Merge pull request #1264 from ITfoxtec/test

Test

Author: Revsgaard

FoxIDs.sln

@@ -75,6 +75,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{CB5D86A0-D
 		docs\email.md = docs\email.md
 		docs\extended-ui.md = docs\extended-ui.md
 		docs\external-login.md = docs\external-login.md
+		docs\external-password-api.md = docs\external-password-api.md
 		docs\faq.md = docs\faq.md
 		docs\foxids-dev.md = docs\foxids-dev.md
 		docs\foxids-inside.md = docs\foxids-inside.md
@@ -100,6 +101,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{CB5D86A0-D
 		docs\samples.md = docs\samples.md
 		docs\standard-support.md = docs\standard-support.md
 		docs\token-exchange.md = docs\token-exchange.md
+		docs\users-external.md = docs\users-external.md
+		docs\users-internal.md = docs\users-internal.md
 		docs\users-upload.md = docs\users-upload.md
 		docs\users.md = docs\users.md
 		docs\_sidebar.md = docs\_sidebar.md
@@ -136,6 +139,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
 		docs\images\configure-external-claims-config.png = docs\images\configure-external-claims-config.png
 		docs\images\configure-external-login-config.png = docs\images\configure-external-login-config.png
 		docs\images\configure-external-login-ui.png = docs\images\configure-external-login-ui.png
+		docs\images\configure-external-password-api.png = docs\images\configure-external-password-api.png
+		docs\images\configure-failing-login-lockout.png = docs\images\configure-failing-login-lockout.png
 		docs\images\configure-foxids_control_api.png = docs\images\configure-foxids_control_api.png
 		docs\images\configure-implicit-code-flow.png = docs\images\configure-implicit-code-flow.png
 		docs\images\configure-jwt-saml-mappings.png = docs\images\configure-jwt-saml-mappings.png
@@ -155,6 +160,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
 		docs\images\configure-oauth-resource.png = docs\images\configure-oauth-resource.png
 		docs\images\configure-oidc-auth-method.png = docs\images\configure-oidc-auth-method.png
 		docs\images\configure-oidc-lifetime.png = docs\images\configure-oidc-lifetime.png
+		docs\images\configure-password-policy.png = docs\images\configure-password-policy.png
 		docs\images\configure-plan-tenant.png = docs\images\configure-plan-tenant.png
 		docs\images\configure-plan.png = docs\images\configure-plan.png
 		docs\images\configure-resource-scopes-client.png = docs\images\configure-resource-scopes-client.png

docs/claim-transform-task.md

@@ -104,23 +104,17 @@ If the base URL for the API is `https://somewhere.org/myclaimsstore` the URL for
   *The outgoing IP address can be changed and more can be added over time.*
 
 #### Request
-The API call is secured with [HTTP Basic authentication scheme](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) where FoxIDs sends the ID `external_claims` as the username and the configured secret as the password.
+Secured with [HTTP Basic auth](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1): username `external_claims`, password = configured secret.
 
 The API is called with HTTP POST and a JSON body.
 
 This is a request JSON body with two input claims:
 ```JSON
 {
- "claims": [
-        {
-            "type": "sub",
-            "value": "1b1ac05e-5937-4939-a49c-0e84a89662df"
-        },
-        {
-            "type": "email",
-            "value": "[email protected]"
-        }
-    ]
+  "claims": [
+    { "type": "sub", "value": "1b1ac05e-5937-4939-a49c-0e84a89662df" },
+    { "type": "email", "value": "[email protected]" }
+  ]
 }
 ```
 
@@ -131,41 +125,26 @@ For example, the user's sub (user ID / username), customer ID and roles:
 ```JSON
 {
     "claims": [
-        {
-            "type": "sub",
-            "value": "somewhere/[email protected]"
-        },
-        {
-            "type": "customer_id",
-            "value": "1234abcd"
-        },
-        {
-            "type": "role",
-            "value": "admin_access"
-        },
-        {
-            "type": "role",
-            "value": "read_access"
-        },
-        {
-            "type": "role",
-            "value": "write_access"
-        }
+        { "type": "sub", "value": "somewhere/[email protected]" },
+        { "type": "customer_id", "value": "1234abcd" },
+        { "type": "role", "value": "admin_access" },
+        { "type": "role", "value": "read_access" },
+        { "type": "role", "value": "write_access" }
     ]
 }
 ```
 
 #### Response - Error 
-The API must return HTTP code 401 (Unauthorized) and an `error` (required) if the Basic authentication is rejected. Optionally add an error description in `ErrorMessage`.
+The API must return HTTP code 401 (Unauthorized) and an `error` (required) if the Basic auth is rejected. Optionally add an error description in `ErrorMessage`.
 ```JSON
 {
     "error": "invalid_api_id_secret",
     "ErrorMessage": "Invalid API ID or secret"
 }
 ```
 
-If other errors occur, the API should return HTTP code 500 or another appropriate error code. 
-It is recommended to add a technical error message in `ErrorMessage`. The error message can then later be found in the FoxIDs logs.  
+If other errors occur, the API should return HTTP code 500 or another appropriate error code.  
+It is recommended to add a technical error message `ErrorMessage` for diagnostics (it is only logged; never shown to the end user).
 
 > Error messages returned from the API in `ErrorMessage` is NOT displayed for the user only logged.
 

docs/description.md

@@ -1,24 +1,24 @@
-**FoxIDs is a Identity Service (IDS) with support for [OAuth 2.0](oauth-2.0.md), [OpenID Connect 1.0](oidc.md) and [SAML 2.0](saml-2.0.md).**
+**FoxIDs is an Identity Service (IDS) with support for [OAuth 2.0](oauth-2.0.md), [OpenID Connect 1.0](oidc.md) and [SAML 2.0](saml-2.0.md).**
 
 > Hosted in Europe / Ownership and data in Europe.
 
-FoxIDs is both an [authentication](login.md) platform and a security broker where FoxIDs support [converting](bridge.md) between OpenID Connect 1.0 and SAML 2.0.
+FoxIDs is both an [authentication](login.md) platform and a security broker where FoxIDs supports [converting](bridge.md) between OpenID Connect 1.0 and SAML 2.0.
 
-FoxIDs is designed as service with multi-tenant support. Your tenant holds your environments (prod, QA, test, dev or corporate, external-idp, app-a, app-b) and possible [interconnect](howto-environmentlink-foxids.md) the environments.  
+FoxIDs is designed as a service with multi-tenant support. Your tenant holds your environments (prod, QA, test, dev or corporate, external-idp, app-a, app-b) and can optionally [interconnect](howto-environmentlink-foxids.md) the environments.  
 Each environment is an Identity Provider with a [user repository](users.md) and a unique [certificate](certificates.md). 
-An environment can be connected to external Identity Provider with [OpenID Connect 1.0](auth-method-oidc.md) or [SAML 2.0](auth-method-saml-2.0.md) authentication methods. 
+An environment can be connected to an external Identity Provider with [OpenID Connect 1.0](auth-method-oidc.md) or [SAML 2.0](auth-method-saml-2.0.md) authentication methods. 
 The environment is configured as the IdP for applications and APIs with [OAuth 2.0](app-reg-oauth-2.0.md), [OpenID Connect 1.0](app-reg-oidc.md) or [SAML 2.0](app-reg-saml-2.0.md) application registrations.  
 The user's [log in](login.md) experience is configured and optionally [customised](customisation.md).
 
 > Take a look at the FoxIDs test configuration in FoxIDs Control: [https://control.foxids.com/test-corp](https://control.foxids.com/test-corp)  
 > Get read access with the user `[email protected]` and password `TestAccess!`
 
-FoxIDs consist of two services:
+FoxIDs consists of two services:
 
 - [FoxIDs](connections.md) - identity service, which handles user log in, OAuth 2.0, OpenID Connect 1.0 and SAML 2.0.
 - [FoxIDs Control](control.md), which is used to configure FoxIDs in a user interface or by calling an API.
 
-Hosting:
+Hosting options:
 
 - FoxIDs SaaS is available at [FoxIDs Cloud](https://www.foxids.com/action/signup) as an Identity Service (IDS).  
 - You can [deploy](deployment.md) FoxIDs anywhere using Docker or Kubernetes (K8s).
@@ -28,17 +28,17 @@ Hosting:
 ## Source code available 
 
 The FoxIDs source code is available at the [GitHub repository](https://github.com/ITfoxtec/FoxIDs). 
-The [license](https://github.com/ITfoxtec/FoxIDs/blob/main/LICENSE) grant all the right to install and use FoxIDs for non-production. The license grant small companies including, personal projects and non-profit educational institutions the right to install and use FoxIDs in production.
+The [license](https://github.com/ITfoxtec/FoxIDs/blob/main/LICENSE) grants you the right to install and use FoxIDs for non-production. The license grants small companies, personal projects, and non-profit educational institutions the right to install and use FoxIDs in production.
 
 ## Selection by URL
-The [structure](foxids-inside.md#structure) of FoxIDs separates the different tenants, environments and [connections](connections.md) which is selected with URL elements. 
+The [structure](foxids-inside.md#structure) of FoxIDs separates the different tenants, environments and [connections](connections.md), which are selected via URL elements. 
 
 If FoxIDs is hosted on e.g., `https://foxidsxxxx.com/` the tenants are separated in the first path element of the URL `https://foxidsxxxx.com/tenant-x/`. 
 The environments are separated under each tenant in the second path element of the URL `https://foxidsxxxx.com/tenant-x/environment-y/`.
 
-An application registration is call by adding the application registration name as the third path element in the URL `https://foxidsxxxx.com/tenant-x/environment-y/application-z/`.  
-An authentication method is call by adding the authentication method name insight round brackets as the third path element in the URL `https://foxidsxxxx.com/tenant-x/environment-y/(auth-method-s)/`. 
-If FoxIDs handles a authentication method sequence resulting in a session cookie the same URL notation is used to lock the cookie to the URL.
+An application registration is called by adding the application registration name as the third path element in the URL `https://foxidsxxxx.com/tenant-x/environment-y/application-z/`.  
+An authentication method is called by adding the authentication method name inside round brackets as the third path element in the URL `https://foxidsxxxx.com/tenant-x/environment-y/(auth-method-s)/`. 
+If FoxIDs handles an authentication method sequence resulting in a session cookie the same URL notation is used to lock the cookie to the URL.
 
 When a client (application) starts an OpenID Connect or SAML 2.0 login sequence it needs to specify by which authentication method the user should authenticate. 
 The authentication method is selected by adding the authentication method name in round brackets in the URLs third path element after the application registration name `https://foxidsxxxx.com/tenant-x/environment-y/application-z(auth-method-s)/`.  
@@ -50,7 +50,7 @@ Selecting multiple authentication methods:
   in the URL after the application registration name `https://foxidsxxxx.com/tenant-x/environment-y/application-z(auth-method-s1,auth-method-s2,auth-method-s3,auth-method-s4)/`
 - Select an authentication methods profile by adding the authentication method `+` profile instead of just the authentication method in the URL `https://foxidsxxxx.com/tenant-x/environment-y/application-z(auth-method-s+profile-u)/`
 
-> The allowed authentication methods is configured in each [application registration](connections.md#application-registration).
+> The allowed authentication methods are configured in each [application registration](connections.md#application-registration).
 
-A client using client credentials as authorization grant would not specify the authentication method. 
+A client using the client credentials authorization grant would not specify the authentication method. 
 It is likewise optional to specify the authentication method when calling an OpenID Connect discovery document or a SAML 2.0 metadata endpoint.