docs: configure registry auth and authz with azure ad

docs/modules/ROOT/nav.adoc

@@ -9,6 +9,7 @@
 * Migration
 ** xref:getting-started/assembly-migrating-registry-v1-v2.adoc[]
 * Configuration
+** xref:getting-started/assembly-configuring-registry-security.adoc[]
 ** xref:getting-started/assembly-configuring-the-registry.adoc[]
 * Client applications
 ** xref:getting-started/assembly-managing-registry-artifacts-ui.adoc[]

docs/modules/ROOT/pages/getting-started/assembly-configuring-registry-security.adoc

@@ -0,0 +1,19 @@
+// Metadata created by nebel
+include::{mod-loc}shared/all-attributes.adoc[]
+
+[id="configuring-registry-security_{context}"]
+= Configuring {registry} security options
+
+[role="_abstract"]
+This chapter explains how to set configuration options for {registry} security. For example, this includes authentication in {keycloak} or Microsoft Azure Active Directory and role-based authorization in {registry}. 
+
+* xref:registry-security-keycloak_{context}[]
+* xref:registry-security-azure_{context}[]
+* xref:registry-security-settings_{context}[]
+
+NOTE: For a list of all available configuration options, see {registry-config-reference}.
+
+//INCLUDES
+include::{mod-loc}getting-started/proc-configuring-registry-security-keycloak.adoc[leveloffset=+1]
+include::{mod-loc}getting-started/proc-configuring-registry-security-azure.adoc[leveloffset=+1]
+include::{mod-loc}getting-started/ref-registry-security-configuration.adoc[leveloffset=+1]

docs/modules/ROOT/pages/getting-started/assembly-configuring-the-registry.adoc

@@ -5,10 +5,8 @@ include::{mod-loc}shared/all-attributes.adoc[]
 = Configuring your {registry} deployment
 
 [role="_abstract"]
-This chapter explains how to set important configuration options for {registry}. This includes features such as authentication and authorization, logging, events, and health checks: 
+This chapter explains how to set important configuration options for your {registry} deployment. This includes features such as the {registry} web console, logging, events, and health checks: 
 
-* xref:registry-security_{context}[]
-* xref:registry-security-settings_{context}[]
 ifdef::apicurio-registry[]
 * xref:configuring-registry-ui_{context}[]
 endif::[]
@@ -17,11 +15,9 @@ endif::[]
 * xref:configuring-liveness-readiness-probes_{context}[]
 * xref:registry-liveness-env-vars_{context}[]
 
-NOTE: For a list of available configuration options, see {registry-config-reference}.
+NOTE: For a list of all available configuration options, see {registry-config-reference}.
 
 //INCLUDES
-include::{mod-loc}getting-started/proc-configuring-registry-security.adoc[leveloffset=+1]
-include::{mod-loc}getting-started/ref-registry-security-configuration.adoc[leveloffset=+1]
 ifdef::apicurio-registry[]
 include::{mod-loc}getting-started/proc-configuring-registry-ui.adoc[leveloffset=+1]
 endif::[]

docs/modules/ROOT/partials/getting-started/proc-configuring-registry-security-azure.adoc

@@ -0,0 +1,97 @@
+// Metadata created by nebel
+
+[id="registry-security-azure_{context}"]
+
+= Configuring {registry} authentication and authorization with Microsoft Azure Active Directory
+
+[role="_abstract"]
+This section explains how to manually configure authentication and authorization options for {registry} and Microsoft Azure Active Directory (Azure AD). 
+
+The {registry} web console and core REST API support authentication in Azure AD based on OpenID Connect (OIDC) and the OAuth Authorization Code Flow. {registry} provides role-based authorization for default admin, write, and read-only user roles. {registry} authentication and authorization settings are disabled by default. 
+
+To secure {registry} with Azure AD, you require a valid directory in Azure AD with specific configuration. This involves registering the {registry} application in the Azure AD portal with recommended settings and configuring environment variables in {registry}.  
+
+.Prerequisites
+* Azure AD is installed and running. For more details, see the link:https://learn.microsoft.com/en-us/azure[Microsoft Azure AD user documentation]. 
+* {registry} is installed and running.
+
+.Procedure
+
+. Log in to the Azure AD portal using your email address or GitHub account. 
+
+. In the navigation menu, select *Manage > App registrations > New registration*, and complete the following settings: 
++
+** *Name*: Enter your application name. For example: `apicurio-registry-example` 
+** *Supported account types*: Click *Accounts in any organizational directory*.
+** *Redirect URI*: Select *Single-page application* from the list, and enter your {registry} web console application host. For example: `\https://test-registry.com/ui/`
++
+IMPORTANT: You must register your {registry} application host as a *Redirect URI*. When logging in, users are redirected from {registry} to Azure AD for authentication, and you want to send them back to your application afterwards. Azure AD does not allow any redirect URLs that are not registered. 
+
+. Click *Register*. You can view your app registration details by selecting *Manage > App registrations* > *apicurio-registry-example*.
+
+. Select *Manage > Authentication* and ensure that the application is configured with your redirect URLs and tokens as follows:
+** *Redirect URIs*: For example: `\https://test-registry.com/ui/`
+** *Implicit grant and hybrid flows*: Click *ID tokens (used for implicit and hybrid flows)*
+
+. Select *Azure AD > Admin > App registrations > Your app > Application (client) ID*. For example: `123456a7-b8c9-012d-e3f4-5fg67h8i901`
+
+. Select *Azure AD > Admin > App registrations > Your app > Directory (tenant) ID*. For example: `\https://login.microsoftonline.com/1a2bc34d-567e-89f1-g0hi-1j2kl3m4no56/v2.0`
+
+. In {registry}, configure the following environment variables with your Azure AD settings:
++
+.Configuration for Azure AD settings in {registry}
+[.table-expandable,width="100%",cols="6,4,6",options="header"]
+|===
+|Environment variable
+|Description
+|Setting
+|`KEYCLOAK_API_CLIENT_ID`
+|The client application ID for the {registry} REST API
+|Your Azure AD Application (client) ID obtained in step 5. For example: `123456a7-b8c9-012d-e3f4-5fg67h8i901`
+|`REGISTRY_OIDC_UI_CLIENT_ID`
+|The client application ID for the {registry} web console.
+|Your Azure AD Application (client) ID obtained in step 5. For example: `123456a7-b8c9-012d-e3f4-5fg67h8i901`
+|`REGISTRY_AUTH_URL_CONFIGURED`
+|The URL for authentication in Azure AD.
+|Your Azure AD Application (tenant) ID obtained in step 6. For example: `\https://login.microsoftonline.com/1a2bc34d-567e-89f1-g0hi-1j2kl3m4no56/v2.0`.
+|===
+
+. In {registry}, configure the following environment variables for {registry}-specific settings:
++
+.Configuration for {registry}-specific settings
+[.table-expandable,width="100%",cols="6,5,4",options="header"]
+|===
+|Environment variable
+|Description
+|Setting
+|`REGISTRY_AUTH_ENABLED`
+|Enables authentication for {registry}.
+|`true`
+|`REGISTRY_UI_AUTH_TYPE`
+|The {registry} authentication type.
+|`oidc`
+|`CORS_ALLOWED_ORIGINS`
+|The host for your {registry} deployment for cross-origin resource sharing (CORS).
+|For example: `\https://test-registry.com`
+|`REGISTRY_OIDC_UI_REDIRECT_URL`
+|The host for your {registry} web console.
+|For example: `\https://test-registry.com/ui`
+|`ROLE_BASED_AUTHZ_ENABLED`
+|Enables role-based authorization in {registry}.
+|`true`
+|`QUARKUS_OIDC_ROLES_ROLE_CLAIM_PATH`
+|The name of the claim in which Azure AD stores roles.
+|`roles`
+|===
++
+NOTE: When you enable roles in {registry}, you must also create the same roles in Azure AD as application roles. The default roles expected by {registry} are `sr-admin`, `sr-developer`, and `sr-readonly`.
+
+
+[role="_additional-resources"]
+.Additional resources
+* For details on configuring non-default user role names, see xref:registry-security-settings_{context}[].
+* For more details on using Azure AD, see the link:https://learn.microsoft.com/en-us/azure[Microsoft Azure AD user documentation]. 
+
+
+
+

docs/modules/ROOT/partials/getting-started/proc-configuring-registry-security.adoc → docs/modules/ROOT/partials/getting-started/proc-configuring-registry-security-keycloak.adoc

@@ -1,11 +1,11 @@
 // Metadata created by nebel
 
-[id="registry-security_{context}"]
+[id="registry-security-keycloak_{context}"]
 
 = Configuring {registry} authentication and authorization with {keycloak}
 
 [role="_abstract"]
-This section explains how to manually configure authentication and authorization options for {registry} using {keycloak}. 
+This section explains how to manually configure authentication and authorization options for {registry} and {keycloak}. 
 
 [NOTE]
 ====
@@ -18,17 +18,17 @@ see xref:registry-security-keycloak[].
 endif::[]
 ====
 
-You can enable authentication for the {registry} web console and core REST API using {keycloak} based on OAuth using OpenID Connect (OIDC). The same {keycloak} realm and users are federated across the {registry} web console and core REST API using OpenID Connect so that you only require one set of credentials.
+The {registry} web console and core REST API support authentication in {keycloak} based on OAuth and OpenID Connect (OIDC). The same {keycloak} realm and users are federated across the {registry} web console and core REST API using OpenID Connect so that you only require one set of credentials.
 
-{registry} provides role-based authorization for default admin, write, and read-only user roles. {registry} also provides content-based authorization at the schema or API level, where only the creator of the registry artifact can update or delete it. {registry} authentication and authorization settings are disabled by default. 
+{registry} provides role-based authorization for default admin, write, and read-only user roles. {registry} provides content-based authorization at the schema or API level, where only the creator of the registry artifact can update or delete it. {registry} authentication and authorization settings are disabled by default. 
 
 .Prerequisites
 * {keycloak} is installed and running. For more details, see the 
 ifdef::apicurio-registry[]
 link:https://www.keycloak.org/documentation[{keycloak} user documentation]. 
 endif::[]
 ifdef::rh-service-registry[]
-the link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/{keycloak-version}[{keycloak} user documentation].
+link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/{keycloak-version}[{keycloak} user documentation].
 endif::[]
 * {registry} is installed and running.
 
@@ -62,24 +62,25 @@ You can use the defaults for the other client settings.
 
 . In your {registry} deployment on OpenShift, set the following {registry} environment variables to configure authentication using {keycloak}:
 +
-.Configuration for {registry} authentication
-[.table-expandable,width="100%",cols="5,5,2,4",options="header"]
+.Configuration for {registry} authentication with {keycloak}
+[.table-expandable,width="100%",cols="5,6,2,4",options="header"]
 |===
 |Environment variable
 |Description
 |Type
 |Default
 |`AUTH_ENABLED`
-|If set to `true`, the environment variables that follow are required.
+|Enables authentication for {registry}. When set to `true`, the environment variables that follow are required for authentication using {keycloak}.
 |String
 |`false`
 |`KEYCLOAK_URL`
-|The URL of the {keycloak} authentication server to use. 
-|None
+|The URL of the {keycloak} authentication server. For example, `\http://localhost:8080`.
+|String
+|-
 |`KEYCLOAK_REALM`
-|The {keycloak} realm used for authentication.
+|The {keycloak} realm for authentication. For example, `registry.`
 |String
-|`registry`
+|-
 |`KEYCLOAK_API_CLIENT_ID`
 |The client ID for the {registry} REST API.
 |String

docs/modules/ROOT/partials/getting-started/ref-registry-security-configuration.adoc

@@ -37,15 +37,15 @@ You can set the following environment variables to configure authentication for
 |Type
 |Default
 |`AUTH_ENABLED`
-|Enables authentication in {registry}. When set to `true`, the environment variables that follow are required for authentication in {keycloak}.
+|Enables authentication for {registry}. When set to `true`, the environment variables that follow are required for authentication using {keycloak}.
 |String
 |`false`
 |`KEYCLOAK_URL`
 |The URL of the {keycloak} authentication server. For example, `\http://localhost:8080`.
 |String
 |-
 |`KEYCLOAK_REALM`
-|The {keycloak} realm for authentication. For example,`registry.`
+|The {keycloak} realm for authentication. For example, `registry.`
 |String
 |-
 |`KEYCLOAK_API_CLIENT_ID`

docs/modules/ROOT/partials/shared/attributes-links.adoc

@@ -39,7 +39,7 @@ endif::[]
 
 // AMQ Streams titles
 :StreamsName: AMQ Streams
-:AMQStreamsURLVersion: 2.5
+:AMQStreamsURLVersion: 2.6
 
 :LinkStreamsOpenShift: https://access.redhat.com/documentation/en-us/red_hat_amq_streams/{AMQStreamsURLVersion}/html-single/using_amq_streams_on_openshift/index
 :NameStreamsOpenShift: Using {StreamsName} on OpenShift

docs/modules/ROOT/partials/shared/attributes.adoc

@@ -26,7 +26,7 @@ ifndef::service-registry-downstream[]
 :registry-docker-version: latest-release 
 :registry-v1: 1.3
 :registry-v1-release: 1.3.2.Final 
-:operator-version: 1.2.0-dev
+:operator-version: 1.1.0-v2.4.12.final
 :kafka-streams: Strimzi
 :registry-kafka-version: 3.5
 :keycloak: Keycloak
@@ -47,9 +47,9 @@ ifdef::service-registry-downstream[]
 :registry-version: 3.0
 :registry-release: 3.0.0-redhat-00001
 :registry-v1-release: 1.3.2.Final-redhat-00002
-:operator-version: 1.1.0.redhat.x
+:operator-version: 1.2.0.redhat.x
 :kafka-streams: AMQ Streams
-:registry-streams-version: 2.5
+:registry-streams-version: 2.6
 :keycloak: {org-name} build of Keycloak
 :keycloak-version: 7.6
 :sso-token-url: \https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token