docs: configure registry auth and authz with azure ad (#4295)

* docs: how to configure registry auth and authn with ms azure ad

* build(deps-dev): bump the ui-dependencies group (#4292)

Bumps the ui-dependencies group in /ui/tests with 2 updates: [@playwright/test](https://github.com/microsoft/playwright) and [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node).

Updates `@playwright/test` from 1.41.1 to 1.41.2
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.41.1...v1.41.2)

Updates `@types/node` from 20.11.15 to 20.11.16
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@playwright/test"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: ui-dependencies
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: ui-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: add missing config steps and clean up formatting

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: 2 people

docs/modules/ROOT/nav.adoc

@@ -9,6 +9,7 @@
 * Migration
 ** xref:getting-started/assembly-migrating-registry-v1-v2.adoc[]
 * Configuration
+** xref:getting-started/assembly-configuring-registry-security.adoc[]
 ** xref:getting-started/assembly-configuring-the-registry.adoc[]
 * Client applications
 ** xref:getting-started/assembly-managing-registry-artifacts-ui.adoc[]

docs/modules/ROOT/pages/getting-started/assembly-configuring-registry-security.adoc

@@ -0,0 +1,19 @@
+// Metadata created by nebel
+include::{mod-loc}shared/all-attributes.adoc[]
+
+[id="configuring-registry-security_{context}"]
+= Configuring {registry} security options
+
+[role="_abstract"]
+This chapter explains how to set configuration options for {registry} security. For example, this includes authentication in {keycloak} or Microsoft Azure Active Directory and role-based authorization in {registry}. 
+
+* xref:registry-security-keycloak_{context}[]
+* xref:registry-security-azure_{context}[]
+* xref:registry-security-settings_{context}[]
+
+NOTE: For a list of all available configuration options, see {registry-config-reference}.
+
+//INCLUDES
+include::{mod-loc}getting-started/proc-configuring-registry-security-keycloak.adoc[leveloffset=+1]
+include::{mod-loc}getting-started/proc-configuring-registry-security-azure.adoc[leveloffset=+1]
+include::{mod-loc}getting-started/ref-registry-security-configuration.adoc[leveloffset=+1]

docs/modules/ROOT/pages/getting-started/assembly-configuring-the-registry.adoc

@@ -5,10 +5,8 @@ include::{mod-loc}shared/all-attributes.adoc[]
 = Configuring your {registry} deployment
 
 [role="_abstract"]
-This chapter explains how to set important configuration options for {registry}. This includes features such as authentication and authorization, logging, events, and health checks: 
+This chapter explains how to set important configuration options for your {registry} deployment. This includes features such as the {registry} web console, logging, events, and health checks: 
 
-* xref:registry-security_{context}[]
-* xref:registry-security-settings_{context}[]
 ifdef::apicurio-registry[]
 * xref:configuring-registry-ui_{context}[]
 endif::[]
@@ -17,11 +15,9 @@ endif::[]
 * xref:configuring-liveness-readiness-probes_{context}[]
 * xref:registry-liveness-env-vars_{context}[]
 
-NOTE: For a list of available configuration options, see {registry-config-reference}.
+NOTE: For a list of all available configuration options, see {registry-config-reference}.
 
 //INCLUDES
-include::{mod-loc}getting-started/proc-configuring-registry-security.adoc[leveloffset=+1]
-include::{mod-loc}getting-started/ref-registry-security-configuration.adoc[leveloffset=+1]
 ifdef::apicurio-registry[]
 include::{mod-loc}getting-started/proc-configuring-registry-ui.adoc[leveloffset=+1]
 endif::[]

docs/modules/ROOT/partials/getting-started/proc-configuring-registry-security-azure.adoc

@@ -0,0 +1,97 @@
+// Metadata created by nebel
+
+[id="registry-security-azure_{context}"]
+
+= Configuring {registry} authentication and authorization with Microsoft Azure Active Directory
+
+[role="_abstract"]
+This section explains how to manually configure authentication and authorization options for {registry} and Microsoft Azure Active Directory (Azure AD). 
+
+The {registry} web console and core REST API support authentication in Azure AD based on OpenID Connect (OIDC) and the OAuth Authorization Code Flow. {registry} provides role-based authorization for default admin, write, and read-only user roles. {registry} authentication and authorization settings are disabled by default. 
+
+To secure {registry} with Azure AD, you require a valid directory in Azure AD with specific configuration. This involves registering the {registry} application in the Azure AD portal with recommended settings and configuring environment variables in {registry}.  
+
+.Prerequisites
+* Azure AD is installed and running. For more details, see the link:https://learn.microsoft.com/en-us/azure[Microsoft Azure AD user documentation]. 
+* {registry} is installed and running.
+
+.Procedure
+
+. Log in to the Azure AD portal using your email address or GitHub account. 
+
+. In the navigation menu, select *Manage > App registrations > New registration*, and complete the following settings: 
++
+** *Name*: Enter your application name. For example: `apicurio-registry-example` 
+** *Supported account types*: Click *Accounts in any organizational directory*.
+** *Redirect URI*: Select *Single-page application* from the list, and enter your {registry} web console application host. For example: `\https://test-registry.com/ui/`
++
+IMPORTANT: You must register your {registry} application host as a *Redirect URI*. When logging in, users are redirected from {registry} to Azure AD for authentication, and you want to send them back to your application afterwards. Azure AD does not allow any redirect URLs that are not registered. 
+
+. Click *Register*. You can view your app registration details by selecting *Manage > App registrations* > *apicurio-registry-example*.
+
+. Select *Manage > Authentication* and ensure that the application is configured with your redirect URLs and tokens as follows:
+** *Redirect URIs*: For example: `\https://test-registry.com/ui/`
+** *Implicit grant and hybrid flows*: Click *ID tokens (used for implicit and hybrid flows)*
+
+. Select *Azure AD > Admin > App registrations > Your app > Application (client) ID*. For example: `123456a7-b8c9-012d-e3f4-5fg67h8i901`
+
+. Select *Azure AD > Admin > App registrations > Your app > Directory (tenant) ID*. For example: `\https://login.microsoftonline.com/1a2bc34d-567e-89f1-g0hi-1j2kl3m4no56/v2.0`
+
+. In {registry}, configure the following environment variables with your Azure AD settings:
++
+.Configuration for Azure AD settings in {registry}
+[.table-expandable,width="100%",cols="6,4,6",options="header"]
+|===
+|Environment variable
+|Description
+|Setting
+|`KEYCLOAK_API_CLIENT_ID`
+|The client application ID for the {registry} REST API
+|Your Azure AD Application (client) ID obtained in step 5. For example: `123456a7-b8c9-012d-e3f4-5fg67h8i901`
+|`REGISTRY_OIDC_UI_CLIENT_ID`
+|The client application ID for the {registry} web console.
+|Your Azure AD Application (client) ID obtained in step 5. For example: `123456a7-b8c9-012d-e3f4-5fg67h8i901`
+|`REGISTRY_AUTH_URL_CONFIGURED`
+|The URL for authentication in Azure AD.
+|Your Azure AD Application (tenant) ID obtained in step 6. For example: `\https://login.microsoftonline.com/1a2bc34d-567e-89f1-g0hi-1j2kl3m4no56/v2.0`.
+|===
+
+. In {registry}, configure the following environment variables for {registry}-specific settings:
++
+.Configuration for {registry}-specific settings
+[.table-expandable,width="100%",cols="6,5,4",options="header"]
+|===
+|Environment variable
+|Description
+|Setting
+|`REGISTRY_AUTH_ENABLED`
+|Enables authentication for {registry}.
+|`true`
+|`REGISTRY_UI_AUTH_TYPE`
+|The {registry} authentication type.
+|`oidc`
+|`CORS_ALLOWED_ORIGINS`
+|The host for your {registry} deployment for cross-origin resource sharing (CORS).
+|For example: `\https://test-registry.com`
+|`REGISTRY_OIDC_UI_REDIRECT_URL`
+|The host for your {registry} web console.
+|For example: `\https://test-registry.com/ui`
+|`ROLE_BASED_AUTHZ_ENABLED`
+|Enables role-based authorization in {registry}.
+|`true`
+|`QUARKUS_OIDC_ROLES_ROLE_CLAIM_PATH`
+|The name of the claim in which Azure AD stores roles.
+|`roles`
+|===
++
+NOTE: When you enable roles in {registry}, you must also create the same roles in Azure AD as application roles. The default roles expected by {registry} are `sr-admin`, `sr-developer`, and `sr-readonly`.
+
+
+[role="_additional-resources"]
+.Additional resources
+* For details on configuring non-default user role names, see xref:registry-security-settings_{context}[].
+* For more details on using Azure AD, see the link:https://learn.microsoft.com/en-us/azure[Microsoft Azure AD user documentation]. 
+
+
+
+

docs/modules/ROOT/partials/getting-started/proc-configuring-registry-security.adoc docs/modules/ROOT/partials/getting-started/proc-configuring-registry-security-keycloak.adoc

@@ -1,11 +1,11 @@
 // Metadata created by nebel
 
-[id="registry-security_{context}"]
+[id="registry-security-keycloak_{context}"]
 
 = Configuring {registry} authentication and authorization with {keycloak}
 
 [role="_abstract"]
-This section explains how to manually configure authentication and authorization options for {registry} using {keycloak}. 
+This section explains how to manually configure authentication and authorization options for {registry} and {keycloak}. 
 
 [NOTE]
 ====
@@ -18,9 +18,9 @@ see xref:registry-security-keycloak[].
 endif::[]
 ====
 
-You can enable authentication for the {registry} web console and core REST API using {keycloak} based on OAuth using OpenID Connect (OIDC). The same {keycloak} realm and users are federated across the {registry} web console and core REST API using OpenID Connect so that you only require one set of credentials.
+The {registry} web console and core REST API support authentication in {keycloak} based on OAuth and OpenID Connect (OIDC). The same {keycloak} realm and users are federated across the {registry} web console and core REST API using OpenID Connect so that you only require one set of credentials.
 
-{registry} provides role-based authorization for default admin, write, and read-only user roles. {registry} also provides content-based authorization at the schema or API level, where only the creator of the registry artifact can update or delete it. {registry} authentication and authorization settings are disabled by default. 
+{registry} provides role-based authorization for default admin, write, and read-only user roles. {registry} provides content-based authorization at the schema or API level, where only the creator of the registry artifact can update or delete it. {registry} authentication and authorization settings are disabled by default. 
 
 .Prerequisites
 * {keycloak} is installed and running. For more details, see the 

docs/modules/ROOT/partials/shared/attributes.adoc

@@ -26,7 +26,7 @@ ifndef::service-registry-downstream[]
 :registry-docker-version: latest-release 
 :registry-v1: 1.3
 :registry-v1-release: 1.3.2.Final 
-:operator-version: 1.2.0-dev
+:operator-version: 1.1.0-v2.4.12.final
 :kafka-streams: Strimzi
 :registry-kafka-version: 3.5
 :keycloak: Keycloak
@@ -47,7 +47,7 @@ ifdef::service-registry-downstream[]
 :registry-version: 2.5
 :registry-release: 2.5.4.Final-redhat-00001
 :registry-v1-release: 1.3.2.Final-redhat-00002
-:operator-version: 1.1.0.redhat.x
+:operator-version: 1.2.0.redhat.x
 :kafka-streams: AMQ Streams
 :registry-streams-version: 2.6
 :keycloak: {org-name} Single Sign-On