From 4ba60ec9f3d5bd289be82ae69018d66c60c59cb8 Mon Sep 17 00:00:00 2001
From: Brian Rosenberg
Date: Fri, 21 Mar 2025 10:07:24 -0400
Subject: [PATCH 1/2] Remove component sections from oidc guide.
---
docs/docs/OpenID-Connect-Guide.md | 39 +-------------
docs/site/OpenID-Connect-Guide/index.html | 39 +-------------
docs/site/index.html | 2 +-
docs/site/search/search_index.json | 11 ++--
docs/site/sitemap.xml | 64 +++++++++++------------
5 files changed, 40 insertions(+), 115 deletions(-)
diff --git a/docs/docs/OpenID-Connect-Guide.md b/docs/docs/OpenID-Connect-Guide.md
index 07fb03de85d6..277804893d2a 100644
--- a/docs/docs/OpenID-Connect-Guide.md
+++ b/docs/docs/OpenID-Connect-Guide.md
@@ -26,12 +26,6 @@ with what role. The `OIDC_USER_CLAIM_NAME` and `OIDC_ADMIN_CLAIM_NAME` environme
specify the name of the claim that must be present. The `OIDC_USER_CLAIM_VALUE` and
`OIDC_ADMIN_CLAIM_VALUE` environment variables specify the required value of the claim.
-If Workflow Manager is configured to use OIDC, then the component services must also be configured
-to use OIDC. The component services will use OIDC if either the `OIDC_JWT_ISSUER_URI` or
-`OIDC_ISSUER_URI` environment variables are set on the component service. When a component service
-is configured to use OIDC, the `OIDC_CLIENT_ID` and `OIDC_CLIENT_SECRET` environment variables are
-used to specify the client ID and secret that will be used during component registration.
-
### Workflow Manager Environment Variables
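Review bot: Deleting this paragraph removes the only statement in the Configuration section that component services must also be configured for OIDC when Workflow Manager is, and nothing replaces it; the surviving sentences still talk about "a user or REST client" generically, so a reader of the new guide cannot tell whether components are expected to present OIDC tokens or the `WFM_USER`/`WFM_PASSWORD` credentials that later hunks in this patch also remove. The commit message ("Remove component sections from oidc guide") gives no reason. If the component-side OIDC configuration has been removed from the services, say so in the commit message; if it has only moved to another document, keep a one-line pointer here.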
@@ -70,22 +64,6 @@ used to specify the client ID and secret that will be used during component regi
[template variables supported by Spring.](https://docs.spring.io/spring-security/reference/servlet/oauth2/client/authorization-grants.html#oauth2Client-auth-code-redirect-uri)
-### Component Environment Variables
-
-- `OIDC_JWT_ISSUER_URI` or `OIDC_ISSUER_URI` (Required): URI for the OIDC provider that will be used
- to authenticate REST clients. The OIDC configuration endpoint must exist at the value of this
- environment variable with `/.well-known/openid-configuration` appended. If both environment
- variables are provided, `OIDC_JWT_ISSUER_URI` will be used. If `OIDC_JWT_ISSUER_URI` is set on
- Workflow Manager, it should be set to the same value on the component services. If
- `OIDC_JWT_ISSUER_URI` is not set on Workflow Manager, `OIDC_ISSUER_URI` should be set to the
- same value on Workflow Manager and the component services. When either environment variable is
- set, the `WFM_USER` and `WFM_PASSWORD` environment variables are ignored.
-- `OIDC_CLIENT_ID` (Required): The client ID that the component service will use when registering
- the component with Workflow Manager.
-- `OIDC_CLIENT_SECRET` (Required): The client secret that the component service will use when
- registering the component with Workflow Manager.
-
-
## Example with Keycloak
The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.
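Review bot: The deleted `OIDC_JWT_ISSUER_URI` / `OIDC_ISSUER_URI` bullet also carried the precedence rule "When either environment variable is set, the `WFM_USER` and `WFM_PASSWORD` environment variables are ignored", and that rule is not restated anywhere in the surviving Workflow Manager Environment Variables list, which still describes `OIDC_JWT_ISSUER_URI` as the configuration used "to authenticate REST clients". If the behaviour still exists it needs a home in the remaining list; if it no longer exists, an operator whose deployment sets both the OIDC variables and `WFM_USER`/`WFM_PASSWORD` will not learn from this guide which one wins. Collapsing the two trailing blank `-` lines before `## Example with Keycloak` is fine.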
@@ -110,9 +88,6 @@ docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin
4\. Create a new realm:
- Create a new realm using the drop down box in upper left that says "master".
-- Use the realm name you entered and the gateway IP address from step 1 to set Workflow
- Manager and the component services' `OIDC_ISSUER_URI` environment variable to:
- `http://:9090/realms/`
5\. Create the client that Workflow Manager will use to authenticate users:
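Review bot: Deleting this whole bullet loses the only step in the Keycloak walkthrough that tells the reader what value to give Workflow Manager's `OIDC_ISSUER_URI`, even though the variable list marks it as Required and step 2 explicitly defers its value to "how you set up Keycloak in the following steps". Only the "and the component services'" clause is obsolete; keep the bullet and trim it, for example "Use the realm name you entered and the gateway IP address from step 1 to set Workflow Manager's `OIDC_ISSUER_URI` environment variable to: `http://<docker-gateway-ip>:9090/realms/<realm-name>`". Without it, the gateway IP from step 1 is next used only in the "Test REST authentication" curl command and the reader has to infer the issuer URI from that.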
@@ -158,24 +133,14 @@ docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin
- After creating a user, set a password in the "Credentials" tab.
- Use the "Role mapping" tab to add the user to one of roles created in step 6.
-10\. Add Component Registration REST client:
-
-- Use the "Clients" menu to create a new client.
-- Capability config:
- - The client needs to have "Client authentication" and "Service accounts roles" enabled.
- - Use the "Service account roles" tab to add the client to one of the roles created in step 6.
-- Set the component services' `WFM_USER` environment variable to the client ID you entered.
-- Set component services' `WFM_PASSWORD` environment variable to the "Client secret" in the
- "Credentials" tab.
-
-11\. Add external REST clients:
+10\. Add external REST clients:
- Use the "Clients" menu to create a new client.
- Capability config:
- The client needs to have "Client authentication" and "Service accounts roles" enabled.
- Use the "Service account roles" tab to add the client to one of the roles created in step 6.
-12\. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be
+11\. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be
redirected to the Keycloak log in page. You can log in using the users created in step 9.
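Review bot: Renumbering 11 to 10 and 12 to 11 leaves the cross-reference in the "Test REST authentication" section immediately below this hunk stale: it still reads "the client ID and secret from step 11", which after this change is the "Start Workflow Manager" step rather than the external REST client step. Change it to "step 10" in the same commit; the same sentence appears unchanged as context in the HTML hunk for this page and inside the new `search_index.json` text, so the stale reference has already been carried into the regenerated site. Separately, the removed step 10 was where the component services' `WFM_USER`/`WFM_PASSWORD` were taken from a Keycloak service-account client; with it gone the example never says how the components authenticate to Workflow Manager, so either state that the remaining steps are sufficient for a working setup or add a replacement step.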
diff --git a/docs/site/OpenID-Connect-Guide/index.html b/docs/site/OpenID-Connect-Guide/index.html
index 85b9e91627dd..fd1f15c81e74 100644
--- a/docs/site/OpenID-Connect-Guide/index.html
+++ b/docs/site/OpenID-Connect-Guide/index.html
@@ -276,11 +276,6 @@ Configuration
with what role. The OIDC_USER_CLAIM_NAME and OIDC_ADMIN_CLAIM_NAME environment variables
specify the name of the claim that must be present. The OIDC_USER_CLAIM_VALUE and
OIDC_ADMIN_CLAIM_VALUE environment variables specify the required value of the claim.
-If Workflow Manager is configured to use OIDC, then the component services must also be configured
-to use OIDC. The component services will use OIDC if either the OIDC_JWT_ISSUER_URI or
-OIDC_ISSUER_URI environment variables are set on the component service. When a component service
-is configured to use OIDC, the OIDC_CLIENT_ID and OIDC_CLIENT_SECRET environment variables are
-used to specify the client ID and secret that will be used during component registration.
Workflow Manager Environment Variables
OIDC_ISSUER_URI (Required): URI for the OIDC provider that will be used to authenticate users
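Review bot: This hunk and the rest of the `docs/site/` changes appear to be generated site output (the same tree carries `search/search_index.json` and `sitemap.xml`), so they should be produced by rebuilding from the edited Markdown rather than edited by hand, and any fix made to the `.md` hunks above (the trimmed step-4 bullet, the "step 11" reference) must be regenerated here as well. The stat also lists 64 changed lines in `docs/site/sitemap.xml`, but that diff is not shown in this copy of the patch, so it cannot be reviewed; if it is only timestamp churn, consider leaving it out of this commit.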
@@ -317,21 +312,6 @@ Workflow Manager Environment Var
OIDC provider is different from the OIDC provider's public host name. The value can use the
template variables supported by Spring.
-Component Environment Variables
-
-OIDC_JWT_ISSUER_URI or OIDC_ISSUER_URI (Required): URI for the OIDC provider that will be used
- to authenticate REST clients. The OIDC configuration endpoint must exist at the value of this
- environment variable with /.well-known/openid-configuration appended. If both environment
- variables are provided, OIDC_JWT_ISSUER_URI will be used. If OIDC_JWT_ISSUER_URI is set on
- Workflow Manager, it should be set to the same value on the component services. If
- OIDC_JWT_ISSUER_URI is not set on Workflow Manager, OIDC_ISSUER_URI should be set to the
- same value on Workflow Manager and the component services. When either environment variable is
- set, the WFM_USER and WFM_PASSWORD environment variables are ignored.
-OIDC_CLIENT_ID (Required): The client ID that the component service will use when registering
- the component with Workflow Manager.
-OIDC_CLIENT_SECRET (Required): The client secret that the component service will use when
- registering the component with Workflow Manager.
-
Example with Keycloak
The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.
It is just an example and should not be used in production.
@@ -349,9 +329,6 @@ Example with Keycloak
4. Create a new realm:
- Create a new realm using the drop down box in upper left that says "master".
-- Use the realm name you entered and the gateway IP address from step 1 to set Workflow
- Manager and the component services'
OIDC_ISSUER_URI environment variable to:
- http://<docker-gateway-ip>:9090/realms/<realm-name>
5. Create the client that Workflow Manager will use to authenticate users:
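Review bot: The removed line here shows the concrete issuer URI shape `http://<docker-gateway-ip>:9090/realms/<realm-name>`, which is what the Keycloak example loses; in the corresponding Markdown hunk the same code span appears as `http://:9090/realms/` with both placeholders absent. Before restoring the bullet in the `.md` (as suggested on that hunk), confirm the source really contains the `<docker-gateway-ip>` and `<realm-name>` placeholders inside the backticks, so that the rendered page keeps them.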
@@ -402,19 +379,7 @@ Example with Keycloak
- After creating a user, set a password in the "Credentials" tab.
- Use the "Role mapping" tab to add the user to one of roles created in step 6.
-10. Add Component Registration REST client:
-
-- Use the "Clients" menu to create a new client.
-- Capability config:
-- The client needs to have "Client authentication" and "Service accounts roles" enabled.
-- Use the "Service account roles" tab to add the client to one of the roles created in step 6.
-
-
-- Set the component services'
WFM_USER environment variable to the client ID you entered.
-- Set component services'
WFM_PASSWORD environment variable to the "Client secret" in the
- "Credentials" tab.
-
-11. Add external REST clients:
+10. Add external REST clients:
- Use the "Clients" menu to create a new client.
- Capability config:
@@ -423,7 +388,7 @@ Example with Keycloak
-12. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be
+
11. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be
redirected to the Keycloak log in page. You can log in using the users created in step 9.
Test REST authentication
Using the Docker gateway IP address from step 1, the client ID and secret from step 11, and the
diff --git a/docs/site/index.html b/docs/site/index.html
index 20a3e606be45..b1b9a7c2bcce 100644
--- a/docs/site/index.html
+++ b/docs/site/index.html
@@ -408,5 +408,5 @@
Overview
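Review bot: Only the `Overview` context line of this `@@ -408,5 +408,5 @@` hunk survives in this copy; the changed `+`/`-` lines are not visible, so the edit to `docs/site/index.html` cannot be reviewed here. If the site is regenerated as suggested on the OpenID-Connect-Guide HTML hunk, this file will be rebuilt along with it.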
diff --git a/docs/site/search/search_index.json b/docs/site/search/search_index.json
index 4286e287abd9..b8609d656ae9 100644
--- a/docs/site/search/search_index.json
+++ b/docs/site/search/search_index.json
@@ -277,7 +277,7 @@
},
{
"location": "/OpenID-Connect-Guide/index.html",
- "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2024\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider. As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of the claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nIf Workflow Manager is configured to use OIDC, then the component services must also be configured\nto use OIDC. 
The component services will use OIDC if either the \nOIDC_JWT_ISSUER_URI\n or\n\nOIDC_ISSUER_URI\n environment variables are set on the component service. When a component service\nis configured to use OIDC, the \nOIDC_CLIENT_ID\n and \nOIDC_CLIENT_SECRET\n environment variables are\nused to specify the client ID and secret that will be used during component registration.\n\n\nWorkflow Manager Environment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n through the web UI. If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n authenticate REST clients. The OIDC configuration endpoint must exist at the value of\n \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n configuration will only be used to authenticate REST clients. When not provided,\n \nOIDC_ISSUER_URI\n will be used. This would be used when the authentication provider's endpoint\n for user authentication is different from the endpoint for authentication of REST clients.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n that is required for a user or REST client to be granted access to Workflow Manager with the\n \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n \nOIDC_USER_CLAIM_NAME\n. 
If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n that is required for a user or REST client to be granted access to Workflow Manager with the\n \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list of the scopes to be requested from the OIDC\n provider when authenticating a user through the web UI. The OIDC specification requires one of\n the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n This would generally be used when the host name that Workflow Manager uses to connect to the\n OIDC provider is different from the OIDC provider's public host name. The value can use the\n \ntemplate variables supported by Spring.\n\n\n\n\nComponent Environment Variables\n\n\n\n\nOIDC_JWT_ISSUER_URI\n or \nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used\n to authenticate REST clients. The OIDC configuration endpoint must exist at the value of this\n environment variable with \n/.well-known/openid-configuration\n appended. If both environment\n variables are provided, \nOIDC_JWT_ISSUER_URI\n will be used. If \nOIDC_JWT_ISSUER_URI\n is set on\n Workflow Manager, it should be set to the same value on the component services. 
If\n \nOIDC_JWT_ISSUER_URI\n is not set on Workflow Manager, \nOIDC_ISSUER_URI\n should be set to the\n same value on Workflow Manager and the component services. When either environment variable is\n set, the \nWFM_USER\n and \nWFM_PASSWORD\n environment variables are ignored.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that the component service will use when registering\n the component with Workflow Manager.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret that the component service will use when\n registering the component with Workflow Manager.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\nUse the realm name you entered and the gateway IP address from step 1 to set Workflow\n Manager and the component services' \nOIDC_ISSUER_URI\n environment variable to:\n \nhttp://:9090/realms/\n\n\n\n\n5. 
Create the client that Workflow Manager will use to authenticate users:\n\n\n\n\nUse the \"Clients\" link in the left menu to create a new client.\n\n\nGeneral Settings:\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\nEnter a \"Client ID\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\n\n\n\n\nCapability config:\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\n\"Service accounts roles\" must be enabled so that Workflow Manager can include an OAuth token\n in job completion callbacks and when communicating with TiesDb.\n\n\n\n\n\n\nLogin settings:\n\n\nSet \"Valid redirect URIs\" to\n \nhttp://localhost:8080/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080\n\n\n\n\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" predefined mapper.\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. 
Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n user name instead of the ID.\n\n\n9. Create Users:\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Add Component Registration REST client:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 6.\n\n\n\n\n\n\nSet the component services' \nWFM_USER\n environment variable to the client ID you entered.\n\n\nSet component services' \nWFM_PASSWORD\n environment variable to the \"Client secret\" in the\n \"Credentials\" tab.\n\n\n\n\n11. Add external REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 6.\n\n\n\n\n\n\n\n\n12. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u ':' 'http://:9090/realms//protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. 
For example:\n\n\ncurl -H \"Authorization: Bearer \" http://localhost:8080/rest/actions\n\n\n\nUse OAuth when sending job complete callbacks and when posting to TiesDb.\n\n\n1. Create a client for the callback receiver or TiesDb:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\n\n\n\n\nConfigure the callback receiver or TiesDb with the client ID and secret.\n\n\n\n\n2. Create a client role:\n\n\n\n\nUse the \"Roles\" tab to add a role to the client that was just created.\n\n\n\n\n3. Add the role to the Workflow Manager's client:\n\n\n\n\nGo to the client details page for the client created for Workflow Manager.\n\n\nGo to the \"Service accounts roles\" tab.\n\n\nClick \"Assign role\".\n\n\nChange \"Filter by realm roles\" to \"Filter by clients\".\n\n\nAssign the role created in step 2.\n\n\n\n\n4. Run jobs with the \nCALLBACK_USE_OIDC\n or \nTIES_DB_USE_OIDC\n job properties set to \nTRUE\n.\n\n\nTest callback authentication\n\n\nThe Python script below can be used to test callback authentication. Before running the script you\nmust run \npip install Flask-pyoidc==3.14.2\n. To run the script, you must set the \nOIDC_ISSUER_URI\n,\n\nOIDC_CLIENT_ID\n, and \nOIDC_CLIENT_SECRET\n environment variables. 
Note that the script configures\nthe \nFlask-pyoidc\n package to authenticate Web users, as required by the package, but we are only\ntesting the authentication of REST clients.\n\n\nOnce the script is running, a user can submit a job via the Workflow Manager Swagger page with the\nfollowing fields to test callbacks:\n\n\n{\n \"callbackMethod\": \"POST\",\n \"callbackURL\": \"http://localhost:5000/api\",\n \"jobProperties\": {\n \"CALLBACK_USE_OIDC\": \"TRUE\"\n }\n}\n\n\n\nimport json\nimport logging\nimport os\n\nfrom flask import Flask, jsonify\nfrom flask_pyoidc.provider_configuration import ProviderConfiguration, ClientMetadata\nfrom flask_pyoidc import OIDCAuthentication\n\nlogging.basicConfig(level=logging.INFO)\n\napp = Flask(__name__)\napp.config.update(\n OIDC_REDIRECT_URI='http://localhost:5000/redirect_uri',\n SECRET_KEY='secret',\n DEBUG=True\n)\n\nauth = OIDCAuthentication({\n 'default': ProviderConfiguration(\n os.getenv('OIDC_ISSUER_URI'),\n client_metadata=ClientMetadata(\n os.getenv('OIDC_CLIENT_ID'), os.getenv('OIDC_CLIENT_SECRET'))\n )\n}, app)\n\n@app.route('/api', methods = ('GET', 'POST'))\n@auth.token_auth('default')\ndef api():\n print(type(auth.current_token_identity))\n print(json.dumps(auth.current_token_identity, sort_keys=True, indent=4))\n return jsonify({'message': 'test message'})\n\nif __name__ == '__main__':\n app.run()",
+ "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2024\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider. As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of the claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nWorkflow Manager Environment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n through the web UI. 
If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n authenticate REST clients. The OIDC configuration endpoint must exist at the value of\n \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n configuration will only be used to authenticate REST clients. When not provided,\n \nOIDC_ISSUER_URI\n will be used. This would be used when the authentication provider's endpoint\n for user authentication is different from the endpoint for authentication of REST clients.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n that is required for a user or REST client to be granted access to Workflow Manager with the\n \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n that is required for a user or REST client to be granted access to Workflow Manager with the\n \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list of the scopes to be requested from the OIDC\n provider when authenticating a user through the web UI. 
The OIDC specification requires one of\n the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n This would generally be used when the host name that Workflow Manager uses to connect to the\n OIDC provider is different from the OIDC provider's public host name. The value can use the\n \ntemplate variables supported by Spring.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\n\n\n5. 
Create the client that Workflow Manager will use to authenticate users:\n\n\n\n\nUse the \"Clients\" link in the left menu to create a new client.\n\n\nGeneral Settings:\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\nEnter a \"Client ID\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\n\n\n\n\nCapability config:\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\n\"Service accounts roles\" must be enabled so that Workflow Manager can include an OAuth token\n in job completion callbacks and when communicating with TiesDb.\n\n\n\n\n\n\nLogin settings:\n\n\nSet \"Valid redirect URIs\" to\n \nhttp://localhost:8080/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080\n\n\n\n\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" predefined mapper.\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. 
Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n user name instead of the ID.\n\n\n9. Create Users:\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Add external REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 6.\n\n\n\n\n\n\n\n\n11. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u ':' 'http://:9090/realms//protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer \" http://localhost:8080/rest/actions\n\n\n\nUse OAuth when sending job complete callbacks and when posting to TiesDb.\n\n\n1. Create a client for the callback receiver or TiesDb:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\n\n\n\n\nConfigure the callback receiver or TiesDb with the client ID and secret.\n\n\n\n\n2. Create a client role:\n\n\n\n\nUse the \"Roles\" tab to add a role to the client that was just created.\n\n\n\n\n3. 
Add the role to the Workflow Manager's client:\n\n\n\n\nGo to the client details page for the client created for Workflow Manager.\n\n\nGo to the \"Service accounts roles\" tab.\n\n\nClick \"Assign role\".\n\n\nChange \"Filter by realm roles\" to \"Filter by clients\".\n\n\nAssign the role created in step 2.\n\n\n\n\n4. Run jobs with the \nCALLBACK_USE_OIDC\n or \nTIES_DB_USE_OIDC\n job properties set to \nTRUE\n.\n\n\nTest callback authentication\n\n\nThe Python script below can be used to test callback authentication. Before running the script you\nmust run \npip install Flask-pyoidc==3.14.2\n. To run the script, you must set the \nOIDC_ISSUER_URI\n,\n\nOIDC_CLIENT_ID\n, and \nOIDC_CLIENT_SECRET\n environment variables. Note that the script configures\nthe \nFlask-pyoidc\n package to authenticate Web users, as required by the package, but we are only\ntesting the authentication of REST clients.\n\n\nOnce the script is running, a user can submit a job via the Workflow Manager Swagger page with the\nfollowing fields to test callbacks:\n\n\n{\n \"callbackMethod\": \"POST\",\n \"callbackURL\": \"http://localhost:5000/api\",\n \"jobProperties\": {\n \"CALLBACK_USE_OIDC\": \"TRUE\"\n }\n}\n\n\n\nimport json\nimport logging\nimport os\n\nfrom flask import Flask, jsonify\nfrom flask_pyoidc.provider_configuration import ProviderConfiguration, ClientMetadata\nfrom flask_pyoidc import OIDCAuthentication\n\nlogging.basicConfig(level=logging.INFO)\n\napp = Flask(__name__)\napp.config.update(\n OIDC_REDIRECT_URI='http://localhost:5000/redirect_uri',\n SECRET_KEY='secret',\n DEBUG=True\n)\n\nauth = OIDCAuthentication({\n 'default': ProviderConfiguration(\n os.getenv('OIDC_ISSUER_URI'),\n client_metadata=ClientMetadata(\n os.getenv('OIDC_CLIENT_ID'), os.getenv('OIDC_CLIENT_SECRET'))\n )\n}, app)\n\n@app.route('/api', methods = ('GET', 'POST'))\n@auth.token_auth('default')\ndef api():\n print(type(auth.current_token_identity))\n print(json.dumps(auth.current_token_identity, 
sort_keys=True, indent=4))\n return jsonify({'message': 'test message'})\n\nif __name__ == '__main__':\n app.run()",
"title": "OpenID Connect Guide"
},
{
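Review bot: The step cross-reference in the "Test REST authentication" text is now stale: the renumbered example lists "Add external REST clients" as step 10 and "Start Workflow Manager" as step 11, yet the paragraph still says "the client ID and secret from step 11". Change it to step 10 in the same commit as the renumbering, and make the fix in the markdown source rather than here, since this search index is generated from it.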
@@ -287,7 +287,7 @@
},
{
"location": "/OpenID-Connect-Guide/index.html#configuration",
- "text": "In order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider. As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the OIDC_CLIENT_ID and OIDC_CLIENT_SECRET environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith /login/oauth2/code/provider appended. The documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the OIDC_ISSUER_URI environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with /.well-known/openid-configuration appended. After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The OIDC_USER_CLAIM_NAME and OIDC_ADMIN_CLAIM_NAME environment variables\nspecify the name of the claim that must be present. The OIDC_USER_CLAIM_VALUE and OIDC_ADMIN_CLAIM_VALUE environment variables specify the required value of the claim. If Workflow Manager is configured to use OIDC, then the component services must also be configured\nto use OIDC. The component services will use OIDC if either the OIDC_JWT_ISSUER_URI or OIDC_ISSUER_URI environment variables are set on the component service. When a component service\nis configured to use OIDC, the OIDC_CLIENT_ID and OIDC_CLIENT_SECRET environment variables are\nused to specify the client ID and secret that will be used during component registration.",
+ "text": "In order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider. As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the OIDC_CLIENT_ID and OIDC_CLIENT_SECRET environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith /login/oauth2/code/provider appended. The documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the OIDC_ISSUER_URI environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with /.well-known/openid-configuration appended. After a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The OIDC_USER_CLAIM_NAME and OIDC_ADMIN_CLAIM_NAME environment variables\nspecify the name of the claim that must be present. The OIDC_USER_CLAIM_VALUE and OIDC_ADMIN_CLAIM_VALUE environment variables specify the required value of the claim.",
"title": "Configuration"
},
{
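Review bot: With this paragraph removed, the Configuration text no longer says how component services authenticate to Workflow Manager once OIDC is enabled. The deleted "Component Environment Variables" entry in the next hunk stated that `WFM_USER` and `WFM_PASSWORD` are ignored when an issuer URI is set on the component, and the removed Keycloak step 10 had readers put a client ID and secret into those two variables; one sentence stating which mechanism components use now would stop readers from leaving `OIDC_*` variables on component services and expecting them to take effect.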
@@ -295,14 +295,9 @@
"text": "OIDC_ISSUER_URI (Required): URI for the OIDC provider that will be used to authenticate users\n through the web UI. If OIDC_JWT_ISSUER_URI is not set, OIDC_ISSUER_URI will also be used to\n authenticate REST clients. The OIDC configuration endpoint must exist at the value of\n OIDC_ISSUER_URI with /.well-known/openid-configuration appended. OIDC_JWT_ISSUER_URI (Optional): Works the same way as OIDC_ISSUER_URI , except that the\n configuration will only be used to authenticate REST clients. When not provided,\n OIDC_ISSUER_URI will be used. This would be used when the authentication provider's endpoint\n for user authentication is different from the endpoint for authentication of REST clients. OIDC_CLIENT_ID (Required): The client ID that Workflow Manager will use to authenticate with\n the OIDC provider. OIDC_CLIENT_SECRET (Required): The client secret Workflow Manager will use to authenticate\n with the OIDC provider. OIDC_USER_CLAIM_NAME (Optional): Specifies the name of the claim from the authentication token\n that is required for a user or REST client to be granted access to Workflow Manager with the\n USER role. OIDC_USER_CLAIM_VALUE (Optional): Specifies the required value of the claim specified in\n OIDC_USER_CLAIM_NAME . If the claim is a list, only one of the values in the list must match. OIDC_ADMIN_CLAIM_NAME (Optional): Specifies the name of the claim from the authentication token\n that is required for a user or REST client to be granted access to Workflow Manager with the\n ADMIN role. OIDC_ADMIN_CLAIM_VALUE (Optional): Specifies the required value of the claim specified in\n OIDC_ADMIN_CLAIM_NAME . If the claim is a list, only one of the values in the list must match. OIDC_SCOPES (Optional): A comma-separated list of the scopes to be requested from the OIDC\n provider when authenticating a user through the web UI. 
The OIDC specification requires one of\n the scopes to be openid , so if this environment variable is omitted or openid is not in the\n list, it will be automatically added. OIDC_USER_NAME_ATTR (Optional): The name of the claim containing the user name. Defaults to\n sub . OIDC_REDIRECT_URI (Optional): Specifies the URL the user's browser will be redirected to after\n logging in to the OIDC provider. If provided, the URL must end in /login/oauth2/code/provider .\n This would generally be used when the host name that Workflow Manager uses to connect to the\n OIDC provider is different from the OIDC provider's public host name. The value can use the\n template variables supported by Spring.",
"title": "Workflow Manager Environment Variables"
},
- {
- "location": "/OpenID-Connect-Guide/index.html#component-environment-variables",
- "text": "OIDC_JWT_ISSUER_URI or OIDC_ISSUER_URI (Required): URI for the OIDC provider that will be used\n to authenticate REST clients. The OIDC configuration endpoint must exist at the value of this\n environment variable with /.well-known/openid-configuration appended. If both environment\n variables are provided, OIDC_JWT_ISSUER_URI will be used. If OIDC_JWT_ISSUER_URI is set on\n Workflow Manager, it should be set to the same value on the component services. If\n OIDC_JWT_ISSUER_URI is not set on Workflow Manager, OIDC_ISSUER_URI should be set to the\n same value on Workflow Manager and the component services. When either environment variable is\n set, the WFM_USER and WFM_PASSWORD environment variables are ignored. OIDC_CLIENT_ID (Required): The client ID that the component service will use when registering\n the component with Workflow Manager. OIDC_CLIENT_SECRET (Required): The client secret that the component service will use when\n registering the component with Workflow Manager.",
- "title": "Component Environment Variables"
- },
{
"location": "/OpenID-Connect-Guide/index.html#example-with-keycloak",
- "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production. 1. Get the Docker gateway IP address by running the command below. It will be used in later steps. docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge 2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n following steps. docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n quay.io/keycloak/keycloak:21.1.1 start-dev 3. Go to http://localhost:9090/admin in a browser and login with username admin and\n password admin . 4. Create a new realm: Create a new realm using the drop down box in upper left that says \"master\". Use the realm name you entered and the gateway IP address from step 1 to set Workflow\n Manager and the component services' OIDC_ISSUER_URI environment variable to:\n http://:9090/realms/ 5. Create the client that Workflow Manager will use to authenticate users: Use the \"Clients\" link in the left menu to create a new client. General Settings: The \"Client type\" needs to be set to \"OpenID Connect\". Enter a \"Client ID\". Set Workflow Manager's OIDC_CLIENT_ID environment variable to the client ID you entered. Capability config: \"Client authentication\" must be enabled. \"Standard flow\" must be enabled. \"Service accounts roles\" must be enabled so that Workflow Manager can include an OAuth token\n in job completion callbacks and when communicating with TiesDb. Login settings: Set \"Valid redirect URIs\" to\n http://localhost:8080/login/oauth2/code/provider Set \"Valid post logout redirect URIs\" to http://localhost:8080 Set Workflow Manager's OIDC_CLIENT_SECRET environment variable to the \"Client secret\" in the\n \"Credentials\" tab. 6. 
Create a Keycloak role that maps to a Workflow Manager role: Use the \"Realm roles\" link in the left menu to create a new role. If the Keycloak role should make the user an ADMIN in Workflow Manager, set Workflow\n Manager's OIDC_ADMIN_CLAIM_VALUE to the role name you just entered. If it should be a\n USER , then set the OIDC_USER_CLAIM_VALUE environment variable. Only one of OIDC_ADMIN_CLAIM_VALUE and OIDC_USER_CLAIM_VALUE need to be set. If you would\n like to set up both roles repeat this step. 7. Include the Keycloak role(s) in the access token: In the \"Client scopes\" menu add a mapper to the \"roles\" scope. Use the \"groups\" predefined mapper. The default name \"Token Claim Name\" is \"groups\". This can be changed. If you created an ADMIN role in step 6 set OIDC_ADMIN_CLAIM_NAME to the value in\n \"Token Claim Name\". If you created a USER role, do the same for OIDC_USER_CLAIM_NAME . 8. Optionally, set Workflow Manager's OIDC_USER_NAME_ATTR to preferred_username to display the\n user name instead of the ID. 9. Create Users: After creating a user, set a password in the \"Credentials\" tab. Use the \"Role mapping\" tab to add the user to one of roles created in step 6. 10. Add Component Registration REST client: Use the \"Clients\" menu to create a new client. Capability config: The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled. Use the \"Service account roles\" tab to add the client to one of the roles created in step 6. Set the component services' WFM_USER environment variable to the client ID you entered. Set component services' WFM_PASSWORD environment variable to the \"Client secret\" in the\n \"Credentials\" tab. 11. Add external REST clients: Use the \"Clients\" menu to create a new client. Capability config: The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled. Use the \"Service account roles\" tab to add the client to one of the roles created in step 6. 12. 
Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n redirected to the Keycloak log in page. You can log in using the users created in step 9.",
+ "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production. 1. Get the Docker gateway IP address by running the command below. It will be used in later steps. docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge 2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n following steps. docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n quay.io/keycloak/keycloak:21.1.1 start-dev 3. Go to http://localhost:9090/admin in a browser and login with username admin and\n password admin . 4. Create a new realm: Create a new realm using the drop down box in upper left that says \"master\". 5. Create the client that Workflow Manager will use to authenticate users: Use the \"Clients\" link in the left menu to create a new client. General Settings: The \"Client type\" needs to be set to \"OpenID Connect\". Enter a \"Client ID\". Set Workflow Manager's OIDC_CLIENT_ID environment variable to the client ID you entered. Capability config: \"Client authentication\" must be enabled. \"Standard flow\" must be enabled. \"Service accounts roles\" must be enabled so that Workflow Manager can include an OAuth token\n in job completion callbacks and when communicating with TiesDb. Login settings: Set \"Valid redirect URIs\" to\n http://localhost:8080/login/oauth2/code/provider Set \"Valid post logout redirect URIs\" to http://localhost:8080 Set Workflow Manager's OIDC_CLIENT_SECRET environment variable to the \"Client secret\" in the\n \"Credentials\" tab. 6. Create a Keycloak role that maps to a Workflow Manager role: Use the \"Realm roles\" link in the left menu to create a new role. 
If the Keycloak role should make the user an ADMIN in Workflow Manager, set Workflow\n Manager's OIDC_ADMIN_CLAIM_VALUE to the role name you just entered. If it should be a\n USER , then set the OIDC_USER_CLAIM_VALUE environment variable. Only one of OIDC_ADMIN_CLAIM_VALUE and OIDC_USER_CLAIM_VALUE need to be set. If you would\n like to set up both roles repeat this step. 7. Include the Keycloak role(s) in the access token: In the \"Client scopes\" menu add a mapper to the \"roles\" scope. Use the \"groups\" predefined mapper. The default name \"Token Claim Name\" is \"groups\". This can be changed. If you created an ADMIN role in step 6 set OIDC_ADMIN_CLAIM_NAME to the value in\n \"Token Claim Name\". If you created a USER role, do the same for OIDC_USER_CLAIM_NAME . 8. Optionally, set Workflow Manager's OIDC_USER_NAME_ATTR to preferred_username to display the\n user name instead of the ID. 9. Create Users: After creating a user, set a password in the \"Credentials\" tab. Use the \"Role mapping\" tab to add the user to one of roles created in step 6. 10. Add external REST clients: Use the \"Clients\" menu to create a new client. Capability config: The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled. Use the \"Service account roles\" tab to add the client to one of the roles created in step 6. 11. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n redirected to the Keycloak log in page. You can log in using the users created in step 9.",
"title": "Example with Keycloak"
},
{
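Review bot: The rewritten step 4 drops the only instruction that sets `OIDC_ISSUER_URI` ("Use the realm name you entered and the gateway IP address from step 1 to set ... OIDC_ISSUER_URI environment variable to: http://:9090/realms/"), so a reader following the new text never configures a variable the guide marks as Required; keep that bullet and narrow "Workflow Manager and the component services'" to "Workflow Manager's". Related: the deleted step 10 was the only place after step 5 that told the reader where the client secret lives ("the "Client secret" in the "Credentials" tab"); the surviving "Add external REST clients" step needs that bullet, because the "Test REST authentication" command is the first place the secret is used.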
diff --git a/docs/site/sitemap.xml b/docs/site/sitemap.xml
index 080567a2740b..0fd5dee3ce79 100644
--- a/docs/site/sitemap.xml
+++ b/docs/site/sitemap.xml
@@ -2,162 +2,162 @@
/index.html
- 2025-03-18
+ 2025-03-21
daily
/Release-Notes/index.html
- 2025-03-18
+ 2025-03-21
daily
/License-And-Distribution/index.html
- 2025-03-18
+ 2025-03-21
daily
/Acknowledgements/index.html
- 2025-03-18
+ 2025-03-21
daily
/Install-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Admin-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/User-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/OpenID-Connect-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Media-Segmentation-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Feed-Forward-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Derivative-Media-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Object-Storage-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Markup-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/TiesDb-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Trigger-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Roll-Up-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Health-Check-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Artifact-Extraction-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Quality-Selection-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Media-Selectors-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/REST-API/index.html
- 2025-03-18
+ 2025-03-21
daily
/Component-API-Overview/index.html
- 2025-03-18
+ 2025-03-21
daily
/Component-Descriptor-Reference/index.html
- 2025-03-18
+ 2025-03-21
daily
/CPP-Batch-Component-API/index.html
- 2025-03-18
+ 2025-03-21
daily
/Python-Batch-Component-API/index.html
- 2025-03-18
+ 2025-03-21
daily
/Java-Batch-Component-API/index.html
- 2025-03-18
+ 2025-03-21
daily
/GPU-Support-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Contributor-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Development-Environment-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Node-Guide/index.html
- 2025-03-18
+ 2025-03-21
daily
/Workflow-Manager-Architecture/index.html
- 2025-03-18
+ 2025-03-21
daily
/CPP-Streaming-Component-API/index.html
- 2025-03-18
+ 2025-03-21
daily
\ No newline at end of file
From 3a7b6091caeace36e2cdd34c2568180c294ae78a Mon Sep 17 00:00:00 2001
From: Brian Rosenberg
Date: Mon, 24 Mar 2025 09:52:36 -0400
Subject: [PATCH 2/2] Fix oidc guide
---
docs/docs/OpenID-Connect-Guide.md | 4 +-
docs/site/OpenID-Connect-Guide/index.html | 4 +-
docs/site/index.html | 2 +-
docs/site/search/search_index.json | 6 +--
docs/site/sitemap.xml | 64 +++++++++++------------
5 files changed, 42 insertions(+), 38 deletions(-)
diff --git a/docs/docs/OpenID-Connect-Guide.md b/docs/docs/OpenID-Connect-Guide.md
index 277804893d2a..a91bc1889e03 100644
--- a/docs/docs/OpenID-Connect-Guide.md
+++ b/docs/docs/OpenID-Connect-Guide.md
@@ -88,6 +88,8 @@ docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin
4\. Create a new realm:
- Create a new realm using the drop down box in upper left that says "master".
+- Use the realm name you entered and the gateway IP address from step 1 to set Workflow Manager's
+ `OIDC_ISSUER_URI` environment variable to: `http://:9090/realms/`
5\. Create the client that Workflow Manager will use to authenticate users:
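Review bot: This restores the `OIDC_ISSUER_URI` instruction that the previous commit dropped from step 4, now scoped to Workflow Manager only, which closes that gap. One caveat worth a sentence in the guide: because the issuer is the Docker gateway address rather than `localhost`, tokens must be requested through that same `http://<docker-gateway-ip>:9090/realms/<realm-name>` base (as the curl command in "Test REST authentication" does), since Keycloak in dev mode with no fixed hostname derives the token's `iss` claim from the request host and Workflow Manager validates `iss` against `OIDC_ISSUER_URI`; a token fetched via `localhost:9090` would be rejected as coming from a different issuer.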
@@ -146,7 +148,7 @@ docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin
### Test REST authentication
-Using the Docker gateway IP address from step 1, the client ID and secret from step 11, and the
+Using the Docker gateway IP address from step 1, the client ID and secret from step 10, and the
realm name from step 4, run the following command:
```bash
curl -d grant_type=client_credentials -u ':' 'http://:9090/realms//protocol/openid-connect/token'
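Review bot: The cross-reference now matches the renumbered example (step 10 is "Add external REST clients"). A documentation point on the command that follows: `-u '<client-id>:<client-secret>'` places the client secret in shell history and in the process list while curl runs; since readers copy this line verbatim, `-u '<client-id>'` alone (curl then prompts for the secret) or `--netrc` is the safer form to document, with the same token endpoint and `grant_type=client_credentials` body.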
diff --git a/docs/site/OpenID-Connect-Guide/index.html b/docs/site/OpenID-Connect-Guide/index.html
index fd1f15c81e74..b8e359df9b2e 100644
--- a/docs/site/OpenID-Connect-Guide/index.html
+++ b/docs/site/OpenID-Connect-Guide/index.html
@@ -329,6 +329,8 @@ Example with Keycloak
4. Create a new realm:
- Create a new realm using the drop down box in upper left that says "master".
+- Use the realm name you entered and the gateway IP address from step 1 to set Workflow Manager's
+
OIDC_ISSUER_URI environment variable to: http://<docker-gateway-ip>:9090/realms/<realm-name>
5. Create the client that Workflow Manager will use to authenticate users:
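Review bot: This is the generated-site copy of the markdown hunk above and matches it (same wording, same placement in step 4, with the `<docker-gateway-ip>` and `<realm-name>` placeholders rendered explicitly). The same applies to the `search_index.json` and `sitemap.xml` hunks in both commits: they are build output regenerated from the markdown, so review effort belongs on `docs/docs/OpenID-Connect-Guide.md`, and the `lastmod` date churn in the sitemap needs no scrutiny.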
@@ -391,7 +393,7 @@ Example with Keycloak
11. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be
redirected to the Keycloak log in page. You can log in using the users created in step 9.
Test REST authentication
-Using the Docker gateway IP address from step 1, the client ID and secret from step 11, and the
+
Using the Docker gateway IP address from step 1, the client ID and secret from step 10, and the
realm name from step 4, run the following command:
curl -d grant_type=client_credentials -u '<client-id>:<client-secret>' 'http://<docker-gateway-ip>:9090/realms/<realm-name>/protocol/openid-connect/token'
diff --git a/docs/site/index.html b/docs/site/index.html
index b1b9a7c2bcce..fb120b8cda9e 100644
--- a/docs/site/index.html
+++ b/docs/site/index.html
@@ -408,5 +408,5 @@ Overview
diff --git a/docs/site/search/search_index.json b/docs/site/search/search_index.json
index b8609d656ae9..d5f93e1c8fae 100644
--- a/docs/site/search/search_index.json
+++ b/docs/site/search/search_index.json
@@ -277,7 +277,7 @@
},
{
"location": "/OpenID-Connect-Guide/index.html",
- "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2024\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider. As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of the claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nWorkflow Manager Environment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n through the web UI. 
If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n authenticate REST clients. The OIDC configuration endpoint must exist at the value of\n \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n configuration will only be used to authenticate REST clients. When not provided,\n \nOIDC_ISSUER_URI\n will be used. This would be used when the authentication provider's endpoint\n for user authentication is different from the endpoint for authentication of REST clients.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n that is required for a user or REST client to be granted access to Workflow Manager with the\n \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n that is required for a user or REST client to be granted access to Workflow Manager with the\n \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list of the scopes to be requested from the OIDC\n provider when authenticating a user through the web UI. 
The OIDC specification requires one of\n the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n This would generally be used when the host name that Workflow Manager uses to connect to the\n OIDC provider is different from the OIDC provider's public host name. The value can use the\n \ntemplate variables supported by Spring.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\n\n\n5. 
Create the client that Workflow Manager will use to authenticate users:\n\n\n\n\nUse the \"Clients\" link in the left menu to create a new client.\n\n\nGeneral Settings:\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\nEnter a \"Client ID\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\n\n\n\n\nCapability config:\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\n\"Service accounts roles\" must be enabled so that Workflow Manager can include an OAuth token\n in job completion callbacks and when communicating with TiesDb.\n\n\n\n\n\n\nLogin settings:\n\n\nSet \"Valid redirect URIs\" to\n \nhttp://localhost:8080/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080\n\n\n\n\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" predefined mapper.\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. 
Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n user name instead of the ID.\n\n\n9. Create Users:\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Add external REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 6.\n\n\n\n\n\n\n\n\n11. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u ':' 'http://:9090/realms//protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer \" http://localhost:8080/rest/actions\n\n\n\nUse OAuth when sending job complete callbacks and when posting to TiesDb.\n\n\n1. Create a client for the callback receiver or TiesDb:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\n\n\n\n\nConfigure the callback receiver or TiesDb with the client ID and secret.\n\n\n\n\n2. Create a client role:\n\n\n\n\nUse the \"Roles\" tab to add a role to the client that was just created.\n\n\n\n\n3. 
Add the role to the Workflow Manager's client:\n\n\n\n\nGo to the client details page for the client created for Workflow Manager.\n\n\nGo to the \"Service accounts roles\" tab.\n\n\nClick \"Assign role\".\n\n\nChange \"Filter by realm roles\" to \"Filter by clients\".\n\n\nAssign the role created in step 2.\n\n\n\n\n4. Run jobs with the \nCALLBACK_USE_OIDC\n or \nTIES_DB_USE_OIDC\n job properties set to \nTRUE\n.\n\n\nTest callback authentication\n\n\nThe Python script below can be used to test callback authentication. Before running the script you\nmust run \npip install Flask-pyoidc==3.14.2\n. To run the script, you must set the \nOIDC_ISSUER_URI\n,\n\nOIDC_CLIENT_ID\n, and \nOIDC_CLIENT_SECRET\n environment variables. Note that the script configures\nthe \nFlask-pyoidc\n package to authenticate Web users, as required by the package, but we are only\ntesting the authentication of REST clients.\n\n\nOnce the script is running, a user can submit a job via the Workflow Manager Swagger page with the\nfollowing fields to test callbacks:\n\n\n{\n \"callbackMethod\": \"POST\",\n \"callbackURL\": \"http://localhost:5000/api\",\n \"jobProperties\": {\n \"CALLBACK_USE_OIDC\": \"TRUE\"\n }\n}\n\n\n\nimport json\nimport logging\nimport os\n\nfrom flask import Flask, jsonify\nfrom flask_pyoidc.provider_configuration import ProviderConfiguration, ClientMetadata\nfrom flask_pyoidc import OIDCAuthentication\n\nlogging.basicConfig(level=logging.INFO)\n\napp = Flask(__name__)\napp.config.update(\n OIDC_REDIRECT_URI='http://localhost:5000/redirect_uri',\n SECRET_KEY='secret',\n DEBUG=True\n)\n\nauth = OIDCAuthentication({\n 'default': ProviderConfiguration(\n os.getenv('OIDC_ISSUER_URI'),\n client_metadata=ClientMetadata(\n os.getenv('OIDC_CLIENT_ID'), os.getenv('OIDC_CLIENT_SECRET'))\n )\n}, app)\n\n@app.route('/api', methods = ('GET', 'POST'))\n@auth.token_auth('default')\ndef api():\n print(type(auth.current_token_identity))\n print(json.dumps(auth.current_token_identity, 
sort_keys=True, indent=4))\n return jsonify({'message': 'test message'})\n\nif __name__ == '__main__':\n app.run()",
+ "text": "NOTICE:\n This software (or technical data) was produced for the U.S. Government under contract,\nand is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007). Copyright 2024\nThe MITRE Corporation. All Rights Reserved.\n\n\nOpenID Connect Overview\n\n\nWorkflow Manager can use an OpenID Connect (OIDC) provider to handle authentication for users of\nthe web UI and clients of the REST API.\n\n\nConfiguration\n\n\nIn order to use OIDC, Workflow Manager must first be registered with OIDC provider. The exact\nprocess for this varies by provider. As part of the registration process, a client ID and client\nsecret should be provided. Those values should be set in the \nOIDC_CLIENT_ID\n and\n\nOIDC_CLIENT_SECRET\n environment variables. During the registration process the provider will\nlikely request a redirect URI. The redirect URI should be set to the base URI for Workflow Manager\nwith \n/login/oauth2/code/provider\n appended.\n\n\nThe documentation for the OIDC provider should specify the base URI a client should use to\nauthenticate users. The URI should be set in the \nOIDC_ISSUER_URI\n environment variable. To verify\nthe URI is correct, check that the JSON discovery document is returned when sending an HTTP GET\nrequest to the URI with \n/.well-known/openid-configuration\n appended.\n\n\nAfter a user or REST client authenticates with the OIDC provider, Workflow Manager will check for a\nclaim with a specific value to determine if the user is authorized to access Workflow Manager and\nwith what role. The \nOIDC_USER_CLAIM_NAME\n and \nOIDC_ADMIN_CLAIM_NAME\n environment variables\nspecify the name of the claim that must be present. The \nOIDC_USER_CLAIM_VALUE\n and\n\nOIDC_ADMIN_CLAIM_VALUE\n environment variables specify the required value of the claim.\n\n\nWorkflow Manager Environment Variables\n\n\n\n\nOIDC_ISSUER_URI\n (Required): URI for the OIDC provider that will be used to authenticate users\n through the web UI. 
If \nOIDC_JWT_ISSUER_URI\n is not set, \nOIDC_ISSUER_URI\n will also be used to\n authenticate REST clients. The OIDC configuration endpoint must exist at the value of\n \nOIDC_ISSUER_URI\n with \n/.well-known/openid-configuration\n appended.\n\n\nOIDC_JWT_ISSUER_URI\n (Optional): Works the same way as \nOIDC_ISSUER_URI\n, except that the\n configuration will only be used to authenticate REST clients. When not provided,\n \nOIDC_ISSUER_URI\n will be used. This would be used when the authentication provider's endpoint\n for user authentication is different from the endpoint for authentication of REST clients.\n\n\nOIDC_CLIENT_ID\n (Required): The client ID that Workflow Manager will use to authenticate with\n the OIDC provider.\n\n\nOIDC_CLIENT_SECRET\n (Required): The client secret Workflow Manager will use to authenticate\n with the OIDC provider.\n\n\nOIDC_USER_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n that is required for a user or REST client to be granted access to Workflow Manager with the\n \nUSER\n role.\n\n\nOIDC_USER_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n \nOIDC_USER_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_ADMIN_CLAIM_NAME\n (Optional): Specifies the name of the claim from the authentication token\n that is required for a user or REST client to be granted access to Workflow Manager with the\n \nADMIN\n role.\n\n\nOIDC_ADMIN_CLAIM_VALUE\n (Optional): Specifies the required value of the claim specified in\n \nOIDC_ADMIN_CLAIM_NAME\n. If the claim is a list, only one of the values in the list must match.\n\n\nOIDC_SCOPES\n (Optional): A comma-separated list of the scopes to be requested from the OIDC\n provider when authenticating a user through the web UI. 
The OIDC specification requires one of\n the scopes to be \nopenid\n, so if this environment variable is omitted or \nopenid\n is not in the\n list, it will be automatically added.\n\n\nOIDC_USER_NAME_ATTR\n (Optional): The name of the claim containing the user name. Defaults to\n \nsub\n.\n\n\nOIDC_REDIRECT_URI\n (Optional): Specifies the URL the user's browser will be redirected to after\n logging in to the OIDC provider. If provided, the URL must end in \n/login/oauth2/code/provider\n.\n This would generally be used when the host name that Workflow Manager uses to connect to the\n OIDC provider is different from the OIDC provider's public host name. The value can use the\n \ntemplate variables supported by Spring.\n\n\n\n\nExample with Keycloak\n\n\nThe following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production.\n\n\n1. Get the Docker gateway IP address by running the command below. It will be used in later steps.\n\n\ndocker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge\n\n\n\n2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n following steps.\n\n\ndocker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n quay.io/keycloak/keycloak:21.1.1 start-dev\n\n\n\n3. Go to \nhttp://localhost:9090/admin\n in a browser and login with username \nadmin\n and\n password \nadmin\n.\n\n\n4. Create a new realm:\n\n\n\n\nCreate a new realm using the drop down box in upper left that says \"master\".\n\n\nUse the realm name you entered and the gateway IP address from step 1 to set Workflow Manager's\n \nOIDC_ISSUER_URI\n environment variable to: \nhttp://:9090/realms/\n\n\n\n\n5. 
Create the client that Workflow Manager will use to authenticate users:\n\n\n\n\nUse the \"Clients\" link in the left menu to create a new client.\n\n\nGeneral Settings:\n\n\nThe \"Client type\" needs to be set to \"OpenID Connect\".\n\n\nEnter a \"Client ID\".\n\n\nSet Workflow Manager's \nOIDC_CLIENT_ID\n environment variable to the client ID you entered.\n\n\n\n\n\n\nCapability config:\n\n\n\"Client authentication\" must be enabled.\n\n\n\"Standard flow\" must be enabled.\n\n\n\"Service accounts roles\" must be enabled so that Workflow Manager can include an OAuth token\n in job completion callbacks and when communicating with TiesDb.\n\n\n\n\n\n\nLogin settings:\n\n\nSet \"Valid redirect URIs\" to\n \nhttp://localhost:8080/login/oauth2/code/provider\n\n\nSet \"Valid post logout redirect URIs\" to \nhttp://localhost:8080\n\n\n\n\n\n\nSet Workflow Manager's \nOIDC_CLIENT_SECRET\n environment variable to the \"Client secret\" in the\n \"Credentials\" tab.\n\n\n\n\n6. Create a Keycloak role that maps to a Workflow Manager role:\n\n\n\n\nUse the \"Realm roles\" link in the left menu to create a new role.\n\n\nIf the Keycloak role should make the user an \nADMIN\n in Workflow Manager, set Workflow\n Manager's \nOIDC_ADMIN_CLAIM_VALUE\n to the role name you just entered. If it should be a\n \nUSER\n, then set the \nOIDC_USER_CLAIM_VALUE\n environment variable.\n\n\nOnly one of \nOIDC_ADMIN_CLAIM_VALUE\n and \nOIDC_USER_CLAIM_VALUE\n need to be set. If you would\n like to set up both roles repeat this step.\n\n\n\n\n7. Include the Keycloak role(s) in the access token:\n\n\n\n\nIn the \"Client scopes\" menu add a mapper to the \"roles\" scope.\n\n\nUse the \"groups\" predefined mapper.\n\n\nThe default name \"Token Claim Name\" is \"groups\". This can be changed.\n\n\nIf you created an \nADMIN\n role in step 6 set \nOIDC_ADMIN_CLAIM_NAME\n to the value in\n \"Token Claim Name\". If you created a \nUSER\n role, do the same for \nOIDC_USER_CLAIM_NAME\n.\n\n\n\n\n8. 
Optionally, set Workflow Manager's \nOIDC_USER_NAME_ATTR\n to \npreferred_username\n to display the\n user name instead of the ID.\n\n\n9. Create Users:\n\n\n\n\nAfter creating a user, set a password in the \"Credentials\" tab.\n\n\nUse the \"Role mapping\" tab to add the user to one of roles created in step 6.\n\n\n\n\n10. Add external REST clients:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\nUse the \"Service account roles\" tab to add the client to one of the roles created in step 6.\n\n\n\n\n\n\n\n\n11. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n redirected to the Keycloak log in page. You can log in using the users created in step 9.\n\n\nTest REST authentication\n\n\nUsing the Docker gateway IP address from step 1, the client ID and secret from step 10, and the\nrealm name from step 4, run the following command:\n\n\ncurl -d grant_type=client_credentials -u ':' 'http://:9090/realms//protocol/openid-connect/token'\n\n\n\nThe response JSON will contain a token in the \n\"access_token\"\n property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example:\n\n\ncurl -H \"Authorization: Bearer \" http://localhost:8080/rest/actions\n\n\n\nUse OAuth when sending job complete callbacks and when posting to TiesDb.\n\n\n1. Create a client for the callback receiver or TiesDb:\n\n\n\n\nUse the \"Clients\" menu to create a new client.\n\n\nCapability config:\n\n\nThe client needs to have \"Client authentication\" and \"Service accounts roles\" enabled.\n\n\n\n\n\n\nConfigure the callback receiver or TiesDb with the client ID and secret.\n\n\n\n\n2. Create a client role:\n\n\n\n\nUse the \"Roles\" tab to add a role to the client that was just created.\n\n\n\n\n3. 
Add the role to the Workflow Manager's client:\n\n\n\n\nGo to the client details page for the client created for Workflow Manager.\n\n\nGo to the \"Service accounts roles\" tab.\n\n\nClick \"Assign role\".\n\n\nChange \"Filter by realm roles\" to \"Filter by clients\".\n\n\nAssign the role created in step 2.\n\n\n\n\n4. Run jobs with the \nCALLBACK_USE_OIDC\n or \nTIES_DB_USE_OIDC\n job properties set to \nTRUE\n.\n\n\nTest callback authentication\n\n\nThe Python script below can be used to test callback authentication. Before running the script you\nmust run \npip install Flask-pyoidc==3.14.2\n. To run the script, you must set the \nOIDC_ISSUER_URI\n,\n\nOIDC_CLIENT_ID\n, and \nOIDC_CLIENT_SECRET\n environment variables. Note that the script configures\nthe \nFlask-pyoidc\n package to authenticate Web users, as required by the package, but we are only\ntesting the authentication of REST clients.\n\n\nOnce the script is running, a user can submit a job via the Workflow Manager Swagger page with the\nfollowing fields to test callbacks:\n\n\n{\n \"callbackMethod\": \"POST\",\n \"callbackURL\": \"http://localhost:5000/api\",\n \"jobProperties\": {\n \"CALLBACK_USE_OIDC\": \"TRUE\"\n }\n}\n\n\n\nimport json\nimport logging\nimport os\n\nfrom flask import Flask, jsonify\nfrom flask_pyoidc.provider_configuration import ProviderConfiguration, ClientMetadata\nfrom flask_pyoidc import OIDCAuthentication\n\nlogging.basicConfig(level=logging.INFO)\n\napp = Flask(__name__)\napp.config.update(\n OIDC_REDIRECT_URI='http://localhost:5000/redirect_uri',\n SECRET_KEY='secret',\n DEBUG=True\n)\n\nauth = OIDCAuthentication({\n 'default': ProviderConfiguration(\n os.getenv('OIDC_ISSUER_URI'),\n client_metadata=ClientMetadata(\n os.getenv('OIDC_CLIENT_ID'), os.getenv('OIDC_CLIENT_SECRET'))\n )\n}, app)\n\n@app.route('/api', methods = ('GET', 'POST'))\n@auth.token_auth('default')\ndef api():\n print(type(auth.current_token_identity))\n print(json.dumps(auth.current_token_identity, 
sort_keys=True, indent=4))\n return jsonify({'message': 'test message'})\n\nif __name__ == '__main__':\n app.run()",
"title": "OpenID Connect Guide"
},
{
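Review bot: the replaced `text` entry changes more than the commit subject's "remove component sections": step 4 now carries the `OIDC_ISSUER_URI` instruction ("Use the realm name you entered and the gateway IP address from step 1 to set Workflow Manager's OIDC_ISSUER_URI environment variable") and "Test REST authentication" now says "client ID and secret from step 10" where the old text said "step 11", so the step list was renumbered; the commit message should mention the renumbering, because anyone with the old guide open will look for a step that no longer exists. Both the old and new `text` values also show the example commands with their placeholders stripped (`http://:9090/realms//protocol/openid-connect/token`, `-u ':'`, `Authorization: Bearer `), which is pre-existing indexer output rather than something this change introduces, but it is worth confirming that the rendered HTML page still shows the gateway IP, realm, client ID, secret and token placeholders the curl commands need.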
@@ -297,12 +297,12 @@
},
{
"location": "/OpenID-Connect-Guide/index.html#example-with-keycloak",
- "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production. 1. Get the Docker gateway IP address by running the command below. It will be used in later steps. docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge 2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n following steps. docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n quay.io/keycloak/keycloak:21.1.1 start-dev 3. Go to http://localhost:9090/admin in a browser and login with username admin and\n password admin . 4. Create a new realm: Create a new realm using the drop down box in upper left that says \"master\". 5. Create the client that Workflow Manager will use to authenticate users: Use the \"Clients\" link in the left menu to create a new client. General Settings: The \"Client type\" needs to be set to \"OpenID Connect\". Enter a \"Client ID\". Set Workflow Manager's OIDC_CLIENT_ID environment variable to the client ID you entered. Capability config: \"Client authentication\" must be enabled. \"Standard flow\" must be enabled. \"Service accounts roles\" must be enabled so that Workflow Manager can include an OAuth token\n in job completion callbacks and when communicating with TiesDb. Login settings: Set \"Valid redirect URIs\" to\n http://localhost:8080/login/oauth2/code/provider Set \"Valid post logout redirect URIs\" to http://localhost:8080 Set Workflow Manager's OIDC_CLIENT_SECRET environment variable to the \"Client secret\" in the\n \"Credentials\" tab. 6. Create a Keycloak role that maps to a Workflow Manager role: Use the \"Realm roles\" link in the left menu to create a new role. 
If the Keycloak role should make the user an ADMIN in Workflow Manager, set Workflow\n Manager's OIDC_ADMIN_CLAIM_VALUE to the role name you just entered. If it should be a\n USER , then set the OIDC_USER_CLAIM_VALUE environment variable. Only one of OIDC_ADMIN_CLAIM_VALUE and OIDC_USER_CLAIM_VALUE need to be set. If you would\n like to set up both roles repeat this step. 7. Include the Keycloak role(s) in the access token: In the \"Client scopes\" menu add a mapper to the \"roles\" scope. Use the \"groups\" predefined mapper. The default name \"Token Claim Name\" is \"groups\". This can be changed. If you created an ADMIN role in step 6 set OIDC_ADMIN_CLAIM_NAME to the value in\n \"Token Claim Name\". If you created a USER role, do the same for OIDC_USER_CLAIM_NAME . 8. Optionally, set Workflow Manager's OIDC_USER_NAME_ATTR to preferred_username to display the\n user name instead of the ID. 9. Create Users: After creating a user, set a password in the \"Credentials\" tab. Use the \"Role mapping\" tab to add the user to one of roles created in step 6. 10. Add external REST clients: Use the \"Clients\" menu to create a new client. Capability config: The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled. Use the \"Service account roles\" tab to add the client to one of the roles created in step 6. 11. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n redirected to the Keycloak log in page. You can log in using the users created in step 9.",
+ "text": "The following example explains how to test Workflow Manager with Keycloak as the OIDC provider.\nIt is just an example and should not be used in production. 1. Get the Docker gateway IP address by running the command below. It will be used in later steps. docker network inspect --format '{{(index .IPAM.Config 0).Gateway}}' bridge 2. Start Keycloak in development mode using the command below. Do not start Workflow Manager yet.\n The values for the OIDC environment variables are dependent on how you set up Keycloak in the\n following steps. docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n quay.io/keycloak/keycloak:21.1.1 start-dev 3. Go to http://localhost:9090/admin in a browser and login with username admin and\n password admin . 4. Create a new realm: Create a new realm using the drop down box in upper left that says \"master\". Use the realm name you entered and the gateway IP address from step 1 to set Workflow Manager's\n OIDC_ISSUER_URI environment variable to: http://:9090/realms/ 5. Create the client that Workflow Manager will use to authenticate users: Use the \"Clients\" link in the left menu to create a new client. General Settings: The \"Client type\" needs to be set to \"OpenID Connect\". Enter a \"Client ID\". Set Workflow Manager's OIDC_CLIENT_ID environment variable to the client ID you entered. Capability config: \"Client authentication\" must be enabled. \"Standard flow\" must be enabled. \"Service accounts roles\" must be enabled so that Workflow Manager can include an OAuth token\n in job completion callbacks and when communicating with TiesDb. Login settings: Set \"Valid redirect URIs\" to\n http://localhost:8080/login/oauth2/code/provider Set \"Valid post logout redirect URIs\" to http://localhost:8080 Set Workflow Manager's OIDC_CLIENT_SECRET environment variable to the \"Client secret\" in the\n \"Credentials\" tab. 6. 
Create a Keycloak role that maps to a Workflow Manager role: Use the \"Realm roles\" link in the left menu to create a new role. If the Keycloak role should make the user an ADMIN in Workflow Manager, set Workflow\n Manager's OIDC_ADMIN_CLAIM_VALUE to the role name you just entered. If it should be a\n USER , then set the OIDC_USER_CLAIM_VALUE environment variable. Only one of OIDC_ADMIN_CLAIM_VALUE and OIDC_USER_CLAIM_VALUE need to be set. If you would\n like to set up both roles repeat this step. 7. Include the Keycloak role(s) in the access token: In the \"Client scopes\" menu add a mapper to the \"roles\" scope. Use the \"groups\" predefined mapper. The default name \"Token Claim Name\" is \"groups\". This can be changed. If you created an ADMIN role in step 6 set OIDC_ADMIN_CLAIM_NAME to the value in\n \"Token Claim Name\". If you created a USER role, do the same for OIDC_USER_CLAIM_NAME . 8. Optionally, set Workflow Manager's OIDC_USER_NAME_ATTR to preferred_username to display the\n user name instead of the ID. 9. Create Users: After creating a user, set a password in the \"Credentials\" tab. Use the \"Role mapping\" tab to add the user to one of roles created in step 6. 10. Add external REST clients: Use the \"Clients\" menu to create a new client. Capability config: The client needs to have \"Client authentication\" and \"Service accounts roles\" enabled. Use the \"Service account roles\" tab to add the client to one of the roles created in step 6. 11. Start Workflow Manager. When you initially navigate to Workflow Manager, you will be\n redirected to the Keycloak log in page. You can log in using the users created in step 9.",
"title": "Example with Keycloak"
},
{
"location": "/OpenID-Connect-Guide/index.html#test-rest-authentication",
- "text": "Using the Docker gateway IP address from step 1, the client ID and secret from step 11, and the\nrealm name from step 4, run the following command: curl -d grant_type=client_credentials -u ':' 'http://:9090/realms//protocol/openid-connect/token' The response JSON will contain a token in the \"access_token\" property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example: curl -H \"Authorization: Bearer \" http://localhost:8080/rest/actions",
+ "text": "Using the Docker gateway IP address from step 1, the client ID and secret from step 10, and the\nrealm name from step 4, run the following command: curl -d grant_type=client_credentials -u ':' 'http://:9090/realms//protocol/openid-connect/token' The response JSON will contain a token in the \"access_token\" property. That token needs to be\nincluded as a bearer token in REST requests to Workflow Manager. For example: curl -H \"Authorization: Bearer \" http://localhost:8080/rest/actions",
"title": "Test REST authentication"
},
{
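Review bot: the sentence added to step 4 is indexed as "set Workflow Manager's OIDC_ISSUER_URI environment variable to: http://:9090/realms/", a URL with an empty host and realm, and the test-rest-authentication entry likewise loses the values in `-u ':'` and `Bearer `; if the Markdown source writes these as angle-bracket tokens, consider escaping them or putting them in code spans so the generated search index keeps them. The reference change from "step 11" to "step 10" is consistent with the renumbered list in this same entry, where step 10 is "Add external REST clients" and step 11 is "Start Workflow Manager". Two wording problems carried over unchanged into the new text should be fixed in the Markdown source rather than in this generated file: "Only one of OIDC_ADMIN_CLAIM_VALUE and OIDC_USER_CLAIM_VALUE need to be set" should read "needs to be set", and "add the user to one of roles created in step 6" is missing "the".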
diff --git a/docs/site/sitemap.xml b/docs/site/sitemap.xml
index 0fd5dee3ce79..c193442b4a7e 100644
--- a/docs/site/sitemap.xml
+++ b/docs/site/sitemap.xml
@@ -2,162 +2,162 @@
/index.html
- 2025-03-21
+ 2025-03-24
daily
/Release-Notes/index.html
- 2025-03-21
+ 2025-03-24
daily
/License-And-Distribution/index.html
- 2025-03-21
+ 2025-03-24
daily
/Acknowledgements/index.html
- 2025-03-21
+ 2025-03-24
daily
/Install-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Admin-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/User-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/OpenID-Connect-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Media-Segmentation-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Feed-Forward-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Derivative-Media-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Object-Storage-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Markup-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/TiesDb-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Trigger-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Roll-Up-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Health-Check-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Artifact-Extraction-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Quality-Selection-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Media-Selectors-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/REST-API/index.html
- 2025-03-21
+ 2025-03-24
daily
/Component-API-Overview/index.html
- 2025-03-21
+ 2025-03-24
daily
/Component-Descriptor-Reference/index.html
- 2025-03-21
+ 2025-03-24
daily
/CPP-Batch-Component-API/index.html
- 2025-03-21
+ 2025-03-24
daily
/Python-Batch-Component-API/index.html
- 2025-03-21
+ 2025-03-24
daily
/Java-Batch-Component-API/index.html
- 2025-03-21
+ 2025-03-24
daily
/GPU-Support-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Contributor-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Development-Environment-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Node-Guide/index.html
- 2025-03-21
+ 2025-03-24
daily
/Workflow-Manager-Architecture/index.html
- 2025-03-21
+ 2025-03-24
daily
/CPP-Streaming-Component-API/index.html
- 2025-03-21
+ 2025-03-24
daily
\ No newline at end of file
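Review bot: every `lastmod` in the sitemap moves from 2025-03-21 to 2025-03-24, including the pages this patch does not otherwise touch, so this hunk is site-regeneration noise rather than part of the OIDC guide change; either leave the regenerated sitemap out of a docs-content commit or regenerate all of `docs/site` in one step so the dates stay consistent with the rendered pages. The `\ No newline at end of file` marker shows the generator writes the sitemap without a trailing newline; harmless, but it will keep appearing in every diff of this file.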