Update BioID.md

docs/source/admin-guide/certificate.md

@@ -87,7 +87,7 @@
         The private key cannot be password protected, and the public key must be base64 X.509. 
 
     !!! Note
-        Please backup your full `/etc/certs` directory and `cacerts` file under `/opt/jdkx.y.z/jre/lib/security/` folder before updating certificates.
+        Please backup your full `/etc/certs` directory and `cacerts` file under `/opt/amazon-corretto-x.x.x.x/jre/lib/security/` folder before updating certificates.
 
     Please follow these steps shown below to update the Apache SSL cert:
 
@@ -96,9 +96,9 @@
     - Import 'httpd.der' into the Java Keystore
     / Convertion to DER, command:<br/> `openssl x509 -outform der -in httpd.crt -out httpd.der`
         - Delete the existing certificate to avoid ambiguity due to presence of 2 different certificates for the same entity after importing the new one: 
-        `/opt/jdkx.x.x.x/jre/bin/keytool -delete -alias <hostname_of_your_Gluu_Server>_httpd -keystore /opt/jdkx.x.x.x/jre/lib/security/cacerts -storepass changeit`
+        `/opt/jre/bin/keytool -delete -alias <hostname_of_your_Gluu_Server>_httpd -keystore /opt/jre/lib/security/cacerts -storepass changeit`
         - Import certificate into the Java Keystore(cacerts):
-        `/opt/jdkx.x.x.x/jre/bin/keytool -importcert -file httpd.der -keystore /opt/jdkx.x.x.x/jre/lib/security/cacerts -alias <hostname_of_your_Gluu_Server>_httpd -storepass changeit`
+        `/opt/jre/bin/keytool -importcert -file httpd.der -keystore /opt/jre/lib/security/cacerts -alias <hostname_of_your_Gluu_Server>_httpd -storepass changeit`
     - [Restart](../operation/services.md#restart) `opendj`, `apache2/httpd`, `oxauth` and `identity` services.
 
     ## Install Intermediate Certificates
@@ -142,7 +142,7 @@
                       restartPolicy: Never
                       containers:
                         - name: web-key-rotation
-                          image: gluufederation/certmanager:4.2.0_dev
+                          image: gluufederation/certmanager:4.2.0_01
                           envFrom:
                           - configMapRef:
                               name: gluu-config-cm # This may be differnet in Helm
@@ -194,7 +194,7 @@
                               path: gluu_https.key                              
                       containers:
                         - name: load-web-key-rotation
-                          image: gluufederation/certmanager:4.2.0_dev
+                          image: gluufederation/certmanager:4.2.0_01
                           envFrom:
                           - configMapRef:
                               name: gluu-config-cm  #This may be differnet in Helm
@@ -242,7 +242,7 @@
                     spec:
                       containers:
                         - name: oxauth-key-rotation
-                          image: gluufederation/certmanager:4.2.0_dev
+                          image: gluufederation/certmanager:4.2.0_01
                           resources:
                             requests:
                               memory: "300Mi"
@@ -292,7 +292,7 @@
                   restartPolicy: Never
                   containers:
                     - name: oxshibboleth-key-rotation
-                      image: gluufederation/certmanager:4.2.0_dev
+                      image: gluufederation/certmanager:4.2.0_01
                       envFrom:
                       - configMapRef:
                           name: gluu-config-cm
@@ -334,7 +334,7 @@
                   restartPolicy: Never
                   containers:
                     - name: oxd-key-rotation
-                      image: gluufederation/certmanager:4.2.0_dev
+                      image: gluufederation/certmanager:4.2.0_01
                       envFrom:
                       - configMapRef:
                           name: gluu-config-cm
@@ -375,7 +375,7 @@
                   restartPolicy: Never
                   containers:
                     - name: ldap-key-rotation
-                      image: gluufederation/certmanager:4.2.0_dev
+                      image: gluufederation/certmanager:4.2.0_01
                       envFrom:
                       - configMapRef:
                           name: gluu-config-cm
@@ -417,7 +417,7 @@
                   restartPolicy: Never
                   containers:
                     - name: passport-key-rotation
-                      image: gluufederation/certmanager:4.2.0_dev
+                      image: gluufederation/certmanager:4.2.0_01
                       envFrom:
                       - configMapRef:
                           name: gluu-config-cm
@@ -454,7 +454,7 @@
                   restartPolicy: Never
                   containers:
                     - name: scim-key-rotation
-                      image: gluufederation/certmanager:4.2.0_dev
+                      image: gluufederation/certmanager:4.2.0_01
                       envFrom:
                       - configMapRef:
                           name: gluu-config-cm
@@ -465,4 +465,4 @@
 
             ```bash
                 kubectl apply -f scim-key-rotation.yaml -n <gluu-namespace>
-            ```        
+            ```        

docs/source/admin-guide/custom-script.md

@@ -10,6 +10,10 @@ Interception scripts are written in [Jython](http://www.jython.org), enabling Ja
 
 While the syntax of the script requires Python, most of the functionality can be written in Java. If Python classes are imported, they must be "pure python." For example, a class that wraps C libraries can not be imported.
 
+!!! Note
+    If Python classes are imported, they must be "pure Python." For example, a class that wraps C libraries can not be imported. The same goes for Python packages which require `cython` during compiling.
+
+
 ### Methods
 There are three methods that inherit a base interface:
 
@@ -191,7 +195,11 @@ First oxTrust executes the `initRegistration` method to do an initial user entry
 
 oxAuth implements the [OpenID Connect dynamic client registration](https://openid.net/specs/openid-connect-registration-1_0.html) specification. All new clients have the same default access scopes and attributes except password and client ID. The Client Registration script allows an admin to modify this limitation. In this script it is possible to get a registration request, analyze it, and apply customizations to registered clients. For example, a script can give access to specified scopes if `redirect_uri` belongs to a specified service or domain.
 
-This script type adds only one method to the base script type:
+This script type adds following methods to the base script type:
+- `def createClient(self, registerRequest, client, configurationAttributes)` - called during client creation 
+- `def updateClient(self, registerRequest, client, configurationAttributes)` - called during client update
+- `def getSoftwareStatementHmacSecret(self, context)` - Returns secret key which will be used to validate Software Statement if HMAC algorithm is used (e.g. HS256, HS512). Invoked if oxauth conf property softwareStatementValidationType=SCRIPT which is default/fallback value. `context` is reference of `org.gluu.oxauth.service.external.context.DynamicClientRegistrationContext` (in https://github.com/GluuFederation/oxauth project )
+- `def getSoftwareStatementJwks(self, context)` - Returns JWKS which will be used to validate Software Statement if keys are used (e.g. RS256). Invoked if oxauth conf property softwareStatementValidationType=SCRIPT which is default/fallback value. `context` is reference of org.gluu.oxauth.service.external.context.DynamicClientRegistrationContext (in https://github.com/GluuFederation/oxauth project )
 
 |Method|`def updateClient(self, registerRequest, client, configurationAttributes)`|
 |---|---|

docs/source/admin-guide/device-authz-grant.md

@@ -157,6 +157,7 @@ Content-Type: application/json
 Server: Jetty(9.4.19.v20190610)
 
 {"access_token":"c31fc092-453b-4275-a36f-b2740c3eb1a6","id_token":"eyJraWQiOiJlY4.2Tc4NDgxYy05OTJkLTRmN2UtYTkzMS03NjM2NTYyMzgwZjVfc2lnX3JzMjU2IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoidWdMSnAzMkxXdnI4QUdlbmdNTlF3QSIsImF1ZCI6IjEyMy0xMjMtMTIzIiwic3ViIjoiM2M2M25HdWZnWFNkMWFwNU81NFZkVjlUUDdmdjJHc0YtLWl0eVBHeFJBTSIsImlzcyI6Imh0dHBzOi8vdGVzdC5nbHV1Lm9yZzo4NDQzIiwiZXhwIjoxNTk1NjQzOTg0LCJpYXQiOjE1OTU2NDAzODQsIm94T3BlbklEQ29ubmVjdFZlcnNpb24iOiJvcGVuaWRjb25uZWN0LTEuMCJ9.fElZtuUslhSSuqTOuvGeafG4QuQoHKLpya25RHWkC5V9Xf9ODYa6tD_Tdav2D9Gff2Zz7pt8WKso-WYOqmJ3NrgMoVU7d1SMj6pYGilTL1JokjB18Yw1TI6oR6Z4wegy8_ajftLLhqosI5-ZE36TzPwoAKzjPl-iZEpV2U1OPHWZrdwc9N3YOyO0I_IJGQmFnXC_oacitMV2VZaTxfuCew5cPwNp5durooFNvv3DPzc9JYEctmaLsiRtfqN7pCaV30B3hnYTYZ4p2HNsUbOewBI8_Brm1v1CByitQPUFqETgmPGbf4HCTEoaH-7DfaXnAsePt73blNwJrlTlUBieew","token_type":"bearer","expires_in":299}
+
 ```
 
 **Access denied**

docs/source/admin-guide/openid-connect.md

@@ -97,6 +97,18 @@ To manage this feature in oxTrust, navigate to `Configuration` > `JSON Configura
 
 Expiration of dynamically registered clients is controlled by the `dynamicRegistrationExpirationTime` property, which can also be found in the oxAuth configuration table. Find more details about these oxAuth properties and others in the [reference section](../reference/JSON-oxauth-prop.md).
 
+
+##### Software statement
+
+A software statement is a JSON Web Token (JWT) that asserts metadata values about the client software as a bundle and can be passed during registration.
+
+There are following options for software statement validation:
+
+- `softwareStatementValidationType=script` - The default (since 4.2.1), JWKs and HMAC secret are returned by [dynamic client registration script](https://github.com/GluuFederation/community-edition-setup/blob/version_4.2.1/static/extension/client_registration/SampleScript.py)
+- `softwareStatementValidationType=jwks_uri`, allows to specify `jwks_uri` claim name from `software_statement`. Claim name specified by `softwareStatementValidationClaimName` configuration property
+- `softwareStatementValidationType=jwks`, allows to specify `jwks` claim name from `software_statement`. Claim name specified by `softwareStatementValidationClaimName` configuration property
+- `softwareStatementValidationType=none`, no validation
+
 ### Customizing client registration
 
 During client registration, custom interception scripts can be used to implement custom business logic. For instance, data could be validated, extra client claims could be populated, scopes could be modified, or APIs could be called to determine whether the client should get registered at all.

docs/source/admin-guide/saml.md

@@ -16,7 +16,7 @@ In order to support SAML SSO, the Gluu Server must include the Shibboleth SAML I
 
 - During a fresh Gluu Server installation, simply opt in when prompted for Shibboleth. 
 
-- To add Shibboleth to an existing Gluu Server deployment, follow [these instructions](../operation/faq.md/#adding-passportjs-andor-shibboleth-idp-post-installation). 
+- To add Shibboleth to an existing Gluu Server deployment, follow [these instructions](../operation/faq.md#adding-passportjs-andor-shibboleth-idp-post-installation). 
 
 In addition, the target application must also support SAML. If the app doesn't already support SAML, see the section below about [SAML SP software](#saml-sp). 
 

docs/source/admin-guide/sample-client-registration-script.py

@@ -53,8 +53,15 @@ def updateClient(self, registerRequest, client, configurationAttributes):
 
         return True
 
-    def logout(self, configurationAttributes, requestParameters):
-        return True
-
     def getApiVersion(self):
         return 1
+
+    # Returns secret key which will be used to validate Software Statement if HMAC algorithm is used (e.g. HS256, HS512). Invoked if oxauth conf property softwareStatementValidationType=SCRIPT which is default/fallback value.
+    # context is reference of org.gluu.oxauth.service.external.context.DynamicClientRegistrationContext (in https://github.com/GluuFederation/oxauth project )
+    def getSoftwareStatementHmacSecret(self, context):
+        return ""
+
+    # Returns JWKS which will be used to validate Software Statement if keys are used (e.g. RS256). Invoked if oxauth conf property softwareStatementValidationType=SCRIPT which is default/fallback value.
+    # context is reference of org.gluu.oxauth.service.external.context.DynamicClientRegistrationContext (in https://github.com/GluuFederation/oxauth project )
+    def getSoftwareStatementJwks(self, context):
+        return ""

docs/source/authn-guide/BioID.md

@@ -6,7 +6,7 @@ In order to use this authentication mechanism your organization will need to reg
 
 ## Prerequisites
 - A Gluu Server ([installation instructions](../installation-guide/index.md));
-- [BioID interception script](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/bioID/BioIDExternalAuthenticator.py) (included in the default Gluu Server distribution);
+- [BioID interception script](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/bioid/BioIDExternalAuthenticator.py) (included in the default Gluu Server distribution);
 - An account with [BioID](https://bwsportal.bioid.com/register).   
 
 ## Properties
@@ -70,3 +70,10 @@ Now applications can request BioID's biometric authentication. To make BioID bio
 You can change one or both fields to BioID authentication as you see fit. If you want BioID to be the default authentication mechanism for access to oxTrust and all other applications that leverage your Gluu Server, change both fields to bioid.  
 
 ![BioID](../img/admin-guide/multi-factor/bioid.png)
+
+## Testing the script
+If you use the default BioID interception script, a user's facial and periocular traits are enrolled during the first authentication attempt. Subsequently, the user's facial and periocular traits are verified.
+
+1. Enrolling Biometric traits
+
+2. Validating a user based on their biometric traits:

docs/source/authn-guide/inbound-oauth-passport.md

@@ -12,7 +12,8 @@ Make sure the Gluu Server installation already has [Passport installed](./passpo
     - In oxTrust, navigate to `Configuration` > `Person Authentication Scripts`          
     - Expand the script labelled `passport_social`, check `enabled`, and click `Update`    
     ![Enable passport_social](../img/user-authn/passport/enable-passport_social.png)     
-    - Navigate to the `UMA RPT Policies` tab, expand the script labelled `scim_access_policy`, check `enabled`, and click `Update`       
+    - Navigate to the `Configuration` > `Other Custom Scripts`, then click the `UMA RPT Policies` tab
+    - Expand the script labeled `scim_access_policy`, check `enabled`, and click `Update`       
 
 1. Enable Passport support:    
 

docs/source/authn-guide/intro.md

@@ -102,3 +102,20 @@ Learn how to customize the look and feel of Gluu Server login pages in the [Desi
 ## Revert Authentication 
 
 New authentication flows and methods should **always** be tested in a different browser to reduce the chance of lockout. However, in case you find yourself locked out of the GUI, refer to the [revert authentication mechanism docs](../operation/faq.md#revert-an-authentication-method). 
+
+## Extending the Authentication Flow
+
+The oxAuth Person Authenticator Script (ACR) interface includes methods extend the user authentication flow. There are two entry points of this flow, `prepareForStep` and `authenticate`.
+
+oxAuth calls `prepareForStep` from XTHML, and its role is to prepare data to render the login page or redirect to a third party system for authentication. 
+
+oxAuth expects `authenticate` to call from the login page or from `/oxauth/postlogin.htm` (the callback from a third party system). Its role is to verify user data that is submitted by the user.
+
+The following diagram demonstrates the `authenticate` flow:
+
+[![authenticate flow diagram](../img/user-authn/authn_authenticate_flow.png)](../img/user-authn/authn_authenticate_flow.png))
+
+The following diagram demonstrates the `prepareForStep` flow:
+
+[![prepareForStep flow diagram](../img/user-authn/authn_prepareforstep_flow.png)](../img/user-authn/authn_prepareforstep_flow.png)
+