       
       
-        <a href="../User-Guide/index.html" class="btn btn-neutral" title="User Guide"><span class="icon icon-circle-arrow-left"></span> Previous</a>
+        <a href="../OpenID-Connect-Guide/index.html" class="btn btn-neutral" title="OpenID Connect Guide"><span class="icon icon-circle-arrow-left"></span> Previous</a>
       
     </div>
   
@@ -361,7 +365,7 @@ <h2 id="min_gap_between_segments-property">"MIN_GAP_BETWEEN_SEGMENTS" Property</
     <span class="rst-current-version" data-toggle="rst-current-version">
       
       
-        <span><a href="../User-Guide/index.html" style="color: #fcfcfc;">&laquo; Previous</a></span>
+        <span><a href="../OpenID-Connect-Guide/index.html" style="color: #fcfcfc;">&laquo; Previous</a></span>
       
       
         <span style="margin-left: 15px"><a href="../Feed-Forward-Guide/index.html" style="color: #fcfcfc">Next &raquo;</a></span>
diff --git a/docs/site/Node-Guide/index.html b/docs/site/Node-Guide/index.html
index 243889c7ca8e..9cde6f8ec3c3 100644
--- a/docs/site/Node-Guide/index.html
+++ b/docs/site/Node-Guide/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Object-Storage-Guide/index.html b/docs/site/Object-Storage-Guide/index.html
index 90f21b1e7316..8619d63480fb 100644
--- a/docs/site/Object-Storage-Guide/index.html
+++ b/docs/site/Object-Storage-Guide/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/OpenID-Connect-Guide/index.html b/docs/site/OpenID-Connect-Guide/index.html
new file mode 100644
index 000000000000..db5ddafaae08
--- /dev/null
+++ b/docs/site/OpenID-Connect-Guide/index.html
@@ -0,0 +1,446 @@
+<!DOCTYPE html>
+<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
+<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  
+  
+  <link rel="shortcut icon" href="../img/favicon.ico">
+  <title>OpenID Connect Guide - OpenMPF</title>
+  <link href='https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700' rel='stylesheet' type='text/css'>
+
+  <link rel="stylesheet" href="../css/theme.css" type="text/css" />
+  <link rel="stylesheet" href="../css/theme_extra.css" type="text/css" />
+  <link rel="stylesheet" href="../css/highlight.css">
+  
+  <script>
+    // Current page data
+    var mkdocs_page_name = "OpenID Connect Guide";
+    var mkdocs_page_input_path = "OpenID-Connect-Guide.md";
+    var mkdocs_page_url = "/OpenID-Connect-Guide/index.html";
+  </script>
+  
+  <script src="../js/jquery-2.1.1.min.js"></script>
+  <script src="../js/modernizr-2.8.3.min.js"></script>
+  <script type="text/javascript" src="../js/highlight.pack.js"></script> 
+  
+</head>
+
+<body class="wy-body-for-nav" role="document">
+
+  <div class="wy-grid-for-nav">
+
+    
+    <nav data-toggle="wy-nav-shift" class="wy-nav-side stickynav">
+      <div class="wy-side-nav-search">
+        <a href="../index.html" class="icon icon-home"> OpenMPF</a>
+        <div role="search">
+  <form id ="rtd-search-form" class="wy-form" action="../search.html" method="get">
+    <input type="text" name="q" placeholder="Search docs" />
+  </form>
+</div>
+      </div>
+
+      <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
+	<ul class="current">
+	  
+          
+            <li class="toctree-l1">
+		
+    <a class="" href="../index.html">Home</a>
+	    </li>
+          
+            <li class="toctree-l1">
+		
+    <span class="caption-text">General</span>
+    <ul class="subnav">
+                <li class="">
+                    
+    <a class="" href="../Release-Notes/index.html">Release Notes</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../License-And-Distribution/index.html">License and Distribution</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Acknowledgements/index.html">Acknowledgements</a>
+                </li>
+    </ul>
+	    </li>
+          
+            <li class="toctree-l1">
+		
+    <span class="caption-text">Guides</span>
+    <ul class="subnav">
+                <li class="">
+                    
+    <a class="" href="../Install-Guide/index.html">Install Guide</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Admin-Guide/index.html">Admin Guide</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../User-Guide/index.html">User Guide</a>
+                </li>
+                <li class=" current">
+                    
+    <a class="current" href="index.html">OpenID Connect Guide</a>
+    <ul class="subnav">
+            
+    <li class="toctree-l3"><a href="#openid-connect-overview">OpenID Connect Overview</a></li>
+    
+        <ul>
+        
+            <li><a class="toctree-l4" href="#configuration">Configuration</a></li>
+        
+            <li><a class="toctree-l4" href="#example-with-keycloak">Example with Keycloak</a></li>
+        
+        </ul>
+    
+
+    </ul>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Feed-Forward-Guide/index.html">Feed Forward Guide</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Derivative-Media-Guide/index.html">Derivative Media Guide</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Object-Storage-Guide/index.html">Object Storage Guide</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Markup-Guide/index.html">Markup Guide</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../TiesDb-Guide/index.html">TiesDb Guide</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../REST-API/index.html">REST API</a>
+                </li>
+    </ul>
+	    </li>
+          
+            <li class="toctree-l1">
+		
+    <span class="caption-text">Component Development</span>
+    <ul class="subnav">
+                <li class="">
+                    
+    <a class="" href="../Component-API-Overview/index.html">Component API Overview</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Component-Descriptor-Reference/index.html">Component Descriptor Reference</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../CPP-Batch-Component-API/index.html">C++ Batch Component API</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Python-Batch-Component-API/index.html">Python Batch Component API</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Java-Batch-Component-API/index.html">Java Batch Component API</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../GPU-Support-Guide/index.html">GPU Support Guide</a>
+                </li>
+    </ul>
+	    </li>
+          
+            <li class="toctree-l1">
+		
+    <span class="caption-text">Additional Developer Resources</span>
+    <ul class="subnav">
+                <li class="">
+                    
+    <a class="" href="../Contributor-Guide/index.html">Contributor Guide</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Development-Environment-Guide/index.html">Development Environment Guide</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Node-Guide/index.html">Node Guide</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../Workflow-Manager-Architecture/index.html">Workflow Manager Architecture</a>
+                </li>
+                <li class="">
+                    
+    <a class="" href="../CPP-Streaming-Component-API/index.html">C++ Streaming Component API</a>
+                </li>
+    </ul>
+	    </li>
+          
+        </ul>
+      </div>
+      &nbsp;
+    </nav>
+
+    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
+
+      
+      <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
+        <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
+        <a href="../index.html">OpenMPF</a>
+      </nav>
+
+      
+      <div class="wy-nav-content">
+        <div class="rst-content">
+          <div role="navigation" aria-label="breadcrumbs navigation">
+  <ul class="wy-breadcrumbs">
+    <li><a href="../index.html">Docs</a> &raquo;</li>
+    
+      
+        
+          <li>Guides &raquo;</li>
+        
+      
+    
+    <li>OpenID Connect Guide</li>
+    <li class="wy-breadcrumbs-aside">
+      
+    </li>
+  </ul>
+  <hr/>
+</div>
+          <div role="main">
+            <div class="section">
+              
+                <p><strong>NOTICE:</strong> This software (or technical data) was produced for the U.S. Government under contract,
+and is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023
+The MITRE Corporation. All Rights Reserved.</p>
+<h1 id="openid-connect-overview">OpenID Connect Overview</h1>
+<p>Workflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of
+the web UI and clients of the REST API.</p>
+<h2 id="configuration">Configuration</h2>
+<p>In order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact
+process for this varies by provider.  As part of the registration process, a client ID and client
+secret should be provided. Those values should be set in the <code>OIDC_CLIENT_ID</code> and
+<code>OIDC_CLIENT_SECRET</code> environment variables. During the registration process the provider will
+likely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manger
+with <code>/login/oauth2/code/provider</code> appended.</p>
+<p>The documentation for the OIDC provider should specify the base URI a client should use to
+authenticate users. The URI should be set in the <code>OIDC_ISSUER_URI</code> environment variable. To verify
+the URI is correct, check that the JSON discovery document is returned when sending an HTTP GET
+request to the URI with <code>/.well-known/openid-configuration</code> appended.</p>
+<p>After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a
+claim with a specific value to determine if the user is authorized to access Workflow Manager and
+with what role. The <code>OIDC_USER_CLAIM_NAME</code> and <code>OIDC_ADMIN_CLAIM_NAME</code> environment variables
+specify the name of claim that must be present. The <code>OIDC_USER_CLAIM_VALUE</code> and
+<code>OIDC_ADMIN_CLAIM_VALUE</code> environment variables specify the required value of the claim.</p>
+<h3 id="environment-variables">Environment Variables</h3>
+<ul>
+<li><code>OIDC_ISSUER_URI</code> (Required): URI for the OIDC provider that will be used to authenticate users
+    through the web UI. If <code>OIDC_JWT_ISSUER_URI</code> is not set, <code>OIDC_ISSUER_URI</code> will also be used to
+    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of
+    <code>OIDC_ISSUER_URI</code> with <code>/.well-known/openid-configuration</code> appended.</li>
+<li><code>OIDC_JWT_ISSUER_URI</code> (Optional): Works the same way as <code>OIDC_ISSUER_URI</code>, except that the
+    configuration will only be used to authenticate REST clients. When not provided,
+    <code>OIDC_ISSUER_URI</code> will be used.</li>
+<li><code>OIDC_CLIENT_ID</code> (Required): The client ID that Workflow Manager will use to authenticate with
+    the OIDC provider.</li>
+<li><code>OIDC_CLIENT_SECRET</code> (Required): The client secret Workflow Manager will use to authenticate
+    with the OIDC provider.</li>
+<li><code>OIDC_USER_CLAIM_NAME</code> (Optional): Specifies the name of the claim from the authentication token
+    that is required for a user or REST client to be granted access to Workflow Manager with the
+    <code>USER</code> role.</li>
+<li><code>OIDC_USER_CLAIM_VALUE</code> (Optional): Specifies the required value of the claim specified in
+    <code>OIDC_USER_CLAIM_NAME</code>. If the claim is a list, only one of the values in the list must match.</li>
+<li><code>OIDC_ADMIN_CLAIM_NAME</code> (Optional): Specifies the name of the claim from the authentication token
+    that is required for a user or REST client to be granted access to Workflow Manager with the
+    <code>ADMIN</code> role.</li>
+<li><code>OIDC_ADMIN_CLAIM_VALUE</code> (Optional): Specifies the required value of the claim specified in
+    <code>OIDC_ADMIN_CLAIM_NAME</code>. If the claim is a list, only one of the values in the list must match.</li>
+<li><code>OIDC_SCOPES</code> (Optional): A comma-separated list the scopes to be requested from the OIDC
+    provider when authenticating a user through the web UI. The OIDC specification requires one of
+    the scopes to be <code>openid</code>, so if this environment variable is omitted or <code>openid</code> is not in the
+    list, it will be automatically added.</li>
+<li><code>OIDC_USER_NAME_ATTR</code> (Optional): The name of the claim containing the user name. Defaults to
+    <code>sub</code>.</li>
+</ul>
+<h2 id="example-with-keycloak">Example with Keycloak</h2>
+<p>The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.
+It is just an example and should not be used in production.</p>
+<p>1. Start Keycloak in development mode:</p>
+<pre><code class="language-bash">docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
+    quay.io/keycloak/keycloak:21.1.1 start-dev
+</code></pre>
+<p>2. Go to <a href="http://localhost:9090/admin">http://localhost:9090/admin</a> in a browser and login with username <code>admin</code> and
+    password <code>admin</code>.</p>
+<p>3. Create a new realm:</p>
+<ul>
+<li>Click the dropdown box in the upper left that says "master".</li>
+<li>Click "Create Realm".</li>
+<li>Enter a realm name.</li>
+<li>Click "Create".</li>
+<li>Use the realm name you entered to set Workflow Manager's <code>OIDC_ISSUER_URI</code> environment
+    variable to: <code>http://localhost:9090/realms/&lt;realm-name&gt;</code></li>
+</ul>
+<p>4. Create the client Workflow Manager will use to authenticate users:</p>
+<ul>
+<li>Click "Clients" in the left menu.</li>
+<li>Click "Create client".</li>
+<li>Make sure "Client type" is "OpenID Connect".</li>
+<li>Enter a client ID.</li>
+<li>Click "Next".</li>
+<li>Enable "Client authentication".</li>
+<li>Make sure "Standard flow" is checked.</li>
+<li>Click "Next"</li>
+<li>In "Valid redirect URIs" enter the base URL for Workflow Manager with
+    <code>/login/oauth2/code/provider</code> appended.</li>
+<li>In "Valid post logout redirect URIs" enter the base URL for Workflow Manager.</li>
+<li>Click "Save"</li>
+<li>Set Workflow Manager's <code>OIDC_CLIENT_ID</code> environment variable to the client ID you entered.</li>
+<li>On the "Client details" page for the new client go to the "Credentials" tab.</li>
+<li>Click the eye icon next to "Client secret".</li>
+<li>Set Workflow Manager's <code>OIDC_CLIENT_SECRET</code> environment variable to the value displayed in
+    "Client secret".</li>
+</ul>
+<p>5. Create a Keycloak role that maps to a Workflow Manager role:</p>
+<ul>
+<li>Click "Realm roles" in the left menu.</li>
+<li>Click "Create role".</li>
+<li>Enter a "Role name".</li>
+<li>Click "Save".</li>
+<li>If the Keycloak role should make the user an <code>ADMIN</code> in Workflow Manager, set Workflow
+    Manager's <code>OIDC_ADMIN_CLAIM_VALUE</code> to the role name you just entered. If it should be a
+    <code>USER</code>, then set the <code>OIDC_USER_CLAIM_VALUE</code> environment variable.</li>
+<li>Only one of <code>OIDC_ADMIN_CLAIM_VALUE</code> and <code>OIDC_USER_CLAIM_VALUE</code> need to be set. If you would
+    like to set up both roles repeat this step.</li>
+</ul>
+<p>6. Include the Keycloak role(s) in the access token:</p>
+<ul>
+<li>Click "Client scopes" in the left menu.</li>
+<li>Click "roles".</li>
+<li>Click the "Mappers" tab.</li>
+<li>Click "Add mapper"</li>
+<li>Click "From predefined mappers".</li>
+<li>Check "groups".</li>
+<li>Click "Add".</li>
+<li>The default name "Token Claim Name" is "groups". This can be changed.</li>
+<li>If you created an <code>ADMIN</code> role in step 5 set <code>OIDC_ADMIN_CLAIM_NAME</code> to the value in
+    "Token Claim Name". If you created a <code>USER</code> role, do the same for <code>OIDC_USER_CLAIM_NAME</code>.</li>
+</ul>
+<p>7. Optionally, configure Workflow Manager to display the user name instead of the ID.</p>
+<ul>
+<li>Set Workflow Manager's <code>OIDC_USER_NAME_ATTR</code> environment variable to <code>preferred_username</code>.</li>
+</ul>
+<p>8. Create users:</p>
+<ul>
+<li>Click "Users" in the left menu.</li>
+<li>Click "Create new user".</li>
+<li>Enter a "Username".</li>
+<li>Click "Create".</li>
+<li>Click the "Credentials" tab.</li>
+<li>Click "Set password".</li>
+<li>Set a password.</li>
+<li>Uncheck "Temporary".</li>
+<li>Click "Save".</li>
+<li>Click the "Role mapping" tab.</li>
+<li>Click "Assign role".</li>
+<li>Check one of the roles create in step 5.</li>
+<li>Click "Assign".</li>
+</ul>
+<p>9. You should now be able to start Workflow Manager. When you initially navigate to Workflow
+   Manager, you will be redirected to the Keycloak log in page. You can log in using the
+   users created in step 8.</p>
+<p>10. Add REST clients:</p>
+<ul>
+<li>Click "Clients" in the left menu.</li>
+<li>Click "Create client".</li>
+<li>Set a "Client ID".</li>
+<li>Click "Next".</li>
+<li>Enable "Client authentication".</li>
+<li>Enable "Service accounts roles".</li>
+<li>Click "Next".</li>
+<li>Click "Save".</li>
+<li>Click the "Service account roles" tab.</li>
+<li>Click "Assign role".</li>
+<li>Check a role created in step 5.</li>
+<li>Click "Assign".</li>
+</ul>
+<h3 id="test-rest-authentication">Test REST authentication</h3>
+<p>Using the client id/secret from step 10 and the realm name from step 3, run the following command:</p>
+<pre><code class="language-bash">curl -d grant_type=client_credentials -u '&lt;client-id&gt;:&lt;client-secret&gt;' 'http://localhost:9090/realms/&lt;realm-name&gt;/protocol/openid-connect/token'
+</code></pre>
+<p>The response JSON will contain a token in the <code>"access_token"</code> property. That token need to
+included as a bearer token in REST requests to Workflow Manager. For example:</p>
+<pre><code class="language-bash">curl -H &quot;Authorization: Bearer &lt;access-token&gt;&quot; http://localhost:8080/workflow-manager/rest/jobs/1
+</code></pre>
+              
+            </div>
+          </div>
+          <footer>
+  
+    <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
+      
+        <a href="../Media-Segmentation-Guide/index.html" class="btn btn-neutral float-right" title="Media Segmentation Guide">Next <span class="icon icon-circle-arrow-right"></span></a>
+      
+      
+        <a href="../User-Guide/index.html" class="btn btn-neutral" title="User Guide"><span class="icon icon-circle-arrow-left"></span> Previous</a>
+      
+    </div>
+  
+
+  <hr/>
+
+  <div role="contentinfo">
+    <!-- Copyright etc -->
+    
+      <p>OpenMPF</p>
+    
+  </div>
+
+  Built with <a href="http://www.mkdocs.org">MkDocs</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
+</footer>
+      
+        </div>
+      </div>
+
+    </section>
+
+  </div>
+
+  <div class="rst-versions" role="note" style="cursor: pointer">
+    <span class="rst-current-version" data-toggle="rst-current-version">
+      
+      
+        <span><a href="../User-Guide/index.html" style="color: #fcfcfc;">&laquo; Previous</a></span>
+      
+      
+        <span style="margin-left: 15px"><a href="../Media-Segmentation-Guide/index.html" style="color: #fcfcfc">Next &raquo;</a></span>
+      
+    </span>
+</div>
+    <script>var base_url = '..';</script>
+    <script src="../js/theme.js"></script>
+      <script src="../js/mustache.js"></script>
+      <script src="../search/require.js"></script>
+      <script src="../search/search.js"></script>
+
+</body>
+</html>
diff --git a/docs/site/Python-Batch-Component-API/index.html b/docs/site/Python-Batch-Component-API/index.html
index bba1465a9833..53ef16cbfeff 100644
--- a/docs/site/Python-Batch-Component-API/index.html
+++ b/docs/site/Python-Batch-Component-API/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/REST-API/index.html b/docs/site/REST-API/index.html
index 8712d367ba00..15d93af1537b 100644
--- a/docs/site/REST-API/index.html
+++ b/docs/site/REST-API/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/Release-Notes/index.html b/docs/site/Release-Notes/index.html
index 1752c4423b90..e2348fe322c2 100644
--- a/docs/site/Release-Notes/index.html
+++ b/docs/site/Release-Notes/index.html
@@ -140,6 +140,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/TiesDb-Guide/index.html b/docs/site/TiesDb-Guide/index.html
index b49dd169de8d..c8d39b8a2368 100644
--- a/docs/site/TiesDb-Guide/index.html
+++ b/docs/site/TiesDb-Guide/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/User-Guide/index.html b/docs/site/User-Guide/index.html
index b1acbcf31399..55e80b823b77 100644
--- a/docs/site/User-Guide/index.html
+++ b/docs/site/User-Guide/index.html
@@ -128,6 +128,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
@@ -463,7 +467,7 @@ <h2 id="rest-api">REST API</h2>
   
     <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
       
-        <a href="../Media-Segmentation-Guide/index.html" class="btn btn-neutral float-right" title="Media Segmentation Guide">Next <span class="icon icon-circle-arrow-right"></span></a>
+        <a href="../OpenID-Connect-Guide/index.html" class="btn btn-neutral float-right" title="OpenID Connect Guide">Next <span class="icon icon-circle-arrow-right"></span></a>
       
       
         <a href="../Admin-Guide/index.html" class="btn btn-neutral" title="Admin Guide"><span class="icon icon-circle-arrow-left"></span> Previous</a>
@@ -497,7 +501,7 @@ <h2 id="rest-api">REST API</h2>
         <span><a href="../Admin-Guide/index.html" style="color: #fcfcfc;">&laquo; Previous</a></span>
       
       
-        <span style="margin-left: 15px"><a href="../Media-Segmentation-Guide/index.html" style="color: #fcfcfc">Next &raquo;</a></span>
+        <span style="margin-left: 15px"><a href="../OpenID-Connect-Guide/index.html" style="color: #fcfcfc">Next &raquo;</a></span>
       
     </span>
 </div>
diff --git a/docs/site/Workflow-Manager-Architecture/index.html b/docs/site/Workflow-Manager-Architecture/index.html
index 5800a002ac17..2ca900ba1294 100644
--- a/docs/site/Workflow-Manager-Architecture/index.html
+++ b/docs/site/Workflow-Manager-Architecture/index.html
@@ -89,6 +89,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="../OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="../Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/index.html b/docs/site/index.html
index 7d2e52a500e7..210b80f41dd5 100644
--- a/docs/site/index.html
+++ b/docs/site/index.html
@@ -95,6 +95,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
@@ -380,5 +384,5 @@ <h1 id="overview">Overview</h1>
 
 <!--
 MkDocs version : 0.17.5
-Build Date UTC : 2023-07-06 17:06:54
+Build Date UTC : 2023-07-20 16:41:58
 -->
diff --git a/docs/site/search.html b/docs/site/search.html
index e7da081eb955..42d254ae9a96 100644
--- a/docs/site/search.html
+++ b/docs/site/search.html
@@ -82,6 +82,10 @@
                 </li>
                 <li class="">
                     
+    <a class="" href="OpenID-Connect-Guide/index.html">OpenID Connect Guide</a>
+                </li>
+                <li class="">
+                    
     <a class="" href="Media-Segmentation-Guide/index.html">Media Segmentation Guide</a>
                 </li>
                 <li class="">
diff --git a/docs/site/search/search_index.json b/docs/site/search/search_index.json
index f09acf1c7034..68a323fa90cd 100644
--- a/docs/site/search/search_index.json
+++ b/docs/site/search/search_index.json
@@ -260,6 +260,36 @@
             "text": "This page allows a user to try out the  various REST API endpoints  provided by the workflow manager. It is intended to serve as a learning tool for technical users who wish to design and build systems that interact with the OpenMPF.  After selecting a functional category, such as \"meta\", \"jobs\", \"statistics\", \"nodes\", \"pipelines\", or \"system-message\", each REST endpoint for that category is shown in a list. Selecting one of them will cause it to expand and reveal more information about the request and response structures. If the request takes any parameters then a section will appear that allows the user to manually specify them.   In the example above, the \"/rest/jobs/{id}\" endpoint was selected. It takes a required \"id\" parameter that corresponds to a previously run job and returns a JSON representation of that job's information. The screenshot below shows the result of specifying an \"id\" of \"1\", providing the \"mpf\" user credentials when prompted, and then clicking the \"Try it out!\" button:   The HTTP response information is shown below the \"Try it out!\" button. Note that the structure of the \"Response Body\" is the same as the response model shown in the \"Response Class\" directly underneath the \"/rest/jobs/{id}\" label.",
             "title": "REST API"
         },
+        {
+            "location": "/OpenID-Connect-Guide/index.html",
+            "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manger\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nEnvironment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n    \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n    \nOIDC_ISSUER_URI\n will be used.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n    list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n    \nsub\n.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Start Keycloak in development mode:\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n2. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n    password \nadmin\n.\n\n\n3. Create a new realm:\n\n\n\n\nClick the dropdown box in the upper left that says \"master\".\n\n\nClick \"Create Realm\".\n\n\nEnter a realm name.\n\n\nClick \"Create\".\n\n\nUse the realm name you entered to set Workflow Manager's \nOIDC_ISSUER_URI\n environment\n    variable to: \nhttp://localhost:9090/realms/<realm-name>\n\n\n\n\n4. Create the client Workflow Manager will use to authenticate users:\n\n\n\n\nClick \"Clients\" in the left menu.\n\n\nClick \"Create client\".\n\n\nMake sure \"Client type\" is \"OpenID Connect\".\n\n\nEnter a client ID.\n\n\nClick \"Next\".\n\n\nEnable \"Client authentication\".\n\n\nMake sure \"Standard flow\" is checked.\n\n\nClick \"Next\"\n\n\nIn \"Valid redirect URIs\" enter the base URL for Workflow Manager with\n    \n/login/oauth2/code/provider\n appended.\n\n\nIn \"Valid post logout redirect URIs\" enter the base URL for Workflow Manager.\n\n\nClick \"Save\"\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\nOn the \"Client details\" page for the new client go to the \"Credentials\" tab.\n\n\nClick the eye icon next to \"Client secret\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the value displayed in\n    \"Client secret\".\n\n\n\n\n5. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nClick \"Realm roles\" in the left menu.\n\n\nClick \"Create role\".\n\n\nEnter a \"Role name\".\n\n\nClick \"Save\".\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n    Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n    \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n    like to set up both roles repeat this step.\n\n\n\n\n6. Include the Keycloak role(s) in the access token:\n\n\n\n\nClick \"Client scopes\" in the left menu.\n\n\nClick \"roles\".\n\n\nClick the \"Mappers\" tab.\n\n\nClick \"Add mapper\"\n\n\nClick \"From predefined mappers\".\n\n\nCheck \"groups\".\n\n\nClick \"Add\".\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 5 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n    \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n7. Optionally, configure Workflow Manager to display the user name instead of the ID.\n\n\n\n\nSet Workflow Manager's \nOIDC_USER_NAME_ATTR\n environment variable to \npreferred_username\n.\n\n\n\n\n8. Create users:\n\n\n\n\nClick \"Users\" in the left menu.\n\n\nClick \"Create new user\".\n\n\nEnter a \"Username\".\n\n\nClick \"Create\".\n\n\nClick the \"Credentials\" tab.\n\n\nClick \"Set password\".\n\n\nSet a password.\n\n\nUncheck \"Temporary\".\n\n\nClick \"Save\".\n\n\nClick the \"Role mapping\" tab.\n\n\nClick \"Assign role\".\n\n\nCheck one of the roles create in step 5.\n\n\nClick \"Assign\".\n\n\n\n\n9. You should now be able to start Workflow Manager. When you initially navigate to Workflow\n   Manager, you will be redirected to the Keycloak log in page. You can log in using the\n   users created in step 8.\n\n\n10. Add REST clients:\n\n\n\n\nClick \"Clients\" in the left menu.\n\n\nClick \"Create client\".\n\n\nSet a \"Client ID\".\n\n\nClick \"Next\".\n\n\nEnable \"Client authentication\".\n\n\nEnable \"Service accounts roles\".\n\n\nClick \"Next\".\n\n\nClick \"Save\".\n\n\nClick the \"Service account roles\" tab.\n\n\nClick \"Assign role\".\n\n\nCheck a role created in step 5.\n\n\nClick \"Assign\".\n\n\n\n\nTest REST authentication\n\n\nUsing the client id/secret from step 10 and the realm name from step 3, run the following command:\n\n\ncurl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://localhost:9090/realms/<realm-name>/protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token need to\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/jobs/1",
+            "title": "OpenID Connect Guide"
+        },
+        {
+            "location": "/OpenID-Connect-Guide/index.html#openid-connect-overview",
+            "text": "Workflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.",
+            "title": "OpenID Connect Overview"
+        },
+        {
+            "location": "/OpenID-Connect-Guide/index.html#configuration",
+            "text": "In order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the  OIDC_CLIENT_ID  and OIDC_CLIENT_SECRET  environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manger\nwith  /login/oauth2/code/provider  appended.  The documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the  OIDC_ISSUER_URI  environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with  /.well-known/openid-configuration  appended.  After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The  OIDC_USER_CLAIM_NAME  and  OIDC_ADMIN_CLAIM_NAME  environment variables\nspecify the name of claim that must be present. The  OIDC_USER_CLAIM_VALUE  and OIDC_ADMIN_CLAIM_VALUE  environment variables specify the required value of the claim.",
+            "title": "Configuration"
+        },
+        {
+            "location": "/OpenID-Connect-Guide/index.html#environment-variables",
+            "text": "OIDC_ISSUER_URI  (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If  OIDC_JWT_ISSUER_URI  is not set,  OIDC_ISSUER_URI  will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n     OIDC_ISSUER_URI  with  /.well-known/openid-configuration  appended.  OIDC_JWT_ISSUER_URI  (Optional): Works the same way as  OIDC_ISSUER_URI , except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n     OIDC_ISSUER_URI  will be used.  OIDC_CLIENT_ID  (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.  OIDC_CLIENT_SECRET  (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.  OIDC_USER_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     USER  role.  OIDC_USER_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_USER_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_ADMIN_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     ADMIN  role.  OIDC_ADMIN_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_ADMIN_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_SCOPES  (Optional): A comma-separated list the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be  openid , so if this environment variable is omitted or  openid  is not in the\n    list, it will be automatically added.  OIDC_USER_NAME_ATTR  (Optional): The name of the claim containing the user name. Defaults to\n     sub .",
+            "title": "Environment Variables"
+        },
+        {
+            "location": "/OpenID-Connect-Guide/index.html#example-with-keycloak",
+            "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.  1. Start Keycloak in development mode:  docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev  2. Go to  http://localhost:9090/admin  in a browser and login with username  admin  and\n    password  admin .  3. Create a new realm:   Click the dropdown box in the upper left that says \"master\".  Click \"Create Realm\".  Enter a realm name.  Click \"Create\".  Use the realm name you entered to set Workflow Manager's  OIDC_ISSUER_URI  environment\n    variable to:  http://localhost:9090/realms/<realm-name>   4. Create the client Workflow Manager will use to authenticate users:   Click \"Clients\" in the left menu.  Click \"Create client\".  Make sure \"Client type\" is \"OpenID Connect\".  Enter a client ID.  Click \"Next\".  Enable \"Client authentication\".  Make sure \"Standard flow\" is checked.  Click \"Next\"  In \"Valid redirect URIs\" enter the base URL for Workflow Manager with\n     /login/oauth2/code/provider  appended.  In \"Valid post logout redirect URIs\" enter the base URL for Workflow Manager.  Click \"Save\"  Set Workflow Manager's  OIDC_CLIENT_ID  environment variable to the client ID you entered.  On the \"Client details\" page for the new client go to the \"Credentials\" tab.  Click the eye icon next to \"Client secret\".  Set Workflow Manager's  OIDC_CLIENT_SECRET  environment variable to the value displayed in\n    \"Client secret\".   5. Create a Keycloak role that maps to a Workflow Manager role:   Click \"Realm roles\" in the left menu.  Click \"Create role\".  Enter a \"Role name\".  Click \"Save\".  If the Keycloak role should make the user an  ADMIN  in Workflow Manager, set Workflow\n    Manager's  OIDC_ADMIN_CLAIM_VALUE  to the role name you just entered. If it should be a\n     USER , then set the  OIDC_USER_CLAIM_VALUE  environment variable.  Only one of  OIDC_ADMIN_CLAIM_VALUE  and  OIDC_USER_CLAIM_VALUE  need to be set. If you would\n    like to set up both roles repeat this step.   6. Include the Keycloak role(s) in the access token:   Click \"Client scopes\" in the left menu.  Click \"roles\".  Click the \"Mappers\" tab.  Click \"Add mapper\"  Click \"From predefined mappers\".  Check \"groups\".  Click \"Add\".  The default name \"Token Claim Name\" is \"groups\". This can be changed.  If you created an  ADMIN  role in step 5 set  OIDC_ADMIN_CLAIM_NAME  to the value in\n    \"Token Claim Name\". If you created a  USER  role, do the same for  OIDC_USER_CLAIM_NAME .   7. Optionally, configure Workflow Manager to display the user name instead of the ID.   Set Workflow Manager's  OIDC_USER_NAME_ATTR  environment variable to  preferred_username .   8. Create users:   Click \"Users\" in the left menu.  Click \"Create new user\".  Enter a \"Username\".  Click \"Create\".  Click the \"Credentials\" tab.  Click \"Set password\".  Set a password.  Uncheck \"Temporary\".  Click \"Save\".  Click the \"Role mapping\" tab.  Click \"Assign role\".  Check one of the roles create in step 5.  Click \"Assign\".   9. You should now be able to start Workflow Manager. When you initially navigate to Workflow\n   Manager, you will be redirected to the Keycloak log in page. You can log in using the\n   users created in step 8.  10. Add REST clients:   Click \"Clients\" in the left menu.  Click \"Create client\".  Set a \"Client ID\".  Click \"Next\".  Enable \"Client authentication\".  Enable \"Service accounts roles\".  Click \"Next\".  Click \"Save\".  Click the \"Service account roles\" tab.  Click \"Assign role\".  Check a role created in step 5.  Click \"Assign\".",
+            "title": "Example with Keycloak"
+        },
+        {
+            "location": "/OpenID-Connect-Guide/index.html#test-rest-authentication",
+            "text": "Using the client id/secret from step 10 and the realm name from step 3, run the following command:  curl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://localhost:9090/realms/<realm-name>/protocol/openid-connect/token'  The response JSON will contain a token in the  \"access_token\"  property. That token need to\nincluded as a bearer token in REST requests to Workflow Manager. For example:  curl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/jobs/1",
+            "title": "Test REST authentication"
+        },
         {
             "location": "/Media-Segmentation-Guide/index.html",
             "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract, and is subject to the\nRights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023 The MITRE Corporation. All Rights Reserved.\n\n\nDetection Chaining\n\n\nThe OpenMPF has the ability to chain detection tasks together in a detection pipeline. As each detection stage in the pipeline completes, the volume of data to be processed in the next stage may be reduced. Generally, any detection tasks executed prior to the final detection task in the pipeline are referred to as preprocessors or filters. For example, consider the following pipeline which demonstrates the use of a motion preprocessor:\n\n\n\n\nIn the pipeline above, the motion preprocessor reduces the volume of data which is passed to the face detector. This is particularly useful when the input media collection contains videos captured by a fixed-location camera.  For example, a camera targeting a chokepoint such as a hallway door. The motion preprocessor will filter the input media so that only regions of video containing motion are passed on to the face detector.\n\n\nDetection pipelines may be created with, or without, preprocessors and filters using the Create Custom Pipelines view.\n\n\n\n\nWARNING: Preprocessors and filters may ultimately eliminate the entirety of a media file. When an entire media file is eliminated, none of the subsequent stages in the pipeline will operate on that file. Therefore, it is important to consider the consequences of using preprocessors/filters. For example, when the motion detection receives an image or audio file, its default behavior is to return a response indicating that the file did not contain any motion tracks. If the pipeline continued to face detection then none of the image files would be eligible for that kind of detection.\n\n\n\n\n\"USE_PREPROCESSOR\" Property\n\n\nIn order to mitigate the risk of eliminating useful media files simply because they are not supported by a detector using its default settings, some algorithms expose a \"USE_PREPROCESSOR\" property. When a user creates an action based on a detector with this property, the user may assign this property a nonzero value in order to indicate that the detector should behave as a preprocessor as opposed to a filter. When acting as a preprocessor, a detector will not emit an empty detection set when provided with an unsupported media type, rather it will return a single track spanning the duration of the media file. Thus, when configured with the \"USE_PREPROCESSOR\" setting, the motion detector will not prevent images from passing on to the next stage in the pipeline, for example.\n\n\nSegmenting Media\n\n\nThe OpenMPF allows users to configure video segmenting properties for actions in a pipeline. Audio files (which do not have the concept of \"frames\") and image files (which are treated like single-frame videos) are not affected by these properties.\n\n\nSegmenting is performed before a detection action in order to split work across the available detection services running on the various nodes in the OpenMPF cluster. In general, each instance of a detection service can process one video segment at a time. Multiple services can process separate segments at the same time, thus enabling parallel processing. There are two fundamental segmenting scenarios:\n\n\n\n\nSegmenting must be performed on a video which has not passed through a preprocessor or filter.\n\n\nSegmenting must be performed on a video which has passed through a preprocessor or filter.\n\n\n\n\nIn the first scenario the segmenting logic is less complex. The segmenter will create a supersegment corresponding to the entire length of the video (in frames), and it will then divide the supersegment into segments which respect the provided \"TARGET_SEGMENT_LENGTH\" and \"MIN_SEGMENT_LENGTH\" properties.\n\n\nIn the second scenario the segmenting logic is more complex. The segmenter first examines the start and stop times associated with all of the overlapping tracks produced by the previous detection action in the pipeline and proceeds to merge those intervals and segment the result. The goal is to generate a minimum number of segments that don't include unnecessary frames (frames that don't belong to any tracks). For example:\n\n\n\n\n\"TARGET_SEGMENT_LENGTH\" Property\n\n\nThis property indicates the preferred number of frames which will be provided to the detection component. For example, a value of \"100\" indicates that the input video should be split into 100-frame segments. Note that the properties \"MIN_SEGMENT_LENGTH\" and \"MIN_GAP_BETWEEN_SEGMENTS\" may ultimately cause segments to vary from the preferred segment size.\n\n\n\"MIN_SEGMENT_LENGTH\" Property\n\n\nIf a segment length is less than this value, the segment will be merged into the segment that precedes it. If no segment precedes it, the short segment will stand on its own. Short segments are not discarded.\n\n\nExample 1: Adjacent Segment Present\n\n\n\n\n\n\nIn this example, a preprocessor has completed and produced a single track.\n\n\nThe next detection action specifies the following parameters:\n\n\n\"TARGET_SEGMENT_LENGTH\" = 100\n\n\n\"MIN_SEGMENT_LENGTH\" = 75\n\n\n\n\n\n\nThree segments are initially produced from the input track with lengths corresponding to 100 frames, 100 frames, and 50 frames.\n\n\nSince segment 3 is not at least the minimum specified segment length, it is merged with segment 2.\n\n\nUltimately, two segments are produced.\n\n\n\n\nExample 2: No Adjacent Segment\n\n\n\n\n\n\nIn this example, a preprocessor has completed and produced two non-overlapping tracks.\n\n\nThe next detection action specifies the following parameters:\n\n\n\"TARGET_SEGMENT_LENGTH\" = 100\n\n\n\"MIN_SEGMENT_LENGTH\" = 75\n\n\n\"MIN_GAP_BETWEEN_SEGMENTS\" = 50\n\n\n\n\n\n\nThe segmenter begins by merging any segments which are less than \"MIN_GAP_BETWEEN_SEGMENTS\" apart. There are none.\n\n\nThe segmenter then splits the existing segments using the \"MIN_SEGMENT_LENGTH\" and \"TARGET_SEGMENT_LENGTH\" values.\n\n\nThe segmenter iterates through each segment produced. If the segment satisfies the minimum length constraint, it moves to the next segment.\n\n\nWhen it reaches the third segment and finds the length of 50 frames is not at least the minimum length, it merges that segment with the previous adjacent segment.\n\n\nWhen it reaches the final segment and finds that the length of 25 frames is not at least the minimum length, it creates a short segment since there is no adjacent preceding segment to merge it with.\n\n\n\n\n\n\nUltimately, three segments are produced.\n\n\n\n\n\"MIN_GAP_BETWEEN_SEGMENTS\" Property\n\n\nThis property is important to pipelines which contain preprocessors or filters and controls the minimum gap which must appear between consecutive segments. The purpose of this property is to prevent scenarios where a preprocessor or filter produces a large number of short segments separated by only a few frames. By merging the segments together prior to performing further segmentation, the number of work units produced by the segmenting plan can be reduced, thereby reducing pipeline execution time.\n\n\nConsider the following diagram, which further illustrates the purpose of this property:\n\n\n\n\n\n\nThe user submits a video to a pipeline containing a motion preprocessor followed by another extractor (e.g., face).\n\n\nThe video is initially split into segments using the properties provided by the motion preprocessor. Specifically, the preprocessor action specifies the following parameters and four segments are produced:\n\n\n\"TARGET_SEGMENT_LENGTH\" = \"250\"\n\n\n\"MIN_SEGMENT_LENGTH\" = \"150\"\n\n\n\"MERGE_TRACKS\" = \"true\"\n\n\n\n\n\n\nThe segments are submitted to the motion preprocessor, and five distinct and non-overlapping tracks are returned based on the frames of the segments in which motion is detected.\n\n\nBecause the \"MERGE_TRACKS\" property is set to \"true\", tracks are merged across segment boundaries if applicable.\n   This rule is applied to each pair of tracks that are only one frame apart (adjacent). Consequently, only three\n   tracks are ultimately derived from the video. (The number of tracks is reduced from five to three between the\n   \"Preprocessor\" and \"Track Merger\" phases of the diagram.) When two tracks are merged, the confidence value will be\n   set to the maximum confidence value of the two tracks and their track properties will be merged. If the two tracks\n   both have a track property with the same name but different values, the values will be concatenated with a\n   semicolon as the separator.\n\n\nThe non-overlapping tracks are then used to form the video segments for the next detection action. This action specifies the following parameters:\n\n\n\"TARGET_SEGMENT_LENGTH\" = \"75\"\n\n\n\"MIN_SEGMENT_LENGTH\" = \"26\"\n\n\n\"MIN_GAP_BETWEEN_SEGMENTS\" = \"100\"\n\n\n\n\n\n\nThe segmenting logic merges tracks which are less than \"MIN_GAP_BETWEEN_SEGMENTS\" frames apart into one long segment. Once all tracks have been merged, each track is segmented with respect to the provided \"TARGET_SEGMENT_LENGTH\" and \"MIN_SEGMENT_LENGTH\" properties. Ultimately, ten segments are produced. (Track #1 and Track #2 in the \"Track Merger\" phase of the diagram are combined, which is why Segment #3 in the \"Segmenter\" phase of the diagram includes the 25 frames that span the gap between those two tracks.)",
diff --git a/docs/site/sitemap.xml b/docs/site/sitemap.xml
index 1fc02116cfc1..e1221dd8adb7 100644
--- a/docs/site/sitemap.xml
+++ b/docs/site/sitemap.xml
@@ -2,127 +2,132 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
     <url>
      <loc>/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Release-Notes/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/License-And-Distribution/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Acknowledgements/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Install-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Admin-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/User-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
+     <changefreq>daily</changefreq>
+    </url>
+    <url>
+     <loc>/OpenID-Connect-Guide/index.html</loc>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Media-Segmentation-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Feed-Forward-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Derivative-Media-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Object-Storage-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Markup-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/TiesDb-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/REST-API/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Component-API-Overview/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Component-Descriptor-Reference/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/CPP-Batch-Component-API/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Python-Batch-Component-API/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Java-Batch-Component-API/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/GPU-Support-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Contributor-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Development-Environment-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Node-Guide/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Workflow-Manager-Architecture/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/CPP-Streaming-Component-API/index.html</loc>
-     <lastmod>2023-07-06</lastmod>
+     <lastmod>2023-07-20</lastmod>
      <changefreq>daily</changefreq>
     </url>
 </urlset>
\ No newline at end of file

From 1a49580bb13140eb792b0806542ff401d0990fbd Mon Sep 17 00:00:00 2001
From: Brian Rosenberg <brosenberg@mitre.org>
Date: Mon, 24 Jul 2023 10:27:31 -0400
Subject: [PATCH 2/6] Fix Docker issues

---
 docs/docs/OpenID-Connect-Guide.md         | 142 +++++++++-------------
 docs/site/OpenID-Connect-Guide/index.html | 123 +++++++------------
 docs/site/index.html                      |   2 +-
 docs/site/search/search_index.json        |   8 +-
 docs/site/sitemap.xml                     |  52 ++++----
 5 files changed, 133 insertions(+), 194 deletions(-)

diff --git a/docs/docs/OpenID-Connect-Guide.md b/docs/docs/OpenID-Connect-Guide.md
index 38b33900c6db..45897b444eeb 100644
--- a/docs/docs/OpenID-Connect-Guide.md
+++ b/docs/docs/OpenID-Connect-Guide.md
@@ -57,7 +57,11 @@ specify the name of claim that must be present. The `OIDC_USER_CLAIM_VALUE` and
     list, it will be automatically added.
 - `OIDC_USER_NAME_ATTR` (Optional): The name of the claim containing the user name. Defaults to
     `sub`.
-
+- `OIDC_REDIRECT_URI` (Optional): Specifies the URL the user's browser will be redirected to after
+    logging in to the OIDC provider. If provided, the URL must end in `/login/oauth2/code/provider`.
+    This would generally be used when the host name Workflow Manager uses to connect to the OIDC
+    provider is different from the OIDC provider's public host name. The value can use the
+    [template variables supported by Spring.](https://docs.spring.io/spring-security/reference/servlet/oauth2/client/authorization-grants.html#oauth2Client-auth-code-redirect-uri)
 
 
 ## Example with Keycloak
@@ -65,117 +69,83 @@ specify the name of claim that must be present. The `OIDC_USER_CLAIM_VALUE` and
 The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.
 It is just an example and should not be used in production.
 
-1\. Start Keycloak in development mode:
+1\. Get the Docker gateway IP address by running the command below. It will be used in later steps.
+```bash
+docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge
+```
+
+2\. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.
+    The values for the OIDC environment variables are dependent on how you set up Keycloak in the
+    following steps.
 ```bash
 docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
     quay.io/keycloak/keycloak:21.1.1 start-dev
 ```
 
-2\. Go to <http://localhost:9090/admin> in a browser and login with username `admin` and
+3\. Go to <http://localhost:9090/admin> in a browser and login with username `admin` and
     password `admin`.
 
-3\. Create a new realm:
-
-- Click the dropdown box in the upper left that says "master".
-- Click "Create Realm".
-- Enter a realm name.
-- Click "Create".
-- Use the realm name you entered to set Workflow Manager's `OIDC_ISSUER_URI` environment
-    variable to: `http://localhost:9090/realms/<realm-name>`
-
-
-4\. Create the client Workflow Manager will use to authenticate users:
-
-- Click "Clients" in the left menu.
-- Click "Create client".
-- Make sure "Client type" is "OpenID Connect".
-- Enter a client ID.
-- Click "Next".
-- Enable "Client authentication".
-- Make sure "Standard flow" is checked.
-- Click "Next"
-- In "Valid redirect URIs" enter the base URL for Workflow Manager with
-    `/login/oauth2/code/provider` appended.
-- In "Valid post logout redirect URIs" enter the base URL for Workflow Manager.
-- Click "Save"
+4\. Create a new realm:
+
+- Create a new realm using the drop down box in upper left that says "master".
+- Use the realm name you entered and the gateway IP address from step 1 to set Workflow
+    Manager's `OIDC_ISSUER_URI` environment variable to:
+    `http://<docker-gateway-ip>:9090/realms/<realm-name>`
+
+5\. Create the client Workflow Manager will use to authenticate users:
+
+- The "Client type" needs to be set to "OpenID Connect".
+- "Client authentication" must be enabled.
+- "Standard flow" must be enabled.
+- Set "Valid redirect URIs" to `http://localhost:8080/workflow-manager/login/oauth2/code/provider`
+- Set "Valid post logout redirect URIs" to `http://localhost:8080/workflow-manager`
 - Set Workflow Manager's `OIDC_CLIENT_ID` environment variable to the client ID you entered.
-- On the "Client details" page for the new client go to the "Credentials" tab.
-- Click the eye icon next to "Client secret".
-- Set Workflow Manager's `OIDC_CLIENT_SECRET` environment variable to the value displayed in
-    "Client secret".
+- Set Workflow Manager's `OIDC_CLIENT_SECRET` environment variable to the "Client secret" in the
+    "Credentials" tab.
 
-5\. Create a Keycloak role that maps to a Workflow Manager role:
+6\. Create a Keycloak role that maps to a Workflow Manager role:
 
-- Click "Realm roles" in the left menu.
-- Click "Create role".
-- Enter a "Role name".
-- Click "Save".
+- Use the "Realm roles" link in the left menu to create a new role.
 - If the Keycloak role should make the user an `ADMIN` in Workflow Manager, set Workflow
     Manager's `OIDC_ADMIN_CLAIM_VALUE` to the role name you just entered. If it should be a
     `USER`, then set the `OIDC_USER_CLAIM_VALUE` environment variable.
 - Only one of `OIDC_ADMIN_CLAIM_VALUE` and `OIDC_USER_CLAIM_VALUE` need to be set. If you would
     like to set up both roles repeat this step.
 
-6\. Include the Keycloak role(s) in the access token:
+7\. Include the Keycloak role(s) in the access token:
 
-- Click "Client scopes" in the left menu.
-- Click "roles".
-- Click the "Mappers" tab.
-- Click "Add mapper"
-- Click "From predefined mappers".
-- Check "groups".
-- Click "Add".
+- In the "Client scopes" menu add a mapper to the "roles" scope.
+- Use the "groups" prefined mapper
 - The default name "Token Claim Name" is "groups". This can be changed.
-- If you created an `ADMIN` role in step 5 set `OIDC_ADMIN_CLAIM_NAME` to the value in
+- If you created an `ADMIN` role in step 6 set `OIDC_ADMIN_CLAIM_NAME` to the value in
     "Token Claim Name". If you created a `USER` role, do the same for `OIDC_USER_CLAIM_NAME`.
 
-7\. Optionally, configure Workflow Manager to display the user name instead of the ID.
-
-- Set Workflow Manager's `OIDC_USER_NAME_ATTR` environment variable to `preferred_username`.
-
-8\. Create users:
-
-- Click "Users" in the left menu.
-- Click "Create new user".
-- Enter a "Username".
-- Click "Create".
-- Click the "Credentials" tab.
-- Click "Set password".
-- Set a password.
-- Uncheck "Temporary".
-- Click "Save".
-- Click the "Role mapping" tab.
-- Click "Assign role".
-- Check one of the roles create in step 5.
-- Click "Assign".
-
-9\. You should now be able to start Workflow Manager. When you initially navigate to Workflow
-   Manager, you will be redirected to the Keycloak log in page. You can log in using the
-   users created in step 8.
-
-10\. Add REST clients:
-
-- Click "Clients" in the left menu.
-- Click "Create client".
-- Set a "Client ID".
-- Click "Next".
-- Enable "Client authentication".
-- Enable "Service accounts roles".
-- Click "Next".
-- Click "Save".
-- Click the "Service account roles" tab.
-- Click "Assign role".
-- Check a role created in step 5.
-- Click "Assign".
+8\. Optionally, set Workflow Manager's `OIDC_USER_NAME_ATTR` to `preferred_username` to display the
+    user name instead of the ID.
+
+9\. Create Users
+
+- After creating a user, set a password in the "Credentials" tab.
+- Use the "Role mapping" tab to add the user to one of roles created in step 6.
+
+10\. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be
+     redirected to the Keycloak log in page. You can log in using the users created in step 9.
+
+11\. Add REST clients:
+
+- Use the "Clients" menu to create a new client.
+- The client needs to have "Client authentication" and "Service accounts roles" enabled.
+- Use the "Service account roles" tab to add the client to one of the roles created in step 5.
 
 
 ### Test REST authentication
-Using the client id/secret from step 10 and the realm name from step 3, run the following command:
+Using the Docker gateway IP address from step 1, the client ID and secret from step 11, and the
+realm name from step 4, run the following command:
 ```bash
-curl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://localhost:9090/realms/<realm-name>/protocol/openid-connect/token'
+curl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'
 ```
 The response JSON will contain a token in the `"access_token"` property. That token need to
 included as a bearer token in REST requests to Workflow Manager. For example:
 ```bash
-curl -H "Authorization: Bearer <access-token>" http://localhost:8080/workflow-manager/rest/jobs/1
+curl -H "Authorization: Bearer <access-token>" http://localhost:8080/workflow-manager/rest/actions
 ```
diff --git a/docs/site/OpenID-Connect-Guide/index.html b/docs/site/OpenID-Connect-Guide/index.html
index db5ddafaae08..f6ff22c6243d 100644
--- a/docs/site/OpenID-Connect-Guide/index.html
+++ b/docs/site/OpenID-Connect-Guide/index.html
@@ -281,115 +281,84 @@ <h3 id="environment-variables">Environment Variables</h3>
     list, it will be automatically added.</li>
 <li><code>OIDC_USER_NAME_ATTR</code> (Optional): The name of the claim containing the user name. Defaults to
     <code>sub</code>.</li>
+<li><code>OIDC_REDIRECT_URI</code> (Optional): Specifies the URL the user's browser will be redirected to after
+    logging in to the OIDC provider. If provided, the URL must end in <code>/login/oauth2/code/provider</code>.
+    This would generally be used when the host name Workflow Manager uses to connect to the OIDC
+    provider is different from the OIDC provider's public host name. The value can use the
+    <a href="https://docs.spring.io/spring-security/reference/servlet/oauth2/client/authorization-grants.html#oauth2Client-auth-code-redirect-uri">template variables supported by Spring.</a></li>
 </ul>
 <h2 id="example-with-keycloak">Example with Keycloak</h2>
 <p>The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.
 It is just an example and should not be used in production.</p>
-<p>1. Start Keycloak in development mode:</p>
+<p>1. Get the Docker gateway IP address by running the command below. It will be used in later steps.</p>
+<pre><code class="language-bash">docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge
+</code></pre>
+<p>2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.
+    The values for the OIDC environment variables are dependent on how you set up Keycloak in the
+    following steps.</p>
 <pre><code class="language-bash">docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
     quay.io/keycloak/keycloak:21.1.1 start-dev
 </code></pre>
-<p>2. Go to <a href="http://localhost:9090/admin">http://localhost:9090/admin</a> in a browser and login with username <code>admin</code> and
+<p>3. Go to <a href="http://localhost:9090/admin">http://localhost:9090/admin</a> in a browser and login with username <code>admin</code> and
     password <code>admin</code>.</p>
-<p>3. Create a new realm:</p>
+<p>4. Create a new realm:</p>
 <ul>
-<li>Click the dropdown box in the upper left that says "master".</li>
-<li>Click "Create Realm".</li>
-<li>Enter a realm name.</li>
-<li>Click "Create".</li>
-<li>Use the realm name you entered to set Workflow Manager's <code>OIDC_ISSUER_URI</code> environment
-    variable to: <code>http://localhost:9090/realms/&lt;realm-name&gt;</code></li>
+<li>Create a new realm using the drop down box in upper left that says "master".</li>
+<li>Use the realm name you entered and the gateway IP address from step 1 to set Workflow
+    Manager's <code>OIDC_ISSUER_URI</code> environment variable to:
+    <code>http://&lt;docker-gateway-ip&gt;:9090/realms/&lt;realm-name&gt;</code></li>
 </ul>
-<p>4. Create the client Workflow Manager will use to authenticate users:</p>
+<p>5. Create the client Workflow Manager will use to authenticate users:</p>
 <ul>
-<li>Click "Clients" in the left menu.</li>
-<li>Click "Create client".</li>
-<li>Make sure "Client type" is "OpenID Connect".</li>
-<li>Enter a client ID.</li>
-<li>Click "Next".</li>
-<li>Enable "Client authentication".</li>
-<li>Make sure "Standard flow" is checked.</li>
-<li>Click "Next"</li>
-<li>In "Valid redirect URIs" enter the base URL for Workflow Manager with
-    <code>/login/oauth2/code/provider</code> appended.</li>
-<li>In "Valid post logout redirect URIs" enter the base URL for Workflow Manager.</li>
-<li>Click "Save"</li>
+<li>The "Client type" needs to be set to "OpenID Connect".</li>
+<li>"Client authentication" must be enabled.</li>
+<li>"Standard flow" must be enabled.</li>
+<li>Set "Valid redirect URIs" to <code>http://localhost:8080/workflow-manager/login/oauth2/code/provider</code></li>
+<li>Set "Valid post logout redirect URIs" to <code>http://localhost:8080/workflow-manager</code></li>
 <li>Set Workflow Manager's <code>OIDC_CLIENT_ID</code> environment variable to the client ID you entered.</li>
-<li>On the "Client details" page for the new client go to the "Credentials" tab.</li>
-<li>Click the eye icon next to "Client secret".</li>
-<li>Set Workflow Manager's <code>OIDC_CLIENT_SECRET</code> environment variable to the value displayed in
-    "Client secret".</li>
+<li>Set Workflow Manager's <code>OIDC_CLIENT_SECRET</code> environment variable to the "Client secret" in the
+    "Credentials" tab.</li>
 </ul>
-<p>5. Create a Keycloak role that maps to a Workflow Manager role:</p>
+<p>6. Create a Keycloak role that maps to a Workflow Manager role:</p>
 <ul>
-<li>Click "Realm roles" in the left menu.</li>
-<li>Click "Create role".</li>
-<li>Enter a "Role name".</li>
-<li>Click "Save".</li>
+<li>Use the "Realm roles" link in the left menu to create a new role.</li>
 <li>If the Keycloak role should make the user an <code>ADMIN</code> in Workflow Manager, set Workflow
     Manager's <code>OIDC_ADMIN_CLAIM_VALUE</code> to the role name you just entered. If it should be a
     <code>USER</code>, then set the <code>OIDC_USER_CLAIM_VALUE</code> environment variable.</li>
 <li>Only one of <code>OIDC_ADMIN_CLAIM_VALUE</code> and <code>OIDC_USER_CLAIM_VALUE</code> need to be set. If you would
     like to set up both roles repeat this step.</li>
 </ul>
-<p>6. Include the Keycloak role(s) in the access token:</p>
+<p>7. Include the Keycloak role(s) in the access token:</p>
 <ul>
-<li>Click "Client scopes" in the left menu.</li>
-<li>Click "roles".</li>
-<li>Click the "Mappers" tab.</li>
-<li>Click "Add mapper"</li>
-<li>Click "From predefined mappers".</li>
-<li>Check "groups".</li>
-<li>Click "Add".</li>
+<li>In the "Client scopes" menu add a mapper to the "roles" scope.</li>
+<li>Use the "groups" prefined mapper</li>
 <li>The default name "Token Claim Name" is "groups". This can be changed.</li>
-<li>If you created an <code>ADMIN</code> role in step 5 set <code>OIDC_ADMIN_CLAIM_NAME</code> to the value in
+<li>If you created an <code>ADMIN</code> role in step 6 set <code>OIDC_ADMIN_CLAIM_NAME</code> to the value in
     "Token Claim Name". If you created a <code>USER</code> role, do the same for <code>OIDC_USER_CLAIM_NAME</code>.</li>
 </ul>
-<p>7. Optionally, configure Workflow Manager to display the user name instead of the ID.</p>
-<ul>
-<li>Set Workflow Manager's <code>OIDC_USER_NAME_ATTR</code> environment variable to <code>preferred_username</code>.</li>
-</ul>
-<p>8. Create users:</p>
+<p>8. Optionally, set Workflow Manager's <code>OIDC_USER_NAME_ATTR</code> to <code>preferred_username</code> to display the
+    user name instead of the ID.</p>
+<p>9. Create Users</p>
 <ul>
-<li>Click "Users" in the left menu.</li>
-<li>Click "Create new user".</li>
-<li>Enter a "Username".</li>
-<li>Click "Create".</li>
-<li>Click the "Credentials" tab.</li>
-<li>Click "Set password".</li>
-<li>Set a password.</li>
-<li>Uncheck "Temporary".</li>
-<li>Click "Save".</li>
-<li>Click the "Role mapping" tab.</li>
-<li>Click "Assign role".</li>
-<li>Check one of the roles create in step 5.</li>
-<li>Click "Assign".</li>
+<li>After creating a user, set a password in the "Credentials" tab.</li>
+<li>Use the "Role mapping" tab to add the user to one of roles created in step 6.</li>
 </ul>
-<p>9. You should now be able to start Workflow Manager. When you initially navigate to Workflow
-   Manager, you will be redirected to the Keycloak log in page. You can log in using the
-   users created in step 8.</p>
-<p>10. Add REST clients:</p>
+<p>10. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be
+     redirected to the Keycloak log in page. You can log in using the users created in step 9.</p>
+<p>11. Add REST clients:</p>
 <ul>
-<li>Click "Clients" in the left menu.</li>
-<li>Click "Create client".</li>
-<li>Set a "Client ID".</li>
-<li>Click "Next".</li>
-<li>Enable "Client authentication".</li>
-<li>Enable "Service accounts roles".</li>
-<li>Click "Next".</li>
-<li>Click "Save".</li>
-<li>Click the "Service account roles" tab.</li>
-<li>Click "Assign role".</li>
-<li>Check a role created in step 5.</li>
-<li>Click "Assign".</li>
+<li>Use the "Clients" menu to create a new client.</li>
+<li>The client needs to have "Client authentication" and "Service accounts roles" enabled.</li>
+<li>Use the "Service account roles" tab to add the client to one of the roles created in step 5.</li>
 </ul>
 <h3 id="test-rest-authentication">Test REST authentication</h3>
-<p>Using the client id/secret from step 10 and the realm name from step 3, run the following command:</p>
-<pre><code class="language-bash">curl -d grant_type=client_credentials -u '&lt;client-id&gt;:&lt;client-secret&gt;' 'http://localhost:9090/realms/&lt;realm-name&gt;/protocol/openid-connect/token'
+<p>Using the Docker gateway IP address from step 1, the client ID and secret from step 11, and the
+realm name from step 4, run the following command:</p>
+<pre><code class="language-bash">curl -d grant_type=client_credentials -u '&lt;client-id&gt;:&lt;client-secret&gt;' 'http://&lt;docker-gateway-ip&gt;:9090/realms/&lt;realm-name&gt;/protocol/openid-connect/token'
 </code></pre>
 <p>The response JSON will contain a token in the <code>"access_token"</code> property. That token need to
 included as a bearer token in REST requests to Workflow Manager. For example:</p>
-<pre><code class="language-bash">curl -H &quot;Authorization: Bearer &lt;access-token&gt;&quot; http://localhost:8080/workflow-manager/rest/jobs/1
+<pre><code class="language-bash">curl -H &quot;Authorization: Bearer &lt;access-token&gt;&quot; http://localhost:8080/workflow-manager/rest/actions
 </code></pre>
               
             </div>
diff --git a/docs/site/index.html b/docs/site/index.html
index 210b80f41dd5..86116c01571c 100644
--- a/docs/site/index.html
+++ b/docs/site/index.html
@@ -384,5 +384,5 @@ <h1 id="overview">Overview</h1>
 
 <!--
 MkDocs version : 0.17.5
-Build Date UTC : 2023-07-20 16:41:58
+Build Date UTC : 2023-07-24 14:26:38
 -->
diff --git a/docs/site/search/search_index.json b/docs/site/search/search_index.json
index 68a323fa90cd..3941683050eb 100644
--- a/docs/site/search/search_index.json
+++ b/docs/site/search/search_index.json
@@ -262,7 +262,7 @@
         },
         {
             "location": "/OpenID-Connect-Guide/index.html",
-            "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manger\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nEnvironment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n    \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n    \nOIDC_ISSUER_URI\n will be used.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n    list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n    \nsub\n.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Start Keycloak in development mode:\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n2. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n    password \nadmin\n.\n\n\n3. Create a new realm:\n\n\n\n\nClick the dropdown box in the upper left that says \"master\".\n\n\nClick \"Create Realm\".\n\n\nEnter a realm name.\n\n\nClick \"Create\".\n\n\nUse the realm name you entered to set Workflow Manager's \nOIDC_ISSUER_URI\n environment\n    variable to: \nhttp://localhost:9090/realms/<realm-name>\n\n\n\n\n4. Create the client Workflow Manager will use to authenticate users:\n\n\n\n\nClick \"Clients\" in the left menu.\n\n\nClick \"Create client\".\n\n\nMake sure \"Client type\" is \"OpenID Connect\".\n\n\nEnter a client ID.\n\n\nClick \"Next\".\n\n\nEnable \"Client authentication\".\n\n\nMake sure \"Standard flow\" is checked.\n\n\nClick \"Next\"\n\n\nIn \"Valid redirect URIs\" enter the base URL for Workflow Manager with\n    \n/login/oauth2/code/provider\n appended.\n\n\nIn \"Valid post logout redirect URIs\" enter the base URL for Workflow Manager.\n\n\nClick \"Save\"\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\nOn the \"Client details\" page for the new client go to the \"Credentials\" tab.\n\n\nClick the eye icon next to \"Client secret\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the value displayed in\n    \"Client secret\".\n\n\n\n\n5. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nClick \"Realm roles\" in the left menu.\n\n\nClick \"Create role\".\n\n\nEnter a \"Role name\".\n\n\nClick \"Save\".\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n    Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n    \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n    like to set up both roles repeat this step.\n\n\n\n\n6. Include the Keycloak role(s) in the access token:\n\n\n\n\nClick \"Client scopes\" in the left menu.\n\n\nClick \"roles\".\n\n\nClick the \"Mappers\" tab.\n\n\nClick \"Add mapper\"\n\n\nClick \"From predefined mappers\".\n\n\nCheck \"groups\".\n\n\nClick \"Add\".\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 5 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n    \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n7. Optionally, configure Workflow Manager to display the user name instead of the ID.\n\n\n\n\nSet Workflow Manager's \nOIDC_USER_NAME_ATTR\n environment variable to \npreferred_username\n.\n\n\n\n\n8. Create users:\n\n\n\n\nClick \"Users\" in the left menu.\n\n\nClick \"Create new user\".\n\n\nEnter a \"Username\".\n\n\nClick \"Create\".\n\n\nClick the \"Credentials\" tab.\n\n\nClick \"Set password\".\n\n\nSet a password.\n\n\nUncheck \"Temporary\".\n\n\nClick \"Save\".\n\n\nClick the \"Role mapping\" tab.\n\n\nClick \"Assign role\".\n\n\nCheck one of the roles create in step 5.\n\n\nClick \"Assign\".\n\n\n\n\n9. You should now be able to start Workflow Manager. When you initially navigate to Workflow\n   Manager, you will be redirected to the Keycloak log in page. You can log in using the\n   users created in step 8.\n\n\n10. Add REST clients:\n\n\n\n\nClick \"Clients\" in the left menu.\n\n\nClick \"Create client\".\n\n\nSet a \"Client ID\".\n\n\nClick \"Next\".\n\n\nEnable \"Client authentication\".\n\n\nEnable \"Service accounts roles\".\n\n\nClick \"Next\".\n\n\nClick \"Save\".\n\n\nClick the \"Service account roles\" tab.\n\n\nClick \"Assign role\".\n\n\nCheck a role created in step 5.\n\n\nClick \"Assign\".\n\n\n\n\nTest REST authentication\n\n\nUsing the client id/secret from step 10 and the realm name from step 3, run the following command:\n\n\ncurl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://localhost:9090/realms/<realm-name>/protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token need to\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/jobs/1",
+            "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manger\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nEnvironment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n    \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n    \nOIDC_ISSUER_URI\n will be used.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n    list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n    \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n    This would generally be used when the host name Workflow Manager uses to connect to the OIDC\n    provider is different from the OIDC provider's public host name. The value can use the\n    \ntemplate variables supported by Spring.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n    password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\nUse the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager's \nOIDC_ISSUER_URI\n environment variable to:\n    \nhttp://<docker-gateway-ip>:9090/realms/<realm-name>\n\n\n\n\n5. Create the client Workflow Manager will use to authenticate users:\n\n\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\nSet \"Valid redirect URIs\" to \nhttp://localhost:8080/workflow-manager/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080/workflow-manager\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n    Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n    \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n    like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" prefined mapper\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n    \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n    user name instead of the ID.\n\n\n9. Create Users\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\n11. Add REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 5.\n\n\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token need to\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/actions",
             "title": "OpenID Connect Guide"
         },
         {
@@ -277,17 +277,17 @@
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#environment-variables",
-            "text": "OIDC_ISSUER_URI  (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If  OIDC_JWT_ISSUER_URI  is not set,  OIDC_ISSUER_URI  will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n     OIDC_ISSUER_URI  with  /.well-known/openid-configuration  appended.  OIDC_JWT_ISSUER_URI  (Optional): Works the same way as  OIDC_ISSUER_URI , except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n     OIDC_ISSUER_URI  will be used.  OIDC_CLIENT_ID  (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.  OIDC_CLIENT_SECRET  (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.  OIDC_USER_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     USER  role.  OIDC_USER_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_USER_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_ADMIN_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     ADMIN  role.  OIDC_ADMIN_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_ADMIN_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_SCOPES  (Optional): A comma-separated list the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be  openid , so if this environment variable is omitted or  openid  is not in the\n    list, it will be automatically added.  OIDC_USER_NAME_ATTR  (Optional): The name of the claim containing the user name. Defaults to\n     sub .",
+            "text": "OIDC_ISSUER_URI  (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If  OIDC_JWT_ISSUER_URI  is not set,  OIDC_ISSUER_URI  will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n     OIDC_ISSUER_URI  with  /.well-known/openid-configuration  appended.  OIDC_JWT_ISSUER_URI  (Optional): Works the same way as  OIDC_ISSUER_URI , except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n     OIDC_ISSUER_URI  will be used.  OIDC_CLIENT_ID  (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.  OIDC_CLIENT_SECRET  (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.  OIDC_USER_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     USER  role.  OIDC_USER_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_USER_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_ADMIN_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     ADMIN  role.  OIDC_ADMIN_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_ADMIN_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_SCOPES  (Optional): A comma-separated list the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be  openid , so if this environment variable is omitted or  openid  is not in the\n    list, it will be automatically added.  OIDC_USER_NAME_ATTR  (Optional): The name of the claim containing the user name. Defaults to\n     sub .  OIDC_REDIRECT_URI  (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in  /login/oauth2/code/provider .\n    This would generally be used when the host name Workflow Manager uses to connect to the OIDC\n    provider is different from the OIDC provider's public host name. The value can use the\n     template variables supported by Spring.",
             "title": "Environment Variables"
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#example-with-keycloak",
-            "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.  1. Start Keycloak in development mode:  docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev  2. Go to  http://localhost:9090/admin  in a browser and login with username  admin  and\n    password  admin .  3. Create a new realm:   Click the dropdown box in the upper left that says \"master\".  Click \"Create Realm\".  Enter a realm name.  Click \"Create\".  Use the realm name you entered to set Workflow Manager's  OIDC_ISSUER_URI  environment\n    variable to:  http://localhost:9090/realms/<realm-name>   4. Create the client Workflow Manager will use to authenticate users:   Click \"Clients\" in the left menu.  Click \"Create client\".  Make sure \"Client type\" is \"OpenID Connect\".  Enter a client ID.  Click \"Next\".  Enable \"Client authentication\".  Make sure \"Standard flow\" is checked.  Click \"Next\"  In \"Valid redirect URIs\" enter the base URL for Workflow Manager with\n     /login/oauth2/code/provider  appended.  In \"Valid post logout redirect URIs\" enter the base URL for Workflow Manager.  Click \"Save\"  Set Workflow Manager's  OIDC_CLIENT_ID  environment variable to the client ID you entered.  On the \"Client details\" page for the new client go to the \"Credentials\" tab.  Click the eye icon next to \"Client secret\".  Set Workflow Manager's  OIDC_CLIENT_SECRET  environment variable to the value displayed in\n    \"Client secret\".   5. Create a Keycloak role that maps to a Workflow Manager role:   Click \"Realm roles\" in the left menu.  Click \"Create role\".  Enter a \"Role name\".  Click \"Save\".  If the Keycloak role should make the user an  ADMIN  in Workflow Manager, set Workflow\n    Manager's  OIDC_ADMIN_CLAIM_VALUE  to the role name you just entered. If it should be a\n     USER , then set the  OIDC_USER_CLAIM_VALUE  environment variable.  Only one of  OIDC_ADMIN_CLAIM_VALUE  and  OIDC_USER_CLAIM_VALUE  need to be set. If you would\n    like to set up both roles repeat this step.   6. Include the Keycloak role(s) in the access token:   Click \"Client scopes\" in the left menu.  Click \"roles\".  Click the \"Mappers\" tab.  Click \"Add mapper\"  Click \"From predefined mappers\".  Check \"groups\".  Click \"Add\".  The default name \"Token Claim Name\" is \"groups\". This can be changed.  If you created an  ADMIN  role in step 5 set  OIDC_ADMIN_CLAIM_NAME  to the value in\n    \"Token Claim Name\". If you created a  USER  role, do the same for  OIDC_USER_CLAIM_NAME .   7. Optionally, configure Workflow Manager to display the user name instead of the ID.   Set Workflow Manager's  OIDC_USER_NAME_ATTR  environment variable to  preferred_username .   8. Create users:   Click \"Users\" in the left menu.  Click \"Create new user\".  Enter a \"Username\".  Click \"Create\".  Click the \"Credentials\" tab.  Click \"Set password\".  Set a password.  Uncheck \"Temporary\".  Click \"Save\".  Click the \"Role mapping\" tab.  Click \"Assign role\".  Check one of the roles create in step 5.  Click \"Assign\".   9. You should now be able to start Workflow Manager. When you initially navigate to Workflow\n   Manager, you will be redirected to the Keycloak log in page. You can log in using the\n   users created in step 8.  10. Add REST clients:   Click \"Clients\" in the left menu.  Click \"Create client\".  Set a \"Client ID\".  Click \"Next\".  Enable \"Client authentication\".  Enable \"Service accounts roles\".  Click \"Next\".  Click \"Save\".  Click the \"Service account roles\" tab.  Click \"Assign role\".  Check a role created in step 5.  Click \"Assign\".",
+            "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.  1. Get the Docker gateway IP address by running the command below. It will be used in later steps.  docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge  2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.  docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev  3. Go to  http://localhost:9090/admin  in a browser and login with username  admin  and\n    password  admin .  4. Create a new realm:   Create a new realm using the drop down box in upper left that says \"master\".  Use the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager's  OIDC_ISSUER_URI  environment variable to:\n     http://<docker-gateway-ip>:9090/realms/<realm-name>   5. Create the client Workflow Manager will use to authenticate users:   The \"Client type\" needs to be set to \"OpenID Connect\".  \"Client authentication\" must be enabled.  \"Standard flow\" must be enabled.  Set \"Valid redirect URIs\" to  http://localhost:8080/workflow-manager/login/oauth2/code/provider  Set \"Valid post logout redirect URIs\" to  http://localhost:8080/workflow-manager  Set Workflow Manager's  OIDC_CLIENT_ID  environment variable to the client ID you entered.  Set Workflow Manager's  OIDC_CLIENT_SECRET  environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.   6. Create a Keycloak role that maps to a Workflow Manager role:   Use the \"Realm roles\" link in the left menu to create a new role.  If the Keycloak role should make the user an  ADMIN  in Workflow Manager, set Workflow\n    Manager's  OIDC_ADMIN_CLAIM_VALUE  to the role name you just entered. If it should be a\n     USER , then set the  OIDC_USER_CLAIM_VALUE  environment variable.  Only one of  OIDC_ADMIN_CLAIM_VALUE  and  OIDC_USER_CLAIM_VALUE  need to be set. If you would\n    like to set up both roles repeat this step.   7. Include the Keycloak role(s) in the access token:   In the \"Client scopes\" menu add a mapper to the \"roles\" scope.  Use the \"groups\" prefined mapper  The default name \"Token Claim Name\" is \"groups\". This can be changed.  If you created an  ADMIN  role in step 6 set  OIDC_ADMIN_CLAIM_NAME  to the value in\n    \"Token Claim Name\". If you created a  USER  role, do the same for  OIDC_USER_CLAIM_NAME .   8. Optionally, set Workflow Manager's  OIDC_USER_NAME_ATTR  to  preferred_username  to display the\n    user name instead of the ID.  9. Create Users   After creating a user, set a password in the \"Credentials\" tab.  Use the \"Role mapping\" tab to add the user to one of roles created in step 6.   10. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.  11. Add REST clients:   Use the \"Clients\" menu to create a new client.  The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.  Use the \"Service account roles\" tab to add the client to one of the roles created in step 5.",
             "title": "Example with Keycloak"
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#test-rest-authentication",
-            "text": "Using the client id/secret from step 10 and the realm name from step 3, run the following command:  curl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://localhost:9090/realms/<realm-name>/protocol/openid-connect/token'  The response JSON will contain a token in the  \"access_token\"  property. That token need to\nincluded as a bearer token in REST requests to Workflow Manager. For example:  curl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/jobs/1",
+            "text": "Using the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:  curl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'  The response JSON will contain a token in the  \"access_token\"  property. That token need to\nincluded as a bearer token in REST requests to Workflow Manager. For example:  curl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/actions",
             "title": "Test REST authentication"
         },
         {
diff --git a/docs/site/sitemap.xml b/docs/site/sitemap.xml
index e1221dd8adb7..1ea5a762c49a 100644
--- a/docs/site/sitemap.xml
+++ b/docs/site/sitemap.xml
@@ -2,132 +2,132 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
     <url>
      <loc>/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Release-Notes/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/License-And-Distribution/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Acknowledgements/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Install-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Admin-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/User-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/OpenID-Connect-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Media-Segmentation-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Feed-Forward-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Derivative-Media-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Object-Storage-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Markup-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/TiesDb-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/REST-API/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Component-API-Overview/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Component-Descriptor-Reference/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/CPP-Batch-Component-API/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Python-Batch-Component-API/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Java-Batch-Component-API/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/GPU-Support-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Contributor-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Development-Environment-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Node-Guide/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Workflow-Manager-Architecture/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/CPP-Streaming-Component-API/index.html</loc>
-     <lastmod>2023-07-20</lastmod>
+     <lastmod>2023-07-24</lastmod>
      <changefreq>daily</changefreq>
     </url>
 </urlset>
\ No newline at end of file

From acbecc2ebe661d71e1060327c05e3d4dac6b63d5 Mon Sep 17 00:00:00 2001
From: Brian Rosenberg <brosenberg@mitre.org>
Date: Fri, 15 Sep 2023 13:43:55 -0400
Subject: [PATCH 3/6] Address PR issues

---
 docs/docs/OpenID-Connect-Guide.md         | 41 ++++++++++--------
 docs/site/OpenID-Connect-Guide/index.html | 35 ++++++++++-----
 docs/site/index.html                      |  2 +-
 docs/site/search/search_index.json        | 10 ++---
 docs/site/sitemap.xml                     | 52 +++++++++++------------
 5 files changed, 81 insertions(+), 59 deletions(-)

diff --git a/docs/docs/OpenID-Connect-Guide.md b/docs/docs/OpenID-Connect-Guide.md
index 45897b444eeb..ba019520d292 100644
--- a/docs/docs/OpenID-Connect-Guide.md
+++ b/docs/docs/OpenID-Connect-Guide.md
@@ -12,7 +12,7 @@ In order to use OIDC, Workflow Manager must first be registered with OIDC provid
 process for this varies by provider.  As part of the registration process, a client ID and client
 secret should be provided. Those values should be set in the `OIDC_CLIENT_ID` and
 `OIDC_CLIENT_SECRET` environment variables. During the registration process the provider will
-likely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manger
+likely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager
 with `/login/oauth2/code/provider` appended.
 
 The documentation for the OIDC provider should specify the base URI a client should use to
@@ -23,7 +23,7 @@ request to the URI with `/.well-known/openid-configuration` appended.
 After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a
 claim with a specific value to determine if the user is authorized to access Workflow Manager and
 with what role. The `OIDC_USER_CLAIM_NAME` and `OIDC_ADMIN_CLAIM_NAME` environment variables
-specify the name of claim that must be present. The `OIDC_USER_CLAIM_VALUE` and
+specify the name of the claim that must be present. The `OIDC_USER_CLAIM_VALUE` and
 `OIDC_ADMIN_CLAIM_VALUE` environment variables specify the required value of the claim.
 
 
@@ -51,7 +51,7 @@ specify the name of claim that must be present. The `OIDC_USER_CLAIM_VALUE` and
     `ADMIN` role.
 - `OIDC_ADMIN_CLAIM_VALUE` (Optional): Specifies the required value of the claim specified in
     `OIDC_ADMIN_CLAIM_NAME`. If the claim is a list, only one of the values in the list must match.
-- `OIDC_SCOPES` (Optional): A comma-separated list the scopes to be requested from the OIDC
+- `OIDC_SCOPES` (Optional): A comma-separated list of the scopes to be requested from the OIDC
     provider when authenticating a user through the web UI. The OIDC specification requires one of
     the scopes to be `openid`, so if this environment variable is omitted or `openid` is not in the
     list, it will be automatically added.
@@ -59,8 +59,8 @@ specify the name of claim that must be present. The `OIDC_USER_CLAIM_VALUE` and
     `sub`.
 - `OIDC_REDIRECT_URI` (Optional): Specifies the URL the user's browser will be redirected to after
     logging in to the OIDC provider. If provided, the URL must end in `/login/oauth2/code/provider`.
-    This would generally be used when the host name Workflow Manager uses to connect to the OIDC
-    provider is different from the OIDC provider's public host name. The value can use the
+    This would generally be used when the host name that Workflow Manager uses to connect to the
+    OIDC provider is different from the OIDC provider's public host name. The value can use the
     [template variables supported by Spring.](https://docs.spring.io/spring-security/reference/servlet/oauth2/client/authorization-grants.html#oauth2Client-auth-code-redirect-uri)
 
 
@@ -92,14 +92,20 @@ docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin
     Manager's `OIDC_ISSUER_URI` environment variable to:
     `http://<docker-gateway-ip>:9090/realms/<realm-name>`
 
-5\. Create the client Workflow Manager will use to authenticate users:
-
-- The "Client type" needs to be set to "OpenID Connect".
-- "Client authentication" must be enabled.
-- "Standard flow" must be enabled.
-- Set "Valid redirect URIs" to `http://localhost:8080/workflow-manager/login/oauth2/code/provider`
-- Set "Valid post logout redirect URIs" to `http://localhost:8080/workflow-manager`
-- Set Workflow Manager's `OIDC_CLIENT_ID` environment variable to the client ID you entered.
+5\. Create the client that Workflow Manager will use to authenticate users:
+
+- Use the "Clients" link in the left menu to create a new client.
+- General Settings:
+    - The "Client type" needs to be set to "OpenID Connect".
+    - Enter a "Client ID".
+    - Set Workflow Manager's `OIDC_CLIENT_ID` environment variable to the client ID you entered.
+- Capability config:
+    - "Client authentication" must be enabled.
+    - "Standard flow" must be enabled.
+- Login settings:
+    - Set "Valid redirect URIs" to
+      `http://localhost:8080/workflow-manager/login/oauth2/code/provider`
+    - Set "Valid post logout redirect URIs" to `http://localhost:8080/workflow-manager`
 - Set Workflow Manager's `OIDC_CLIENT_SECRET` environment variable to the "Client secret" in the
     "Credentials" tab.
 
@@ -115,7 +121,7 @@ docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin
 7\. Include the Keycloak role(s) in the access token:
 
 - In the "Client scopes" menu add a mapper to the "roles" scope.
-- Use the "groups" prefined mapper
+- Use the "groups" predefined mapper.
 - The default name "Token Claim Name" is "groups". This can be changed.
 - If you created an `ADMIN` role in step 6 set `OIDC_ADMIN_CLAIM_NAME` to the value in
     "Token Claim Name". If you created a `USER` role, do the same for `OIDC_USER_CLAIM_NAME`.
@@ -134,8 +140,9 @@ docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin
 11\. Add REST clients:
 
 - Use the "Clients" menu to create a new client.
-- The client needs to have "Client authentication" and "Service accounts roles" enabled.
-- Use the "Service account roles" tab to add the client to one of the roles created in step 5.
+- Capability config:
+    - The client needs to have "Client authentication" and "Service accounts roles" enabled.
+    - Use the "Service account roles" tab to add the client to one of the roles created in step 5.
 
 
 ### Test REST authentication
@@ -144,7 +151,7 @@ realm name from step 4, run the following command:
 ```bash
 curl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'
 ```
-The response JSON will contain a token in the `"access_token"` property. That token need to
+The response JSON will contain a token in the `"access_token"` property. That token needs to be
 included as a bearer token in REST requests to Workflow Manager. For example:
 ```bash
 curl -H "Authorization: Bearer <access-token>" http://localhost:8080/workflow-manager/rest/actions
diff --git a/docs/site/OpenID-Connect-Guide/index.html b/docs/site/OpenID-Connect-Guide/index.html
index f6ff22c6243d..a580322d6be4 100644
--- a/docs/site/OpenID-Connect-Guide/index.html
+++ b/docs/site/OpenID-Connect-Guide/index.html
@@ -241,7 +241,7 @@ <h2 id="configuration">Configuration</h2>
 process for this varies by provider.  As part of the registration process, a client ID and client
 secret should be provided. Those values should be set in the <code>OIDC_CLIENT_ID</code> and
 <code>OIDC_CLIENT_SECRET</code> environment variables. During the registration process the provider will
-likely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manger
+likely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager
 with <code>/login/oauth2/code/provider</code> appended.</p>
 <p>The documentation for the OIDC provider should specify the base URI a client should use to
 authenticate users. The URI should be set in the <code>OIDC_ISSUER_URI</code> environment variable. To verify
@@ -250,7 +250,7 @@ <h2 id="configuration">Configuration</h2>
 <p>After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a
 claim with a specific value to determine if the user is authorized to access Workflow Manager and
 with what role. The <code>OIDC_USER_CLAIM_NAME</code> and <code>OIDC_ADMIN_CLAIM_NAME</code> environment variables
-specify the name of claim that must be present. The <code>OIDC_USER_CLAIM_VALUE</code> and
+specify the name of the claim that must be present. The <code>OIDC_USER_CLAIM_VALUE</code> and
 <code>OIDC_ADMIN_CLAIM_VALUE</code> environment variables specify the required value of the claim.</p>
 <h3 id="environment-variables">Environment Variables</h3>
 <ul>
@@ -275,7 +275,7 @@ <h3 id="environment-variables">Environment Variables</h3>
     <code>ADMIN</code> role.</li>
 <li><code>OIDC_ADMIN_CLAIM_VALUE</code> (Optional): Specifies the required value of the claim specified in
     <code>OIDC_ADMIN_CLAIM_NAME</code>. If the claim is a list, only one of the values in the list must match.</li>
-<li><code>OIDC_SCOPES</code> (Optional): A comma-separated list the scopes to be requested from the OIDC
+<li><code>OIDC_SCOPES</code> (Optional): A comma-separated list of the scopes to be requested from the OIDC
     provider when authenticating a user through the web UI. The OIDC specification requires one of
     the scopes to be <code>openid</code>, so if this environment variable is omitted or <code>openid</code> is not in the
     list, it will be automatically added.</li>
@@ -283,8 +283,8 @@ <h3 id="environment-variables">Environment Variables</h3>
     <code>sub</code>.</li>
 <li><code>OIDC_REDIRECT_URI</code> (Optional): Specifies the URL the user's browser will be redirected to after
     logging in to the OIDC provider. If provided, the URL must end in <code>/login/oauth2/code/provider</code>.
-    This would generally be used when the host name Workflow Manager uses to connect to the OIDC
-    provider is different from the OIDC provider's public host name. The value can use the
+    This would generally be used when the host name that Workflow Manager uses to connect to the
+    OIDC provider is different from the OIDC provider's public host name. The value can use the
     <a href="https://docs.spring.io/spring-security/reference/servlet/oauth2/client/authorization-grants.html#oauth2Client-auth-code-redirect-uri">template variables supported by Spring.</a></li>
 </ul>
 <h2 id="example-with-keycloak">Example with Keycloak</h2>
@@ -308,14 +308,26 @@ <h2 id="example-with-keycloak">Example with Keycloak</h2>
     Manager's <code>OIDC_ISSUER_URI</code> environment variable to:
     <code>http://&lt;docker-gateway-ip&gt;:9090/realms/&lt;realm-name&gt;</code></li>
 </ul>
-<p>5. Create the client Workflow Manager will use to authenticate users:</p>
+<p>5. Create the client that Workflow Manager will use to authenticate users:</p>
 <ul>
+<li>Use the "Clients" link in the left menu to create a new client.</li>
+<li>General Settings:<ul>
 <li>The "Client type" needs to be set to "OpenID Connect".</li>
+<li>Enter a "Client ID".</li>
+<li>Set Workflow Manager's <code>OIDC_CLIENT_ID</code> environment variable to the client ID you entered.</li>
+</ul>
+</li>
+<li>Capability config:<ul>
 <li>"Client authentication" must be enabled.</li>
 <li>"Standard flow" must be enabled.</li>
-<li>Set "Valid redirect URIs" to <code>http://localhost:8080/workflow-manager/login/oauth2/code/provider</code></li>
+</ul>
+</li>
+<li>Login settings:<ul>
+<li>Set "Valid redirect URIs" to
+  <code>http://localhost:8080/workflow-manager/login/oauth2/code/provider</code></li>
 <li>Set "Valid post logout redirect URIs" to <code>http://localhost:8080/workflow-manager</code></li>
-<li>Set Workflow Manager's <code>OIDC_CLIENT_ID</code> environment variable to the client ID you entered.</li>
+</ul>
+</li>
 <li>Set Workflow Manager's <code>OIDC_CLIENT_SECRET</code> environment variable to the "Client secret" in the
     "Credentials" tab.</li>
 </ul>
@@ -331,7 +343,7 @@ <h2 id="example-with-keycloak">Example with Keycloak</h2>
 <p>7. Include the Keycloak role(s) in the access token:</p>
 <ul>
 <li>In the "Client scopes" menu add a mapper to the "roles" scope.</li>
-<li>Use the "groups" prefined mapper</li>
+<li>Use the "groups" predefined mapper.</li>
 <li>The default name "Token Claim Name" is "groups". This can be changed.</li>
 <li>If you created an <code>ADMIN</code> role in step 6 set <code>OIDC_ADMIN_CLAIM_NAME</code> to the value in
     "Token Claim Name". If you created a <code>USER</code> role, do the same for <code>OIDC_USER_CLAIM_NAME</code>.</li>
@@ -348,15 +360,18 @@ <h2 id="example-with-keycloak">Example with Keycloak</h2>
 <p>11. Add REST clients:</p>
 <ul>
 <li>Use the "Clients" menu to create a new client.</li>
+<li>Capability config:<ul>
 <li>The client needs to have "Client authentication" and "Service accounts roles" enabled.</li>
 <li>Use the "Service account roles" tab to add the client to one of the roles created in step 5.</li>
 </ul>
+</li>
+</ul>
 <h3 id="test-rest-authentication">Test REST authentication</h3>
 <p>Using the Docker gateway IP address from step 1, the client ID and secret from step 11, and the
 realm name from step 4, run the following command:</p>
 <pre><code class="language-bash">curl -d grant_type=client_credentials -u '&lt;client-id&gt;:&lt;client-secret&gt;' 'http://&lt;docker-gateway-ip&gt;:9090/realms/&lt;realm-name&gt;/protocol/openid-connect/token'
 </code></pre>
-<p>The response JSON will contain a token in the <code>"access_token"</code> property. That token need to
+<p>The response JSON will contain a token in the <code>"access_token"</code> property. That token needs to be
 included as a bearer token in REST requests to Workflow Manager. For example:</p>
 <pre><code class="language-bash">curl -H &quot;Authorization: Bearer &lt;access-token&gt;&quot; http://localhost:8080/workflow-manager/rest/actions
 </code></pre>
diff --git a/docs/site/index.html b/docs/site/index.html
index 86116c01571c..27fec2145764 100644
--- a/docs/site/index.html
+++ b/docs/site/index.html
@@ -384,5 +384,5 @@ <h1 id="overview">Overview</h1>
 
 <!--
 MkDocs version : 0.17.5
-Build Date UTC : 2023-07-24 14:26:38
+Build Date UTC : 2023-09-18 10:46:56
 -->
diff --git a/docs/site/search/search_index.json b/docs/site/search/search_index.json
index 3941683050eb..8314e2b6fcb2 100644
--- a/docs/site/search/search_index.json
+++ b/docs/site/search/search_index.json
@@ -262,7 +262,7 @@
         },
         {
             "location": "/OpenID-Connect-Guide/index.html",
-            "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manger\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nEnvironment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n    \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n    \nOIDC_ISSUER_URI\n will be used.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n    list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n    \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n    This would generally be used when the host name Workflow Manager uses to connect to the OIDC\n    provider is different from the OIDC provider's public host name. The value can use the\n    \ntemplate variables supported by Spring.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n    password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\nUse the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager's \nOIDC_ISSUER_URI\n environment variable to:\n    \nhttp://<docker-gateway-ip>:9090/realms/<realm-name>\n\n\n\n\n5. Create the client Workflow Manager will use to authenticate users:\n\n\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\nSet \"Valid redirect URIs\" to \nhttp://localhost:8080/workflow-manager/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080/workflow-manager\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n    Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n    \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n    like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" prefined mapper\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n    \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n    user name instead of the ID.\n\n\n9. Create Users\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\n11. Add REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 5.\n\n\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token need to\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/actions",
+            "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of the claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nEnvironment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n    \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n    \nOIDC_ISSUER_URI\n will be used.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list of the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n    list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n    \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n    This would generally be used when the host name that Workflow Manager uses to connect to the\n    OIDC provider is different from the OIDC provider's public host name. The value can use the\n    \ntemplate variables supported by Spring.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n    password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\nUse the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager's \nOIDC_ISSUER_URI\n environment variable to:\n    \nhttp://<docker-gateway-ip>:9090/realms/<realm-name>\n\n\n\n\n5. Create the client that Workflow Manager will use to authenticate users:\n\n\n\n\nUse the \"Clients\" link in the left menu to create a new client.\n\n\nGeneral Settings:\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\nEnter a \"Client ID\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\n\n\n\n\nCapability config:\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\n\n\n\n\nLogin settings:\n\n\nSet \"Valid redirect URIs\" to\n  \nhttp://localhost:8080/workflow-manager/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080/workflow-manager\n\n\n\n\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n    Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n    \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n    like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" predefined mapper.\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n    \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n    user name instead of the ID.\n\n\n9. Create Users\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\n11. Add REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 5.\n\n\n\n\n\n\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/actions",
             "title": "OpenID Connect Guide"
         },
         {
@@ -272,22 +272,22 @@
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#configuration",
-            "text": "In order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the  OIDC_CLIENT_ID  and OIDC_CLIENT_SECRET  environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manger\nwith  /login/oauth2/code/provider  appended.  The documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the  OIDC_ISSUER_URI  environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with  /.well-known/openid-configuration  appended.  After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The  OIDC_USER_CLAIM_NAME  and  OIDC_ADMIN_CLAIM_NAME  environment variables\nspecify the name of claim that must be present. The  OIDC_USER_CLAIM_VALUE  and OIDC_ADMIN_CLAIM_VALUE  environment variables specify the required value of the claim.",
+            "text": "In order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the  OIDC_CLIENT_ID  and OIDC_CLIENT_SECRET  environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith  /login/oauth2/code/provider  appended.  The documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the  OIDC_ISSUER_URI  environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with  /.well-known/openid-configuration  appended.  After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The  OIDC_USER_CLAIM_NAME  and  OIDC_ADMIN_CLAIM_NAME  environment variables\nspecify the name of the claim that must be present. The  OIDC_USER_CLAIM_VALUE  and OIDC_ADMIN_CLAIM_VALUE  environment variables specify the required value of the claim.",
             "title": "Configuration"
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#environment-variables",
-            "text": "OIDC_ISSUER_URI  (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If  OIDC_JWT_ISSUER_URI  is not set,  OIDC_ISSUER_URI  will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n     OIDC_ISSUER_URI  with  /.well-known/openid-configuration  appended.  OIDC_JWT_ISSUER_URI  (Optional): Works the same way as  OIDC_ISSUER_URI , except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n     OIDC_ISSUER_URI  will be used.  OIDC_CLIENT_ID  (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.  OIDC_CLIENT_SECRET  (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.  OIDC_USER_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     USER  role.  OIDC_USER_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_USER_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_ADMIN_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     ADMIN  role.  OIDC_ADMIN_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_ADMIN_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_SCOPES  (Optional): A comma-separated list the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be  openid , so if this environment variable is omitted or  openid  is not in the\n    list, it will be automatically added.  OIDC_USER_NAME_ATTR  (Optional): The name of the claim containing the user name. Defaults to\n     sub .  OIDC_REDIRECT_URI  (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in  /login/oauth2/code/provider .\n    This would generally be used when the host name Workflow Manager uses to connect to the OIDC\n    provider is different from the OIDC provider's public host name. The value can use the\n     template variables supported by Spring.",
+            "text": "OIDC_ISSUER_URI  (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If  OIDC_JWT_ISSUER_URI  is not set,  OIDC_ISSUER_URI  will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n     OIDC_ISSUER_URI  with  /.well-known/openid-configuration  appended.  OIDC_JWT_ISSUER_URI  (Optional): Works the same way as  OIDC_ISSUER_URI , except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n     OIDC_ISSUER_URI  will be used.  OIDC_CLIENT_ID  (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.  OIDC_CLIENT_SECRET  (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.  OIDC_USER_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     USER  role.  OIDC_USER_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_USER_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_ADMIN_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     ADMIN  role.  OIDC_ADMIN_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_ADMIN_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_SCOPES  (Optional): A comma-separated list of the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be  openid , so if this environment variable is omitted or  openid  is not in the\n    list, it will be automatically added.  OIDC_USER_NAME_ATTR  (Optional): The name of the claim containing the user name. Defaults to\n     sub .  OIDC_REDIRECT_URI  (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in  /login/oauth2/code/provider .\n    This would generally be used when the host name that Workflow Manager uses to connect to the\n    OIDC provider is different from the OIDC provider's public host name. The value can use the\n     template variables supported by Spring.",
             "title": "Environment Variables"
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#example-with-keycloak",
-            "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.  1. Get the Docker gateway IP address by running the command below. It will be used in later steps.  docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge  2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.  docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev  3. Go to  http://localhost:9090/admin  in a browser and login with username  admin  and\n    password  admin .  4. Create a new realm:   Create a new realm using the drop down box in upper left that says \"master\".  Use the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager's  OIDC_ISSUER_URI  environment variable to:\n     http://<docker-gateway-ip>:9090/realms/<realm-name>   5. Create the client Workflow Manager will use to authenticate users:   The \"Client type\" needs to be set to \"OpenID Connect\".  \"Client authentication\" must be enabled.  \"Standard flow\" must be enabled.  Set \"Valid redirect URIs\" to  http://localhost:8080/workflow-manager/login/oauth2/code/provider  Set \"Valid post logout redirect URIs\" to  http://localhost:8080/workflow-manager  Set Workflow Manager's  OIDC_CLIENT_ID  environment variable to the client ID you entered.  Set Workflow Manager's  OIDC_CLIENT_SECRET  environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.   6. Create a Keycloak role that maps to a Workflow Manager role:   Use the \"Realm roles\" link in the left menu to create a new role.  If the Keycloak role should make the user an  ADMIN  in Workflow Manager, set Workflow\n    Manager's  OIDC_ADMIN_CLAIM_VALUE  to the role name you just entered. If it should be a\n     USER , then set the  OIDC_USER_CLAIM_VALUE  environment variable.  Only one of  OIDC_ADMIN_CLAIM_VALUE  and  OIDC_USER_CLAIM_VALUE  need to be set. If you would\n    like to set up both roles repeat this step.   7. Include the Keycloak role(s) in the access token:   In the \"Client scopes\" menu add a mapper to the \"roles\" scope.  Use the \"groups\" prefined mapper  The default name \"Token Claim Name\" is \"groups\". This can be changed.  If you created an  ADMIN  role in step 6 set  OIDC_ADMIN_CLAIM_NAME  to the value in\n    \"Token Claim Name\". If you created a  USER  role, do the same for  OIDC_USER_CLAIM_NAME .   8. Optionally, set Workflow Manager's  OIDC_USER_NAME_ATTR  to  preferred_username  to display the\n    user name instead of the ID.  9. Create Users   After creating a user, set a password in the \"Credentials\" tab.  Use the \"Role mapping\" tab to add the user to one of roles created in step 6.   10. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.  11. Add REST clients:   Use the \"Clients\" menu to create a new client.  The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.  Use the \"Service account roles\" tab to add the client to one of the roles created in step 5.",
+            "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.  1. Get the Docker gateway IP address by running the command below. It will be used in later steps.  docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge  2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.  docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev  3. Go to  http://localhost:9090/admin  in a browser and login with username  admin  and\n    password  admin .  4. Create a new realm:   Create a new realm using the drop down box in upper left that says \"master\".  Use the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager's  OIDC_ISSUER_URI  environment variable to:\n     http://<docker-gateway-ip>:9090/realms/<realm-name>   5. Create the client that Workflow Manager will use to authenticate users:   Use the \"Clients\" link in the left menu to create a new client.  General Settings:  The \"Client type\" needs to be set to \"OpenID Connect\".  Enter a \"Client ID\".  Set Workflow Manager's  OIDC_CLIENT_ID  environment variable to the client ID you entered.    Capability config:  \"Client authentication\" must be enabled.  \"Standard flow\" must be enabled.    Login settings:  Set \"Valid redirect URIs\" to\n   http://localhost:8080/workflow-manager/login/oauth2/code/provider  Set \"Valid post logout redirect URIs\" to  http://localhost:8080/workflow-manager    Set Workflow Manager's  OIDC_CLIENT_SECRET  environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.   6. Create a Keycloak role that maps to a Workflow Manager role:   Use the \"Realm roles\" link in the left menu to create a new role.  If the Keycloak role should make the user an  ADMIN  in Workflow Manager, set Workflow\n    Manager's  OIDC_ADMIN_CLAIM_VALUE  to the role name you just entered. If it should be a\n     USER , then set the  OIDC_USER_CLAIM_VALUE  environment variable.  Only one of  OIDC_ADMIN_CLAIM_VALUE  and  OIDC_USER_CLAIM_VALUE  need to be set. If you would\n    like to set up both roles repeat this step.   7. Include the Keycloak role(s) in the access token:   In the \"Client scopes\" menu add a mapper to the \"roles\" scope.  Use the \"groups\" predefined mapper.  The default name \"Token Claim Name\" is \"groups\". This can be changed.  If you created an  ADMIN  role in step 6 set  OIDC_ADMIN_CLAIM_NAME  to the value in\n    \"Token Claim Name\". If you created a  USER  role, do the same for  OIDC_USER_CLAIM_NAME .   8. Optionally, set Workflow Manager's  OIDC_USER_NAME_ATTR  to  preferred_username  to display the\n    user name instead of the ID.  9. Create Users   After creating a user, set a password in the \"Credentials\" tab.  Use the \"Role mapping\" tab to add the user to one of roles created in step 6.   10. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.  11. Add REST clients:   Use the \"Clients\" menu to create a new client.  Capability config:  The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.  Use the \"Service account roles\" tab to add the client to one of the roles created in step 5.",
             "title": "Example with Keycloak"
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#test-rest-authentication",
-            "text": "Using the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:  curl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'  The response JSON will contain a token in the  \"access_token\"  property. That token need to\nincluded as a bearer token in REST requests to Workflow Manager. For example:  curl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/actions",
+            "text": "Using the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:  curl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'  The response JSON will contain a token in the  \"access_token\"  property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example:  curl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/actions",
             "title": "Test REST authentication"
         },
         {
diff --git a/docs/site/sitemap.xml b/docs/site/sitemap.xml
index 1ea5a762c49a..c433c6575b49 100644
--- a/docs/site/sitemap.xml
+++ b/docs/site/sitemap.xml
@@ -2,132 +2,132 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
     <url>
      <loc>/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Release-Notes/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/License-And-Distribution/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Acknowledgements/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Install-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Admin-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/User-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/OpenID-Connect-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Media-Segmentation-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Feed-Forward-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Derivative-Media-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Object-Storage-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Markup-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/TiesDb-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/REST-API/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Component-API-Overview/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Component-Descriptor-Reference/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/CPP-Batch-Component-API/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Python-Batch-Component-API/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Java-Batch-Component-API/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/GPU-Support-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Contributor-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Development-Environment-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Node-Guide/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Workflow-Manager-Architecture/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/CPP-Streaming-Component-API/index.html</loc>
-     <lastmod>2023-07-24</lastmod>
+     <lastmod>2023-09-18</lastmod>
      <changefreq>daily</changefreq>
     </url>
 </urlset>
\ No newline at end of file

From 97c0a384e0a36ecb3c8d4ec4a3e4d2f46c076244 Mon Sep 17 00:00:00 2001
From: Brian Rosenberg <brosenberg@mitre.org>
Date: Mon, 18 Sep 2023 07:16:09 -0400
Subject: [PATCH 4/6] Document component oidc environment variables

---
 docs/docs/OpenID-Connect-Guide.md         | 40 +++++++++++++++++++----
 docs/site/OpenID-Connect-Guide/index.html | 40 +++++++++++++++++++----
 docs/site/index.html                      |  2 +-
 docs/site/search/search_index.json        | 15 ++++++---
 4 files changed, 79 insertions(+), 18 deletions(-)

diff --git a/docs/docs/OpenID-Connect-Guide.md b/docs/docs/OpenID-Connect-Guide.md
index ba019520d292..6c915c399fe9 100644
--- a/docs/docs/OpenID-Connect-Guide.md
+++ b/docs/docs/OpenID-Connect-Guide.md
@@ -26,9 +26,14 @@ with what role. The `OIDC_USER_CLAIM_NAME` and `OIDC_ADMIN_CLAIM_NAME` environme
 specify the name of the claim that must be present. The `OIDC_USER_CLAIM_VALUE` and
 `OIDC_ADMIN_CLAIM_VALUE` environment variables specify the required value of the claim.
 
+If Workflow Manager is configured to use OIDC, then the component services must also be configured
+to use OIDC. The component services will use OIDC if either the `OIDC_JWT_ISSUER_URI` or
+`OIDC_ISSUER_URI` environment variables are set on the component service. When a component service
+is configured to use OIDC, the `WFM_USER` and `WFM_PASSWORD` environment variables are used to
+specify the client ID and secret that will be used during component registration.
 
 
-### Environment Variables
+### Workflow Manager Environment Variables
 
 - `OIDC_ISSUER_URI` (Required): URI for the OIDC provider that will be used to authenticate users
     through the web UI. If `OIDC_JWT_ISSUER_URI` is not set, `OIDC_ISSUER_URI` will also be used to
@@ -64,6 +69,18 @@ specify the name of the claim that must be present. The `OIDC_USER_CLAIM_VALUE`
     [template variables supported by Spring.](https://docs.spring.io/spring-security/reference/servlet/oauth2/client/authorization-grants.html#oauth2Client-auth-code-redirect-uri)
 
 
+### Component Environment Variables
+
+- `OIDC_JWT_ISSUER_URI` or `OIDC_ISSUER_URI`: URI for the OIDC provider that will be used to
+    authenticate REST clients. The OIDC configuration endpoint must exist at the value of this
+    environment variable with `/.well-known/openid-configuration` appended. If both environment
+    variables are provided, `OIDC_JWT_ISSUER_URI` will be used.
+- `WFM_USER`: The client ID that the component service will use when registering the component
+    with Workflow Manager.
+- `WFM_PASSWORD`: The client secret that the component service will use when registering the
+    component with Workflow Manager.
+
+
 ## Example with Keycloak
 
 The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.
@@ -89,7 +106,7 @@ docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin
 
 - Create a new realm using the drop down box in upper left that says "master".
 - Use the realm name you entered and the gateway IP address from step 1 to set Workflow
-    Manager's `OIDC_ISSUER_URI` environment variable to:
+    Manager and the component services' `OIDC_ISSUER_URI` environment variable to:
     `http://<docker-gateway-ip>:9090/realms/<realm-name>`
 
 5\. Create the client that Workflow Manager will use to authenticate users:
@@ -129,21 +146,32 @@ docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin
 8\. Optionally, set Workflow Manager's `OIDC_USER_NAME_ATTR` to `preferred_username` to display the
     user name instead of the ID.
 
-9\. Create Users
+9\. Create Users:
 
 - After creating a user, set a password in the "Credentials" tab.
 - Use the "Role mapping" tab to add the user to one of roles created in step 6.
 
-10\. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be
-     redirected to the Keycloak log in page. You can log in using the users created in step 9.
+10\. Add Component Registration REST client:
 
-11\. Add REST clients:
+- Use the "Clients" menu to create a new client.
+- Capability config:
+    - The client needs to have "Client authentication" and "Service accounts roles" enabled.
+    - Use the "Service account roles" tab to add the client to one of the roles created in step 5.
+- Set the component services' `WFM_USER` environment variable to the client ID you entered.
+- Set component services' `WFM_PASSWORD` environment variable to the "Client secret" in the
+    "Credentials" tab.
+
+11\. Add external REST clients:
 
 - Use the "Clients" menu to create a new client.
 - Capability config:
     - The client needs to have "Client authentication" and "Service accounts roles" enabled.
     - Use the "Service account roles" tab to add the client to one of the roles created in step 5.
 
+12\. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be
+     redirected to the Keycloak log in page. You can log in using the users created in step 9.
+
+
 
 ### Test REST authentication
 Using the Docker gateway IP address from step 1, the client ID and secret from step 11, and the
diff --git a/docs/site/OpenID-Connect-Guide/index.html b/docs/site/OpenID-Connect-Guide/index.html
index a580322d6be4..8857f7d3e154 100644
--- a/docs/site/OpenID-Connect-Guide/index.html
+++ b/docs/site/OpenID-Connect-Guide/index.html
@@ -252,7 +252,12 @@ <h2 id="configuration">Configuration</h2>
 with what role. The <code>OIDC_USER_CLAIM_NAME</code> and <code>OIDC_ADMIN_CLAIM_NAME</code> environment variables
 specify the name of the claim that must be present. The <code>OIDC_USER_CLAIM_VALUE</code> and
 <code>OIDC_ADMIN_CLAIM_VALUE</code> environment variables specify the required value of the claim.</p>
-<h3 id="environment-variables">Environment Variables</h3>
+<p>If Workflow Manager is configured to use OIDC, then the component services must also be configured
+to use OIDC. The component services will use OIDC if either the <code>OIDC_JWT_ISSUER_URI</code> or
+<code>OIDC_ISSUER_URI</code> environment variables are set on the component service. When a component service
+is configured to use OIDC, the <code>WFM_USER</code> and <code>WFM_PASSWORD</code> environment variables are used to
+specify the client ID and secret that will be used during component registration.</p>
+<h3 id="workflow-manager-environment-variables">Workflow Manager Environment Variables</h3>
 <ul>
 <li><code>OIDC_ISSUER_URI</code> (Required): URI for the OIDC provider that will be used to authenticate users
     through the web UI. If <code>OIDC_JWT_ISSUER_URI</code> is not set, <code>OIDC_ISSUER_URI</code> will also be used to
@@ -287,6 +292,17 @@ <h3 id="environment-variables">Environment Variables</h3>
     OIDC provider is different from the OIDC provider's public host name. The value can use the
     <a href="https://docs.spring.io/spring-security/reference/servlet/oauth2/client/authorization-grants.html#oauth2Client-auth-code-redirect-uri">template variables supported by Spring.</a></li>
 </ul>
+<h3 id="component-environment-variables">Component Environment Variables</h3>
+<ul>
+<li><code>OIDC_JWT_ISSUER_URI</code> or <code>OIDC_ISSUER_URI</code>: URI for the OIDC provider that will be used to
+    authenticate REST clients. The OIDC configuration endpoint must exist at the value of this
+    environment variable with <code>/.well-known/openid-configuration</code> appended. If both environment
+    variables are provided, <code>OIDC_JWT_ISSUER_URI</code> will be used.</li>
+<li><code>WFM_USER</code>: The client ID that the component service will use when registering the component
+    with Workflow Manager.</li>
+<li><code>WFM_PASSWORD</code>: The client secret that the component service will use when registering the
+    component with Workflow Manager.</li>
+</ul>
 <h2 id="example-with-keycloak">Example with Keycloak</h2>
 <p>The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.
 It is just an example and should not be used in production.</p>
@@ -305,7 +321,7 @@ <h2 id="example-with-keycloak">Example with Keycloak</h2>
 <ul>
 <li>Create a new realm using the drop down box in upper left that says "master".</li>
 <li>Use the realm name you entered and the gateway IP address from step 1 to set Workflow
-    Manager's <code>OIDC_ISSUER_URI</code> environment variable to:
+    Manager and the component services' <code>OIDC_ISSUER_URI</code> environment variable to:
     <code>http://&lt;docker-gateway-ip&gt;:9090/realms/&lt;realm-name&gt;</code></li>
 </ul>
 <p>5. Create the client that Workflow Manager will use to authenticate users:</p>
@@ -350,14 +366,12 @@ <h2 id="example-with-keycloak">Example with Keycloak</h2>
 </ul>
 <p>8. Optionally, set Workflow Manager's <code>OIDC_USER_NAME_ATTR</code> to <code>preferred_username</code> to display the
     user name instead of the ID.</p>
-<p>9. Create Users</p>
+<p>9. Create Users:</p>
 <ul>
 <li>After creating a user, set a password in the "Credentials" tab.</li>
 <li>Use the "Role mapping" tab to add the user to one of roles created in step 6.</li>
 </ul>
-<p>10. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be
-     redirected to the Keycloak log in page. You can log in using the users created in step 9.</p>
-<p>11. Add REST clients:</p>
+<p>10. Add Component Registration REST client:</p>
 <ul>
 <li>Use the "Clients" menu to create a new client.</li>
 <li>Capability config:<ul>
@@ -365,7 +379,21 @@ <h2 id="example-with-keycloak">Example with Keycloak</h2>
 <li>Use the "Service account roles" tab to add the client to one of the roles created in step 5.</li>
 </ul>
 </li>
+<li>Set the component services' <code>WFM_USER</code> environment variable to the client ID you entered.</li>
+<li>Set component services' <code>WFM_PASSWORD</code> environment variable to the "Client secret" in the
+    "Credentials" tab.</li>
 </ul>
+<p>11. Add external REST clients:</p>
+<ul>
+<li>Use the "Clients" menu to create a new client.</li>
+<li>Capability config:<ul>
+<li>The client needs to have "Client authentication" and "Service accounts roles" enabled.</li>
+<li>Use the "Service account roles" tab to add the client to one of the roles created in step 5.</li>
+</ul>
+</li>
+</ul>
+<p>12. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be
+     redirected to the Keycloak log in page. You can log in using the users created in step 9.</p>
 <h3 id="test-rest-authentication">Test REST authentication</h3>
 <p>Using the Docker gateway IP address from step 1, the client ID and secret from step 11, and the
 realm name from step 4, run the following command:</p>
diff --git a/docs/site/index.html b/docs/site/index.html
index 27fec2145764..00f4e79e6839 100644
--- a/docs/site/index.html
+++ b/docs/site/index.html
@@ -384,5 +384,5 @@ <h1 id="overview">Overview</h1>
 
 <!--
 MkDocs version : 0.17.5
-Build Date UTC : 2023-09-18 10:46:56
+Build Date UTC : 2023-09-18 11:15:24
 -->
diff --git a/docs/site/search/search_index.json b/docs/site/search/search_index.json
index 8314e2b6fcb2..4a294b109c1f 100644
--- a/docs/site/search/search_index.json
+++ b/docs/site/search/search_index.json
@@ -262,7 +262,7 @@
         },
         {
             "location": "/OpenID-Connect-Guide/index.html",
-            "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of the claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nEnvironment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n    \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n    \nOIDC_ISSUER_URI\n will be used.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list of the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n    list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n    \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n    This would generally be used when the host name that Workflow Manager uses to connect to the\n    OIDC provider is different from the OIDC provider's public host name. The value can use the\n    \ntemplate variables supported by Spring.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n    password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\nUse the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager's \nOIDC_ISSUER_URI\n environment variable to:\n    \nhttp://<docker-gateway-ip>:9090/realms/<realm-name>\n\n\n\n\n5. Create the client that Workflow Manager will use to authenticate users:\n\n\n\n\nUse the \"Clients\" link in the left menu to create a new client.\n\n\nGeneral Settings:\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\nEnter a \"Client ID\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\n\n\n\n\nCapability config:\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\n\n\n\n\nLogin settings:\n\n\nSet \"Valid redirect URIs\" to\n  \nhttp://localhost:8080/workflow-manager/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080/workflow-manager\n\n\n\n\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n    Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n    \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n    like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" predefined mapper.\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n    \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n    user name instead of the ID.\n\n\n9. Create Users\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\n11. Add REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 5.\n\n\n\n\n\n\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/actions",
+            "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of the claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nIf Workflow Manager is configured to use OIDC, then the component services must also be configured\nto use OIDC. The component services will use OIDC if either the \nOIDC_JWT_ISSUER_URI\n or\n\nOIDC_ISSUER_URI\n environment variables are set on the component service. When a component service\nis configured to use OIDC, the \nWFM_USER\n and \nWFM_PASSWORD\n environment variables are used to\nspecify the client ID and secret that will be used during component registration.\n\n\nWorkflow Manager Environment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n    \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n    \nOIDC_ISSUER_URI\n will be used.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list of the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n    list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n    \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n    This would generally be used when the host name that Workflow Manager uses to connect to the\n    OIDC provider is different from the OIDC provider's public host name. The value can use the\n    \ntemplate variables supported by Spring.\n\n\n\n\nComponent Environment Variables\n\n\n\n\nOIDC_JWT_ISSUER_URI\n or \nOIDC_ISSUER_URI\n: URI for the OIDC provider that will be used to\n    authenticate REST clients. The OIDC configuration endpoint must exist at the value of this\n    environment variable with \n/.well-known/openid-configuration\n appended. If both environment\n    variables are provided, \nOIDC_JWT_ISSUER_URI\n will be used.\n\n\nWFM_USER\n: The client ID that the component service will use when registering the component\n    with Workflow Manager.\n\n\nWFM_PASSWORD\n: The client secret that the component service will use when registering the\n    component with Workflow Manager.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n    password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\nUse the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager and the component services' \nOIDC_ISSUER_URI\n environment variable to:\n    \nhttp://<docker-gateway-ip>:9090/realms/<realm-name>\n\n\n\n\n5. Create the client that Workflow Manager will use to authenticate users:\n\n\n\n\nUse the \"Clients\" link in the left menu to create a new client.\n\n\nGeneral Settings:\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\nEnter a \"Client ID\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\n\n\n\n\nCapability config:\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\n\n\n\n\nLogin settings:\n\n\nSet \"Valid redirect URIs\" to\n  \nhttp://localhost:8080/workflow-manager/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080/workflow-manager\n\n\n\n\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n    Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n    \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n    like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" predefined mapper.\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n    \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n    user name instead of the ID.\n\n\n9. Create Users:\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Add Component Registration REST client:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 5.\n\n\n\n\n\n\nSet the component services' \nWFM_USER\n environment variable to the client ID you entered.\n\n\nSet component services' \nWFM_PASSWORD\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n11. Add external REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 5.\n\n\n\n\n\n\n\n\n12. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/actions",
             "title": "OpenID Connect Guide"
         },
         {
@@ -272,17 +272,22 @@
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#configuration",
-            "text": "In order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the  OIDC_CLIENT_ID  and OIDC_CLIENT_SECRET  environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith  /login/oauth2/code/provider  appended.  The documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the  OIDC_ISSUER_URI  environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with  /.well-known/openid-configuration  appended.  After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The  OIDC_USER_CLAIM_NAME  and  OIDC_ADMIN_CLAIM_NAME  environment variables\nspecify the name of the claim that must be present. The  OIDC_USER_CLAIM_VALUE  and OIDC_ADMIN_CLAIM_VALUE  environment variables specify the required value of the claim.",
+            "text": "In order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the  OIDC_CLIENT_ID  and OIDC_CLIENT_SECRET  environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith  /login/oauth2/code/provider  appended.  The documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the  OIDC_ISSUER_URI  environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with  /.well-known/openid-configuration  appended.  After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The  OIDC_USER_CLAIM_NAME  and  OIDC_ADMIN_CLAIM_NAME  environment variables\nspecify the name of the claim that must be present. The  OIDC_USER_CLAIM_VALUE  and OIDC_ADMIN_CLAIM_VALUE  environment variables specify the required value of the claim.  If Workflow Manager is configured to use OIDC, then the component services must also be configured\nto use OIDC. The component services will use OIDC if either the  OIDC_JWT_ISSUER_URI  or OIDC_ISSUER_URI  environment variables are set on the component service. When a component service\nis configured to use OIDC, the  WFM_USER  and  WFM_PASSWORD  environment variables are used to\nspecify the client ID and secret that will be used during component registration.",
             "title": "Configuration"
         },
         {
-            "location": "/OpenID-Connect-Guide/index.html#environment-variables",
+            "location": "/OpenID-Connect-Guide/index.html#workflow-manager-environment-variables",
             "text": "OIDC_ISSUER_URI  (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If  OIDC_JWT_ISSUER_URI  is not set,  OIDC_ISSUER_URI  will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n     OIDC_ISSUER_URI  with  /.well-known/openid-configuration  appended.  OIDC_JWT_ISSUER_URI  (Optional): Works the same way as  OIDC_ISSUER_URI , except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n     OIDC_ISSUER_URI  will be used.  OIDC_CLIENT_ID  (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.  OIDC_CLIENT_SECRET  (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.  OIDC_USER_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     USER  role.  OIDC_USER_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_USER_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_ADMIN_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     ADMIN  role.  OIDC_ADMIN_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_ADMIN_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_SCOPES  (Optional): A comma-separated list of the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be  openid , so if this environment variable is omitted or  openid  is not in the\n    list, it will be automatically added.  OIDC_USER_NAME_ATTR  (Optional): The name of the claim containing the user name. Defaults to\n     sub .  OIDC_REDIRECT_URI  (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in  /login/oauth2/code/provider .\n    This would generally be used when the host name that Workflow Manager uses to connect to the\n    OIDC provider is different from the OIDC provider's public host name. The value can use the\n     template variables supported by Spring.",
-            "title": "Environment Variables"
+            "title": "Workflow Manager Environment Variables"
+        },
+        {
+            "location": "/OpenID-Connect-Guide/index.html#component-environment-variables",
+            "text": "OIDC_JWT_ISSUER_URI  or  OIDC_ISSUER_URI : URI for the OIDC provider that will be used to\n    authenticate REST clients. The OIDC configuration endpoint must exist at the value of this\n    environment variable with  /.well-known/openid-configuration  appended. If both environment\n    variables are provided,  OIDC_JWT_ISSUER_URI  will be used.  WFM_USER : The client ID that the component service will use when registering the component\n    with Workflow Manager.  WFM_PASSWORD : The client secret that the component service will use when registering the\n    component with Workflow Manager.",
+            "title": "Component Environment Variables"
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#example-with-keycloak",
-            "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.  1. Get the Docker gateway IP address by running the command below. It will be used in later steps.  docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge  2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.  docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev  3. Go to  http://localhost:9090/admin  in a browser and login with username  admin  and\n    password  admin .  4. Create a new realm:   Create a new realm using the drop down box in upper left that says \"master\".  Use the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager's  OIDC_ISSUER_URI  environment variable to:\n     http://<docker-gateway-ip>:9090/realms/<realm-name>   5. Create the client that Workflow Manager will use to authenticate users:   Use the \"Clients\" link in the left menu to create a new client.  General Settings:  The \"Client type\" needs to be set to \"OpenID Connect\".  Enter a \"Client ID\".  Set Workflow Manager's  OIDC_CLIENT_ID  environment variable to the client ID you entered.    Capability config:  \"Client authentication\" must be enabled.  \"Standard flow\" must be enabled.    Login settings:  Set \"Valid redirect URIs\" to\n   http://localhost:8080/workflow-manager/login/oauth2/code/provider  Set \"Valid post logout redirect URIs\" to  http://localhost:8080/workflow-manager    Set Workflow Manager's  OIDC_CLIENT_SECRET  environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.   6. Create a Keycloak role that maps to a Workflow Manager role:   Use the \"Realm roles\" link in the left menu to create a new role.  If the Keycloak role should make the user an  ADMIN  in Workflow Manager, set Workflow\n    Manager's  OIDC_ADMIN_CLAIM_VALUE  to the role name you just entered. If it should be a\n     USER , then set the  OIDC_USER_CLAIM_VALUE  environment variable.  Only one of  OIDC_ADMIN_CLAIM_VALUE  and  OIDC_USER_CLAIM_VALUE  need to be set. If you would\n    like to set up both roles repeat this step.   7. Include the Keycloak role(s) in the access token:   In the \"Client scopes\" menu add a mapper to the \"roles\" scope.  Use the \"groups\" predefined mapper.  The default name \"Token Claim Name\" is \"groups\". This can be changed.  If you created an  ADMIN  role in step 6 set  OIDC_ADMIN_CLAIM_NAME  to the value in\n    \"Token Claim Name\". If you created a  USER  role, do the same for  OIDC_USER_CLAIM_NAME .   8. Optionally, set Workflow Manager's  OIDC_USER_NAME_ATTR  to  preferred_username  to display the\n    user name instead of the ID.  9. Create Users   After creating a user, set a password in the \"Credentials\" tab.  Use the \"Role mapping\" tab to add the user to one of roles created in step 6.   10. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.  11. Add REST clients:   Use the \"Clients\" menu to create a new client.  Capability config:  The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.  Use the \"Service account roles\" tab to add the client to one of the roles created in step 5.",
+            "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.  1. Get the Docker gateway IP address by running the command below. It will be used in later steps.  docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge  2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.  docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev  3. Go to  http://localhost:9090/admin  in a browser and login with username  admin  and\n    password  admin .  4. Create a new realm:   Create a new realm using the drop down box in upper left that says \"master\".  Use the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager and the component services'  OIDC_ISSUER_URI  environment variable to:\n     http://<docker-gateway-ip>:9090/realms/<realm-name>   5. Create the client that Workflow Manager will use to authenticate users:   Use the \"Clients\" link in the left menu to create a new client.  General Settings:  The \"Client type\" needs to be set to \"OpenID Connect\".  Enter a \"Client ID\".  Set Workflow Manager's  OIDC_CLIENT_ID  environment variable to the client ID you entered.    Capability config:  \"Client authentication\" must be enabled.  \"Standard flow\" must be enabled.    Login settings:  Set \"Valid redirect URIs\" to\n   http://localhost:8080/workflow-manager/login/oauth2/code/provider  Set \"Valid post logout redirect URIs\" to  http://localhost:8080/workflow-manager    Set Workflow Manager's  OIDC_CLIENT_SECRET  environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.   6. Create a Keycloak role that maps to a Workflow Manager role:   Use the \"Realm roles\" link in the left menu to create a new role.  If the Keycloak role should make the user an  ADMIN  in Workflow Manager, set Workflow\n    Manager's  OIDC_ADMIN_CLAIM_VALUE  to the role name you just entered. If it should be a\n     USER , then set the  OIDC_USER_CLAIM_VALUE  environment variable.  Only one of  OIDC_ADMIN_CLAIM_VALUE  and  OIDC_USER_CLAIM_VALUE  need to be set. If you would\n    like to set up both roles repeat this step.   7. Include the Keycloak role(s) in the access token:   In the \"Client scopes\" menu add a mapper to the \"roles\" scope.  Use the \"groups\" predefined mapper.  The default name \"Token Claim Name\" is \"groups\". This can be changed.  If you created an  ADMIN  role in step 6 set  OIDC_ADMIN_CLAIM_NAME  to the value in\n    \"Token Claim Name\". If you created a  USER  role, do the same for  OIDC_USER_CLAIM_NAME .   8. Optionally, set Workflow Manager's  OIDC_USER_NAME_ATTR  to  preferred_username  to display the\n    user name instead of the ID.  9. Create Users:   After creating a user, set a password in the \"Credentials\" tab.  Use the \"Role mapping\" tab to add the user to one of roles created in step 6.   10. Add Component Registration REST client:   Use the \"Clients\" menu to create a new client.  Capability config:  The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.  Use the \"Service account roles\" tab to add the client to one of the roles created in step 5.    Set the component services'  WFM_USER  environment variable to the client ID you entered.  Set component services'  WFM_PASSWORD  environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.   11. Add external REST clients:   Use the \"Clients\" menu to create a new client.  Capability config:  The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.  Use the \"Service account roles\" tab to add the client to one of the roles created in step 5.     12. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.",
             "title": "Example with Keycloak"
         },
         {

From 82614c95b91dc22085cb9f8886ecc8eaa5da8d3f Mon Sep 17 00:00:00 2001
From: Brian Rosenberg <brosenberg@mitre.org>
Date: Wed, 29 Nov 2023 08:38:00 -0500
Subject: [PATCH 5/6] Update oidc docs

---
 docs/docs/OpenID-Connect-Guide.md         | 28 +++++++-----
 docs/site/OpenID-Connect-Guide/index.html | 28 +++++++-----
 docs/site/index.html                      |  2 +-
 docs/site/search/search_index.json        | 10 ++---
 docs/site/sitemap.xml                     | 54 +++++++++++------------
 5 files changed, 65 insertions(+), 57 deletions(-)

diff --git a/docs/docs/OpenID-Connect-Guide.md b/docs/docs/OpenID-Connect-Guide.md
index 6c915c399fe9..4eab654315b3 100644
--- a/docs/docs/OpenID-Connect-Guide.md
+++ b/docs/docs/OpenID-Connect-Guide.md
@@ -29,8 +29,8 @@ specify the name of the claim that must be present. The `OIDC_USER_CLAIM_VALUE`
 If Workflow Manager is configured to use OIDC, then the component services must also be configured
 to use OIDC. The component services will use OIDC if either the `OIDC_JWT_ISSUER_URI` or
 `OIDC_ISSUER_URI` environment variables are set on the component service. When a component service
-is configured to use OIDC, the `WFM_USER` and `WFM_PASSWORD` environment variables are used to
-specify the client ID and secret that will be used during component registration.
+is configured to use OIDC, the `OIDC_CLIENT_ID` and `OIDC_CLIENT_SECRET` environment variables are
+used to specify the client ID and secret that will be used during component registration.
 
 
 ### Workflow Manager Environment Variables
@@ -41,7 +41,8 @@ specify the client ID and secret that will be used during component registration
     `OIDC_ISSUER_URI` with `/.well-known/openid-configuration` appended.
 - `OIDC_JWT_ISSUER_URI` (Optional): Works the same way as `OIDC_ISSUER_URI`, except that the
     configuration will only be used to authenticate REST clients. When not provided,
-    `OIDC_ISSUER_URI` will be used.
+    `OIDC_ISSUER_URI` will be used. This would be used when the authentication provider's endpoint
+    for user authentication is different from the endpoint for authentication of REST clients.
 - `OIDC_CLIENT_ID` (Required): The client ID that Workflow Manager will use to authenticate with
     the OIDC provider.
 - `OIDC_CLIENT_SECRET` (Required): The client secret Workflow Manager will use to authenticate
@@ -71,14 +72,17 @@ specify the client ID and secret that will be used during component registration
 
 ### Component Environment Variables
 
-- `OIDC_JWT_ISSUER_URI` or `OIDC_ISSUER_URI`: URI for the OIDC provider that will be used to
-    authenticate REST clients. The OIDC configuration endpoint must exist at the value of this
+- `OIDC_JWT_ISSUER_URI` or `OIDC_ISSUER_URI` (Required): URI for the OIDC provider that will be used
+    to authenticate REST clients. The OIDC configuration endpoint must exist at the value of this
     environment variable with `/.well-known/openid-configuration` appended. If both environment
-    variables are provided, `OIDC_JWT_ISSUER_URI` will be used.
-- `WFM_USER`: The client ID that the component service will use when registering the component
-    with Workflow Manager.
-- `WFM_PASSWORD`: The client secret that the component service will use when registering the
-    component with Workflow Manager.
+    variables are provided, `OIDC_JWT_ISSUER_URI` will be used. If `OIDC_JWT_ISSUER_URI` is set on
+    Workflow Manager, it should be set to the same value on the component services. If
+    `OIDC_JWT_ISSUER_URI` is not set on Workflow Manager, `OIDC_ISSUER_URI` should be set to the
+    same value on Workflow Manager and the component services.
+- `OIDC_CLIENT_ID` (Required): The client ID that the component service will use when registering
+    the component with Workflow Manager.
+- `OIDC_CLIENT_SECRET` (Required): The client secret that the component service will use when
+    registering the component with Workflow Manager.
 
 
 ## Example with Keycloak
@@ -156,7 +160,7 @@ docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin
 - Use the "Clients" menu to create a new client.
 - Capability config:
     - The client needs to have "Client authentication" and "Service accounts roles" enabled.
-    - Use the "Service account roles" tab to add the client to one of the roles created in step 5.
+    - Use the "Service account roles" tab to add the client to one of the roles created in step 6.
 - Set the component services' `WFM_USER` environment variable to the client ID you entered.
 - Set component services' `WFM_PASSWORD` environment variable to the "Client secret" in the
     "Credentials" tab.
@@ -166,7 +170,7 @@ docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin
 - Use the "Clients" menu to create a new client.
 - Capability config:
     - The client needs to have "Client authentication" and "Service accounts roles" enabled.
-    - Use the "Service account roles" tab to add the client to one of the roles created in step 5.
+    - Use the "Service account roles" tab to add the client to one of the roles created in step 6.
 
 12\. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be
      redirected to the Keycloak log in page. You can log in using the users created in step 9.
diff --git a/docs/site/OpenID-Connect-Guide/index.html b/docs/site/OpenID-Connect-Guide/index.html
index cfd583f8f68b..bf4e7eebd578 100644
--- a/docs/site/OpenID-Connect-Guide/index.html
+++ b/docs/site/OpenID-Connect-Guide/index.html
@@ -259,8 +259,8 @@ <h2 id="configuration">Configuration</h2>
 <p>If Workflow Manager is configured to use OIDC, then the component services must also be configured
 to use OIDC. The component services will use OIDC if either the <code>OIDC_JWT_ISSUER_URI</code> or
 <code>OIDC_ISSUER_URI</code> environment variables are set on the component service. When a component service
-is configured to use OIDC, the <code>WFM_USER</code> and <code>WFM_PASSWORD</code> environment variables are used to
-specify the client ID and secret that will be used during component registration.</p>
+is configured to use OIDC, the <code>OIDC_CLIENT_ID</code> and <code>OIDC_CLIENT_SECRET</code> environment variables are
+used to specify the client ID and secret that will be used during component registration.</p>
 <h3 id="workflow-manager-environment-variables">Workflow Manager Environment Variables</h3>
 <ul>
 <li><code>OIDC_ISSUER_URI</code> (Required): URI for the OIDC provider that will be used to authenticate users
@@ -269,7 +269,8 @@ <h3 id="workflow-manager-environment-variables">Workflow Manager Environment Var
     <code>OIDC_ISSUER_URI</code> with <code>/.well-known/openid-configuration</code> appended.</li>
 <li><code>OIDC_JWT_ISSUER_URI</code> (Optional): Works the same way as <code>OIDC_ISSUER_URI</code>, except that the
     configuration will only be used to authenticate REST clients. When not provided,
-    <code>OIDC_ISSUER_URI</code> will be used.</li>
+    <code>OIDC_ISSUER_URI</code> will be used. This would be used when the authentication provider's endpoint
+    for user authentication is different from the endpoint for authentication of REST clients.</li>
 <li><code>OIDC_CLIENT_ID</code> (Required): The client ID that Workflow Manager will use to authenticate with
     the OIDC provider.</li>
 <li><code>OIDC_CLIENT_SECRET</code> (Required): The client secret Workflow Manager will use to authenticate
@@ -298,14 +299,17 @@ <h3 id="workflow-manager-environment-variables">Workflow Manager Environment Var
 </ul>
 <h3 id="component-environment-variables">Component Environment Variables</h3>
 <ul>
-<li><code>OIDC_JWT_ISSUER_URI</code> or <code>OIDC_ISSUER_URI</code>: URI for the OIDC provider that will be used to
-    authenticate REST clients. The OIDC configuration endpoint must exist at the value of this
+<li><code>OIDC_JWT_ISSUER_URI</code> or <code>OIDC_ISSUER_URI</code> (Required): URI for the OIDC provider that will be used
+    to authenticate REST clients. The OIDC configuration endpoint must exist at the value of this
     environment variable with <code>/.well-known/openid-configuration</code> appended. If both environment
-    variables are provided, <code>OIDC_JWT_ISSUER_URI</code> will be used.</li>
-<li><code>WFM_USER</code>: The client ID that the component service will use when registering the component
-    with Workflow Manager.</li>
-<li><code>WFM_PASSWORD</code>: The client secret that the component service will use when registering the
-    component with Workflow Manager.</li>
+    variables are provided, <code>OIDC_JWT_ISSUER_URI</code> will be used. If <code>OIDC_JWT_ISSUER_URI</code> is set on
+    Workflow Manager, it should be set to the same value on the component services. If
+    <code>OIDC_JWT_ISSUER_URI</code> is not set on Workflow Manager, <code>OIDC_ISSUER_URI</code> should be set to the
+    same value on Workflow Manager and the component services.</li>
+<li><code>OIDC_CLIENT_ID</code> (Required): The client ID that the component service will use when registering
+    the component with Workflow Manager.</li>
+<li><code>OIDC_CLIENT_SECRET</code> (Required): The client secret that the component service will use when
+    registering the component with Workflow Manager.</li>
 </ul>
 <h2 id="example-with-keycloak">Example with Keycloak</h2>
 <p>The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.
@@ -380,7 +384,7 @@ <h2 id="example-with-keycloak">Example with Keycloak</h2>
 <li>Use the "Clients" menu to create a new client.</li>
 <li>Capability config:<ul>
 <li>The client needs to have "Client authentication" and "Service accounts roles" enabled.</li>
-<li>Use the "Service account roles" tab to add the client to one of the roles created in step 5.</li>
+<li>Use the "Service account roles" tab to add the client to one of the roles created in step 6.</li>
 </ul>
 </li>
 <li>Set the component services' <code>WFM_USER</code> environment variable to the client ID you entered.</li>
@@ -392,7 +396,7 @@ <h2 id="example-with-keycloak">Example with Keycloak</h2>
 <li>Use the "Clients" menu to create a new client.</li>
 <li>Capability config:<ul>
 <li>The client needs to have "Client authentication" and "Service accounts roles" enabled.</li>
-<li>Use the "Service account roles" tab to add the client to one of the roles created in step 5.</li>
+<li>Use the "Service account roles" tab to add the client to one of the roles created in step 6.</li>
 </ul>
 </li>
 </ul>
diff --git a/docs/site/index.html b/docs/site/index.html
index a8a744bc3db6..f170bd26c216 100644
--- a/docs/site/index.html
+++ b/docs/site/index.html
@@ -388,5 +388,5 @@ <h1 id="overview">Overview</h1>
 
 <!--
 MkDocs version : 0.17.5
-Build Date UTC : 2023-11-14 18:01:04
+Build Date UTC : 2023-11-29 13:37:49
 -->
diff --git a/docs/site/search/search_index.json b/docs/site/search/search_index.json
index dbb514190fe7..ba1291a1bfa4 100644
--- a/docs/site/search/search_index.json
+++ b/docs/site/search/search_index.json
@@ -262,7 +262,7 @@
         },
         {
             "location": "/OpenID-Connect-Guide/index.html",
-            "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of the claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nIf Workflow Manager is configured to use OIDC, then the component services must also be configured\nto use OIDC. The component services will use OIDC if either the \nOIDC_JWT_ISSUER_URI\n or\n\nOIDC_ISSUER_URI\n environment variables are set on the component service. When a component service\nis configured to use OIDC, the \nWFM_USER\n and \nWFM_PASSWORD\n environment variables are used to\nspecify the client ID and secret that will be used during component registration.\n\n\nWorkflow Manager Environment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n    \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n    \nOIDC_ISSUER_URI\n will be used.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list of the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n    list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n    \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n    This would generally be used when the host name that Workflow Manager uses to connect to the\n    OIDC provider is different from the OIDC provider's public host name. The value can use the\n    \ntemplate variables supported by Spring.\n\n\n\n\nComponent Environment Variables\n\n\n\n\nOIDC_JWT_ISSUER_URI\n or \nOIDC_ISSUER_URI\n: URI for the OIDC provider that will be used to\n    authenticate REST clients. The OIDC configuration endpoint must exist at the value of this\n    environment variable with \n/.well-known/openid-configuration\n appended. If both environment\n    variables are provided, \nOIDC_JWT_ISSUER_URI\n will be used.\n\n\nWFM_USER\n: The client ID that the component service will use when registering the component\n    with Workflow Manager.\n\n\nWFM_PASSWORD\n: The client secret that the component service will use when registering the\n    component with Workflow Manager.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n    password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\nUse the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager and the component services' \nOIDC_ISSUER_URI\n environment variable to:\n    \nhttp://<docker-gateway-ip>:9090/realms/<realm-name>\n\n\n\n\n5. Create the client that Workflow Manager will use to authenticate users:\n\n\n\n\nUse the \"Clients\" link in the left menu to create a new client.\n\n\nGeneral Settings:\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\nEnter a \"Client ID\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\n\n\n\n\nCapability config:\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\n\n\n\n\nLogin settings:\n\n\nSet \"Valid redirect URIs\" to\n  \nhttp://localhost:8080/workflow-manager/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080/workflow-manager\n\n\n\n\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n    Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n    \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n    like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" predefined mapper.\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n    \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n    user name instead of the ID.\n\n\n9. Create Users:\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Add Component Registration REST client:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 5.\n\n\n\n\n\n\nSet the component services' \nWFM_USER\n environment variable to the client ID you entered.\n\n\nSet component services' \nWFM_PASSWORD\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n11. Add external REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 5.\n\n\n\n\n\n\n\n\n12. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/actions",
+            "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of the claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nIf Workflow Manager is configured to use OIDC, then the component services must also be configured\nto use OIDC. The component services will use OIDC if either the \nOIDC_JWT_ISSUER_URI\n or\n\nOIDC_ISSUER_URI\n environment variables are set on the component service. When a component service\nis configured to use OIDC, the \nOIDC_CLIENT_ID\n and \nOIDC_CLIENT_SECRET\n environment variables are\nused to specify the client ID and secret that will be used during component registration.\n\n\nWorkflow Manager Environment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n    \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n    \nOIDC_ISSUER_URI\n will be used. This would be used when the authentication provider's endpoint\n    for user authentication is different from the endpoint for authentication of REST clients.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list of the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n    list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n    \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n    This would generally be used when the host name that Workflow Manager uses to connect to the\n    OIDC provider is different from the OIDC provider's public host name. The value can use the\n    \ntemplate variables supported by Spring.\n\n\n\n\nComponent Environment Variables\n\n\n\n\nOIDC_JWT_ISSUER_URI\n or \nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used\n    to authenticate REST clients. The OIDC configuration endpoint must exist at the value of this\n    environment variable with \n/.well-known/openid-configuration\n appended. If both environment\n    variables are provided, \nOIDC_JWT_ISSUER_URI\n will be used. If \nOIDC_JWT_ISSUER_URI\n is set on\n    Workflow Manager, it should be set to the same value on the component services. If\n    \nOIDC_JWT_ISSUER_URI\n is not set on Workflow Manager, \nOIDC_ISSUER_URI\n should be set to the\n    same value on Workflow Manager and the component services.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that the component service will use when registering\n    the component with Workflow Manager.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret that the component service will use when\n    registering the component with Workflow Manager.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n    password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\nUse the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager and the component services' \nOIDC_ISSUER_URI\n environment variable to:\n    \nhttp://<docker-gateway-ip>:9090/realms/<realm-name>\n\n\n\n\n5. Create the client that Workflow Manager will use to authenticate users:\n\n\n\n\nUse the \"Clients\" link in the left menu to create a new client.\n\n\nGeneral Settings:\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\nEnter a \"Client ID\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\n\n\n\n\nCapability config:\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\n\n\n\n\nLogin settings:\n\n\nSet \"Valid redirect URIs\" to\n  \nhttp://localhost:8080/workflow-manager/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080/workflow-manager\n\n\n\n\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n    Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n    \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n    like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" predefined mapper.\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n    \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n    user name instead of the ID.\n\n\n9. Create Users:\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Add Component Registration REST client:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 6.\n\n\n\n\n\n\nSet the component services' \nWFM_USER\n environment variable to the client ID you entered.\n\n\nSet component services' \nWFM_PASSWORD\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n11. Add external REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 6.\n\n\n\n\n\n\n\n\n12. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/actions",
             "title": "OpenID Connect Guide"
         },
         {
@@ -272,22 +272,22 @@
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#configuration",
-            "text": "In order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the  OIDC_CLIENT_ID  and OIDC_CLIENT_SECRET  environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith  /login/oauth2/code/provider  appended.  The documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the  OIDC_ISSUER_URI  environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with  /.well-known/openid-configuration  appended.  After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The  OIDC_USER_CLAIM_NAME  and  OIDC_ADMIN_CLAIM_NAME  environment variables\nspecify the name of the claim that must be present. The  OIDC_USER_CLAIM_VALUE  and OIDC_ADMIN_CLAIM_VALUE  environment variables specify the required value of the claim.  If Workflow Manager is configured to use OIDC, then the component services must also be configured\nto use OIDC. The component services will use OIDC if either the  OIDC_JWT_ISSUER_URI  or OIDC_ISSUER_URI  environment variables are set on the component service. When a component service\nis configured to use OIDC, the  WFM_USER  and  WFM_PASSWORD  environment variables are used to\nspecify the client ID and secret that will be used during component registration.",
+            "text": "In order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the  OIDC_CLIENT_ID  and OIDC_CLIENT_SECRET  environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith  /login/oauth2/code/provider  appended.  The documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the  OIDC_ISSUER_URI  environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with  /.well-known/openid-configuration  appended.  After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The  OIDC_USER_CLAIM_NAME  and  OIDC_ADMIN_CLAIM_NAME  environment variables\nspecify the name of the claim that must be present. The  OIDC_USER_CLAIM_VALUE  and OIDC_ADMIN_CLAIM_VALUE  environment variables specify the required value of the claim.  If Workflow Manager is configured to use OIDC, then the component services must also be configured\nto use OIDC. The component services will use OIDC if either the  OIDC_JWT_ISSUER_URI  or OIDC_ISSUER_URI  environment variables are set on the component service. When a component service\nis configured to use OIDC, the  OIDC_CLIENT_ID  and  OIDC_CLIENT_SECRET  environment variables are\nused to specify the client ID and secret that will be used during component registration.",
             "title": "Configuration"
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#workflow-manager-environment-variables",
-            "text": "OIDC_ISSUER_URI  (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If  OIDC_JWT_ISSUER_URI  is not set,  OIDC_ISSUER_URI  will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n     OIDC_ISSUER_URI  with  /.well-known/openid-configuration  appended.  OIDC_JWT_ISSUER_URI  (Optional): Works the same way as  OIDC_ISSUER_URI , except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n     OIDC_ISSUER_URI  will be used.  OIDC_CLIENT_ID  (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.  OIDC_CLIENT_SECRET  (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.  OIDC_USER_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     USER  role.  OIDC_USER_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_USER_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_ADMIN_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     ADMIN  role.  OIDC_ADMIN_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_ADMIN_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_SCOPES  (Optional): A comma-separated list of the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be  openid , so if this environment variable is omitted or  openid  is not in the\n    list, it will be automatically added.  OIDC_USER_NAME_ATTR  (Optional): The name of the claim containing the user name. Defaults to\n     sub .  OIDC_REDIRECT_URI  (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in  /login/oauth2/code/provider .\n    This would generally be used when the host name that Workflow Manager uses to connect to the\n    OIDC provider is different from the OIDC provider's public host name. The value can use the\n     template variables supported by Spring.",
+            "text": "OIDC_ISSUER_URI  (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If  OIDC_JWT_ISSUER_URI  is not set,  OIDC_ISSUER_URI  will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n     OIDC_ISSUER_URI  with  /.well-known/openid-configuration  appended.  OIDC_JWT_ISSUER_URI  (Optional): Works the same way as  OIDC_ISSUER_URI , except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n     OIDC_ISSUER_URI  will be used. This would be used when the authentication provider's endpoint\n    for user authentication is different from the endpoint for authentication of REST clients.  OIDC_CLIENT_ID  (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.  OIDC_CLIENT_SECRET  (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.  OIDC_USER_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     USER  role.  OIDC_USER_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_USER_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_ADMIN_CLAIM_NAME  (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n     ADMIN  role.  OIDC_ADMIN_CLAIM_VALUE  (Optional): Specifies the required value of the claim specified in\n     OIDC_ADMIN_CLAIM_NAME . If the claim is a list, only one of the values in the list must match.  OIDC_SCOPES  (Optional): A comma-separated list of the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be  openid , so if this environment variable is omitted or  openid  is not in the\n    list, it will be automatically added.  OIDC_USER_NAME_ATTR  (Optional): The name of the claim containing the user name. Defaults to\n     sub .  OIDC_REDIRECT_URI  (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in  /login/oauth2/code/provider .\n    This would generally be used when the host name that Workflow Manager uses to connect to the\n    OIDC provider is different from the OIDC provider's public host name. The value can use the\n     template variables supported by Spring.",
             "title": "Workflow Manager Environment Variables"
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#component-environment-variables",
-            "text": "OIDC_JWT_ISSUER_URI  or  OIDC_ISSUER_URI : URI for the OIDC provider that will be used to\n    authenticate REST clients. The OIDC configuration endpoint must exist at the value of this\n    environment variable with  /.well-known/openid-configuration  appended. If both environment\n    variables are provided,  OIDC_JWT_ISSUER_URI  will be used.  WFM_USER : The client ID that the component service will use when registering the component\n    with Workflow Manager.  WFM_PASSWORD : The client secret that the component service will use when registering the\n    component with Workflow Manager.",
+            "text": "OIDC_JWT_ISSUER_URI  or  OIDC_ISSUER_URI  (Required): URI for the OIDC provider that will be used\n    to authenticate REST clients. The OIDC configuration endpoint must exist at the value of this\n    environment variable with  /.well-known/openid-configuration  appended. If both environment\n    variables are provided,  OIDC_JWT_ISSUER_URI  will be used. If  OIDC_JWT_ISSUER_URI  is set on\n    Workflow Manager, it should be set to the same value on the component services. If\n     OIDC_JWT_ISSUER_URI  is not set on Workflow Manager,  OIDC_ISSUER_URI  should be set to the\n    same value on Workflow Manager and the component services.  OIDC_CLIENT_ID  (Required): The client ID that the component service will use when registering\n    the component with Workflow Manager.  OIDC_CLIENT_SECRET  (Required): The client secret that the component service will use when\n    registering the component with Workflow Manager.",
             "title": "Component Environment Variables"
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#example-with-keycloak",
-            "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.  1. Get the Docker gateway IP address by running the command below. It will be used in later steps.  docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge  2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.  docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev  3. Go to  http://localhost:9090/admin  in a browser and login with username  admin  and\n    password  admin .  4. Create a new realm:   Create a new realm using the drop down box in upper left that says \"master\".  Use the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager and the component services'  OIDC_ISSUER_URI  environment variable to:\n     http://<docker-gateway-ip>:9090/realms/<realm-name>   5. Create the client that Workflow Manager will use to authenticate users:   Use the \"Clients\" link in the left menu to create a new client.  General Settings:  The \"Client type\" needs to be set to \"OpenID Connect\".  Enter a \"Client ID\".  Set Workflow Manager's  OIDC_CLIENT_ID  environment variable to the client ID you entered.    Capability config:  \"Client authentication\" must be enabled.  \"Standard flow\" must be enabled.    Login settings:  Set \"Valid redirect URIs\" to\n   http://localhost:8080/workflow-manager/login/oauth2/code/provider  Set \"Valid post logout redirect URIs\" to  http://localhost:8080/workflow-manager    Set Workflow Manager's  OIDC_CLIENT_SECRET  environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.   6. Create a Keycloak role that maps to a Workflow Manager role:   Use the \"Realm roles\" link in the left menu to create a new role.  If the Keycloak role should make the user an  ADMIN  in Workflow Manager, set Workflow\n    Manager's  OIDC_ADMIN_CLAIM_VALUE  to the role name you just entered. If it should be a\n     USER , then set the  OIDC_USER_CLAIM_VALUE  environment variable.  Only one of  OIDC_ADMIN_CLAIM_VALUE  and  OIDC_USER_CLAIM_VALUE  need to be set. If you would\n    like to set up both roles repeat this step.   7. Include the Keycloak role(s) in the access token:   In the \"Client scopes\" menu add a mapper to the \"roles\" scope.  Use the \"groups\" predefined mapper.  The default name \"Token Claim Name\" is \"groups\". This can be changed.  If you created an  ADMIN  role in step 6 set  OIDC_ADMIN_CLAIM_NAME  to the value in\n    \"Token Claim Name\". If you created a  USER  role, do the same for  OIDC_USER_CLAIM_NAME .   8. Optionally, set Workflow Manager's  OIDC_USER_NAME_ATTR  to  preferred_username  to display the\n    user name instead of the ID.  9. Create Users:   After creating a user, set a password in the \"Credentials\" tab.  Use the \"Role mapping\" tab to add the user to one of roles created in step 6.   10. Add Component Registration REST client:   Use the \"Clients\" menu to create a new client.  Capability config:  The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.  Use the \"Service account roles\" tab to add the client to one of the roles created in step 5.    Set the component services'  WFM_USER  environment variable to the client ID you entered.  Set component services'  WFM_PASSWORD  environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.   11. Add external REST clients:   Use the \"Clients\" menu to create a new client.  Capability config:  The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.  Use the \"Service account roles\" tab to add the client to one of the roles created in step 5.     12. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.",
+            "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.  1. Get the Docker gateway IP address by running the command below. It will be used in later steps.  docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge  2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.  docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev  3. Go to  http://localhost:9090/admin  in a browser and login with username  admin  and\n    password  admin .  4. Create a new realm:   Create a new realm using the drop down box in upper left that says \"master\".  Use the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager and the component services'  OIDC_ISSUER_URI  environment variable to:\n     http://<docker-gateway-ip>:9090/realms/<realm-name>   5. Create the client that Workflow Manager will use to authenticate users:   Use the \"Clients\" link in the left menu to create a new client.  General Settings:  The \"Client type\" needs to be set to \"OpenID Connect\".  Enter a \"Client ID\".  Set Workflow Manager's  OIDC_CLIENT_ID  environment variable to the client ID you entered.    Capability config:  \"Client authentication\" must be enabled.  \"Standard flow\" must be enabled.    Login settings:  Set \"Valid redirect URIs\" to\n   http://localhost:8080/workflow-manager/login/oauth2/code/provider  Set \"Valid post logout redirect URIs\" to  http://localhost:8080/workflow-manager    Set Workflow Manager's  OIDC_CLIENT_SECRET  environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.   6. Create a Keycloak role that maps to a Workflow Manager role:   Use the \"Realm roles\" link in the left menu to create a new role.  If the Keycloak role should make the user an  ADMIN  in Workflow Manager, set Workflow\n    Manager's  OIDC_ADMIN_CLAIM_VALUE  to the role name you just entered. If it should be a\n     USER , then set the  OIDC_USER_CLAIM_VALUE  environment variable.  Only one of  OIDC_ADMIN_CLAIM_VALUE  and  OIDC_USER_CLAIM_VALUE  need to be set. If you would\n    like to set up both roles repeat this step.   7. Include the Keycloak role(s) in the access token:   In the \"Client scopes\" menu add a mapper to the \"roles\" scope.  Use the \"groups\" predefined mapper.  The default name \"Token Claim Name\" is \"groups\". This can be changed.  If you created an  ADMIN  role in step 6 set  OIDC_ADMIN_CLAIM_NAME  to the value in\n    \"Token Claim Name\". If you created a  USER  role, do the same for  OIDC_USER_CLAIM_NAME .   8. Optionally, set Workflow Manager's  OIDC_USER_NAME_ATTR  to  preferred_username  to display the\n    user name instead of the ID.  9. Create Users:   After creating a user, set a password in the \"Credentials\" tab.  Use the \"Role mapping\" tab to add the user to one of roles created in step 6.   10. Add Component Registration REST client:   Use the \"Clients\" menu to create a new client.  Capability config:  The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.  Use the \"Service account roles\" tab to add the client to one of the roles created in step 6.    Set the component services'  WFM_USER  environment variable to the client ID you entered.  Set component services'  WFM_PASSWORD  environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.   11. Add external REST clients:   Use the \"Clients\" menu to create a new client.  Capability config:  The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.  Use the \"Service account roles\" tab to add the client to one of the roles created in step 6.     12. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.",
             "title": "Example with Keycloak"
         },
         {
diff --git a/docs/site/sitemap.xml b/docs/site/sitemap.xml
index dfc18e9eabc2..fc59088946eb 100644
--- a/docs/site/sitemap.xml
+++ b/docs/site/sitemap.xml
@@ -2,137 +2,137 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
     <url>
      <loc>/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Release-Notes/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/License-And-Distribution/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Acknowledgements/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Install-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Admin-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/User-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/OpenID-Connect-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Media-Segmentation-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Feed-Forward-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Derivative-Media-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Object-Storage-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Markup-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/TiesDb-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Trigger-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/REST-API/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Component-API-Overview/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Component-Descriptor-Reference/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/CPP-Batch-Component-API/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Python-Batch-Component-API/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Java-Batch-Component-API/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/GPU-Support-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Contributor-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Development-Environment-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Node-Guide/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/Workflow-Manager-Architecture/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>/CPP-Streaming-Component-API/index.html</loc>
-     <lastmod>2023-11-14</lastmod>
+     <lastmod>2023-11-29</lastmod>
      <changefreq>daily</changefreq>
     </url>
 </urlset>
\ No newline at end of file

From 167fbf5f0d8f3a9578403cbda06621f96f7cd548 Mon Sep 17 00:00:00 2001
From: Brian Rosenberg <brosenberg@mitre.org>
Date: Wed, 29 Nov 2023 11:41:36 -0500
Subject: [PATCH 6/6] Address PR comments

---
 docs/docs/OpenID-Connect-Guide.md         | 3 ++-
 docs/site/OpenID-Connect-Guide/index.html | 3 ++-
 docs/site/index.html                      | 2 +-
 docs/site/search/search_index.json        | 4 ++--
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/docs/docs/OpenID-Connect-Guide.md b/docs/docs/OpenID-Connect-Guide.md
index 4eab654315b3..8673a0fa181c 100644
--- a/docs/docs/OpenID-Connect-Guide.md
+++ b/docs/docs/OpenID-Connect-Guide.md
@@ -78,7 +78,8 @@ used to specify the client ID and secret that will be used during component regi
     variables are provided, `OIDC_JWT_ISSUER_URI` will be used. If `OIDC_JWT_ISSUER_URI` is set on
     Workflow Manager, it should be set to the same value on the component services. If
     `OIDC_JWT_ISSUER_URI` is not set on Workflow Manager, `OIDC_ISSUER_URI` should be set to the
-    same value on Workflow Manager and the component services.
+    same value on Workflow Manager and the component services. When either environment variable is
+    set, the `WFM_USER` and `WFM_PASSWORD` environment variables are ignored.
 - `OIDC_CLIENT_ID` (Required): The client ID that the component service will use when registering
     the component with Workflow Manager.
 - `OIDC_CLIENT_SECRET` (Required): The client secret that the component service will use when
diff --git a/docs/site/OpenID-Connect-Guide/index.html b/docs/site/OpenID-Connect-Guide/index.html
index bf4e7eebd578..18322833b060 100644
--- a/docs/site/OpenID-Connect-Guide/index.html
+++ b/docs/site/OpenID-Connect-Guide/index.html
@@ -305,7 +305,8 @@ <h3 id="component-environment-variables">Component Environment Variables</h3>
     variables are provided, <code>OIDC_JWT_ISSUER_URI</code> will be used. If <code>OIDC_JWT_ISSUER_URI</code> is set on
     Workflow Manager, it should be set to the same value on the component services. If
     <code>OIDC_JWT_ISSUER_URI</code> is not set on Workflow Manager, <code>OIDC_ISSUER_URI</code> should be set to the
-    same value on Workflow Manager and the component services.</li>
+    same value on Workflow Manager and the component services. When either environment variable is
+    set, the <code>WFM_USER</code> and <code>WFM_PASSWORD</code> environment variables are ignored.</li>
 <li><code>OIDC_CLIENT_ID</code> (Required): The client ID that the component service will use when registering
     the component with Workflow Manager.</li>
 <li><code>OIDC_CLIENT_SECRET</code> (Required): The client secret that the component service will use when
diff --git a/docs/site/index.html b/docs/site/index.html
index f170bd26c216..a71256d2ad7a 100644
--- a/docs/site/index.html
+++ b/docs/site/index.html
@@ -388,5 +388,5 @@ <h1 id="overview">Overview</h1>
 
 <!--
 MkDocs version : 0.17.5
-Build Date UTC : 2023-11-29 13:37:49
+Build Date UTC : 2023-11-29 16:41:29
 -->
diff --git a/docs/site/search/search_index.json b/docs/site/search/search_index.json
index ba1291a1bfa4..dae91c3dffd8 100644
--- a/docs/site/search/search_index.json
+++ b/docs/site/search/search_index.json
@@ -262,7 +262,7 @@
         },
         {
             "location": "/OpenID-Connect-Guide/index.html",
-            "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of the claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nIf Workflow Manager is configured to use OIDC, then the component services must also be configured\nto use OIDC. The component services will use OIDC if either the \nOIDC_JWT_ISSUER_URI\n or\n\nOIDC_ISSUER_URI\n environment variables are set on the component service. When a component service\nis configured to use OIDC, the \nOIDC_CLIENT_ID\n and \nOIDC_CLIENT_SECRET\n environment variables are\nused to specify the client ID and secret that will be used during component registration.\n\n\nWorkflow Manager Environment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n    \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n    \nOIDC_ISSUER_URI\n will be used. This would be used when the authentication provider's endpoint\n    for user authentication is different from the endpoint for authentication of REST clients.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list of the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n    list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n    \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n    This would generally be used when the host name that Workflow Manager uses to connect to the\n    OIDC provider is different from the OIDC provider's public host name. The value can use the\n    \ntemplate variables supported by Spring.\n\n\n\n\nComponent Environment Variables\n\n\n\n\nOIDC_JWT_ISSUER_URI\n or \nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used\n    to authenticate REST clients. The OIDC configuration endpoint must exist at the value of this\n    environment variable with \n/.well-known/openid-configuration\n appended. If both environment\n    variables are provided, \nOIDC_JWT_ISSUER_URI\n will be used. If \nOIDC_JWT_ISSUER_URI\n is set on\n    Workflow Manager, it should be set to the same value on the component services. If\n    \nOIDC_JWT_ISSUER_URI\n is not set on Workflow Manager, \nOIDC_ISSUER_URI\n should be set to the\n    same value on Workflow Manager and the component services.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that the component service will use when registering\n    the component with Workflow Manager.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret that the component service will use when\n    registering the component with Workflow Manager.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n    password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\nUse the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager and the component services' \nOIDC_ISSUER_URI\n environment variable to:\n    \nhttp://<docker-gateway-ip>:9090/realms/<realm-name>\n\n\n\n\n5. Create the client that Workflow Manager will use to authenticate users:\n\n\n\n\nUse the \"Clients\" link in the left menu to create a new client.\n\n\nGeneral Settings:\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\nEnter a \"Client ID\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\n\n\n\n\nCapability config:\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\n\n\n\n\nLogin settings:\n\n\nSet \"Valid redirect URIs\" to\n  \nhttp://localhost:8080/workflow-manager/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080/workflow-manager\n\n\n\n\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n    Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n    \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n    like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" predefined mapper.\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n    \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n    user name instead of the ID.\n\n\n9. Create Users:\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Add Component Registration REST client:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 6.\n\n\n\n\n\n\nSet the component services' \nWFM_USER\n environment variable to the client ID you entered.\n\n\nSet component services' \nWFM_PASSWORD\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n11. Add external REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 6.\n\n\n\n\n\n\n\n\n12. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/actions",
+            "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2023\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider.  As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of the claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nIf Workflow Manager is configured to use OIDC, then the component services must also be configured\nto use OIDC. The component services will use OIDC if either the \nOIDC_JWT_ISSUER_URI\n or\n\nOIDC_ISSUER_URI\n environment variables are set on the component service. When a component service\nis configured to use OIDC, the \nOIDC_CLIENT_ID\n and \nOIDC_CLIENT_SECRET\n environment variables are\nused to specify the client ID and secret that will be used during component registration.\n\n\nWorkflow Manager Environment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n    through the web UI. If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n    authenticate REST clients.  The OIDC configuration endpoint must exist at the value of\n    \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n    configuration will only be used to authenticate REST clients. When not provided,\n    \nOIDC_ISSUER_URI\n will be used. This would be used when the authentication provider's endpoint\n    for user authentication is different from the endpoint for authentication of REST clients.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n    the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n    with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n    that is required for a user or REST client to be granted access to Workflow Manager with the\n    \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n    \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list of the scopes to be requested from the OIDC\n    provider when authenticating a user through the web UI. The OIDC specification requires one of\n    the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n    list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n    \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n    logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n    This would generally be used when the host name that Workflow Manager uses to connect to the\n    OIDC provider is different from the OIDC provider's public host name. The value can use the\n    \ntemplate variables supported by Spring.\n\n\n\n\nComponent Environment Variables\n\n\n\n\nOIDC_JWT_ISSUER_URI\n or \nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used\n    to authenticate REST clients. The OIDC configuration endpoint must exist at the value of this\n    environment variable with \n/.well-known/openid-configuration\n appended. If both environment\n    variables are provided, \nOIDC_JWT_ISSUER_URI\n will be used. If \nOIDC_JWT_ISSUER_URI\n is set on\n    Workflow Manager, it should be set to the same value on the component services. If\n    \nOIDC_JWT_ISSUER_URI\n is not set on Workflow Manager, \nOIDC_ISSUER_URI\n should be set to the\n    same value on Workflow Manager and the component services. When either environment variable is\n    set, the \nWFM_USER\n and \nWFM_PASSWORD\n environment variables are ignored.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that the component service will use when registering\n    the component with Workflow Manager.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret that the component service will use when\n    registering the component with Workflow Manager.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n    The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n    following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n    quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n    password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\nUse the realm name you entered and the gateway IP address from step 1 to set Workflow\n    Manager and the component services' \nOIDC_ISSUER_URI\n environment variable to:\n    \nhttp://<docker-gateway-ip>:9090/realms/<realm-name>\n\n\n\n\n5. Create the client that Workflow Manager will use to authenticate users:\n\n\n\n\nUse the \"Clients\" link in the left menu to create a new client.\n\n\nGeneral Settings:\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\nEnter a \"Client ID\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\n\n\n\n\nCapability config:\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\n\n\n\n\nLogin settings:\n\n\nSet \"Valid redirect URIs\" to\n  \nhttp://localhost:8080/workflow-manager/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080/workflow-manager\n\n\n\n\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n    Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n    \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n    like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" predefined mapper.\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n    \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n    user name instead of the ID.\n\n\n9. Create Users:\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Add Component Registration REST client:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 6.\n\n\n\n\n\n\nSet the component services' \nWFM_USER\n environment variable to the client ID you entered.\n\n\nSet component services' \nWFM_PASSWORD\n environment variable to the \"Client secret\" in the\n    \"Credentials\" tab.\n\n\n\n\n11. Add external REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 6.\n\n\n\n\n\n\n\n\n12. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n     redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer <access-token>\" http://localhost:8080/workflow-manager/rest/actions",
             "title": "OpenID Connect Guide"
         },
         {
@@ -282,7 +282,7 @@
         },
         {
             "location": "/OpenID-Connect-Guide/index.html#component-environment-variables",
-            "text": "OIDC_JWT_ISSUER_URI  or  OIDC_ISSUER_URI  (Required): URI for the OIDC provider that will be used\n    to authenticate REST clients. The OIDC configuration endpoint must exist at the value of this\n    environment variable with  /.well-known/openid-configuration  appended. If both environment\n    variables are provided,  OIDC_JWT_ISSUER_URI  will be used. If  OIDC_JWT_ISSUER_URI  is set on\n    Workflow Manager, it should be set to the same value on the component services. If\n     OIDC_JWT_ISSUER_URI  is not set on Workflow Manager,  OIDC_ISSUER_URI  should be set to the\n    same value on Workflow Manager and the component services.  OIDC_CLIENT_ID  (Required): The client ID that the component service will use when registering\n    the component with Workflow Manager.  OIDC_CLIENT_SECRET  (Required): The client secret that the component service will use when\n    registering the component with Workflow Manager.",
+            "text": "OIDC_JWT_ISSUER_URI  or  OIDC_ISSUER_URI  (Required): URI for the OIDC provider that will be used\n    to authenticate REST clients. The OIDC configuration endpoint must exist at the value of this\n    environment variable with  /.well-known/openid-configuration  appended. If both environment\n    variables are provided,  OIDC_JWT_ISSUER_URI  will be used. If  OIDC_JWT_ISSUER_URI  is set on\n    Workflow Manager, it should be set to the same value on the component services. If\n     OIDC_JWT_ISSUER_URI  is not set on Workflow Manager,  OIDC_ISSUER_URI  should be set to the\n    same value on Workflow Manager and the component services. When either environment variable is\n    set, the  WFM_USER  and  WFM_PASSWORD  environment variables are ignored.  OIDC_CLIENT_ID  (Required): The client ID that the component service will use when registering\n    the component with Workflow Manager.  OIDC_CLIENT_SECRET  (Required): The client secret that the component service will use when\n    registering the component with Workflow Manager.",
             "title": "Component Environment Variables"
         },
         {