Merge remote-tracking branch 'origin/release/1.50.0' into release/1.50.0

DocsDevREADME.md

@@ -19,6 +19,7 @@ Here are some guidelines to follow when writing documentation (everything under
 - Use `admin UI` instead of `Admin UI` when writing about the admin user interface.
 - Use `logged in` instead of `logged-in`
 - `log in` is the verb, `login` is the noun
+- Use `UserInfo` instead of `Userinfo`
 - Don't abbreviate FusionAuth, use the full name.
 - References to `http://127.0.0.1` should be updated to `http://localhost`. Remove hyperlinks to `localhost`.
 - Always provide an alt text for images. It should always be a full sentence describing the content of the image.
@@ -40,6 +41,7 @@ Here are some guidelines to follow when writing documentation (everything under
 - Don't use complex breadcrumbs styling in docs. Use `->`. Use the [Breadcrumb](astro/src/components/Breadcrumb.astro) component. Breadcrumbs should look like this `<Breadcrumb>foo -> bar -> baz</Breadcrumb>`.
 - If you are referencing a field in a form or JSON API doc, use the [InlineField](astro/src/components/InlineField.astro) component: `<InlineField>Issuer</InlineField>`.
 - If you are referencing a UI element or button, use the [InlineUIElement](astro/src/components/InlineUIElement.astro) component: `Click the <UIelement>Ok</UIelement> button`.
+- If you are referencing a tab in the UI, use the [Breadcrumb](astro/src/components/Breadcrumb.astro) component: `On the <Breadcrumb>OAuth</Breadcrumb> tab`.
 - When you have a list of values, use this phrase to prefix it: "The possible values are:"
 - When using images that are cropped, add `top-cropped` and/or `bottom-cropped` roles as appropriate. Use `box-shadow` only when an image isn't captured in the manner documented below. It's used only when we have screenshots of things that do not have a box shadow and are all white and blend in too much with our white background. No other image classes are needed when creating documentation.
 - Include fragments that are shared between different sections of the doc should be stored in the [shared](astro/src/content/docs/_shared) directory.

astro/src/content/docs/_shared/_application-oauth-settings.mdx

@@ -91,9 +91,9 @@ import OAuthWildcardUsage from 'src/content/docs/_shared/_oauth-wildcard-usage.m
     When creating a new Application, the `Authorization Code` and `Refresh Token` grants will be enabled by default. See The [OAuth 2.0 & OpenID Connect Overview](/docs/lifecycle/authenticate-users/oauth/) for additional information on each of these grants.
   </APIField>
   <APIField name="Device Verification URL" optional since="1.11.0">
-    The URL to direct the end-user to for the user-interaction portion of the Device Authorization Grant.
+    The URL to be returned during the Device Authorization request to be displayed to the end user. This URL will be where the end user navigates in order to complete the device authentication workflow.
 
-    This field is required if `Device` is enabled in the OAuth <InlineField>Enabled grants</InlineField> for this Application.
+    This field is required if `Device` is enabled in the OAuth <InlineField>Enabled grants</InlineField> for this Application and hidden when not.
   </APIField>
   <APIField name="Require registration" optional since="1.28.0">
     When enabled the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.

astro/src/content/docs/_shared/_application-scopes-settings.mdx

@@ -38,7 +38,7 @@ import InlineField from 'src/components/InlineField.astro';
     The possible values are:
 
     * `Compatibility` - OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.
-    * `Strict` - OAuth workflows will populate JWT and UserInfo claims according to specification based on requested and consented scopes.
+    * `Strict` - OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
   </APIField>
   <APIField name="Provided scopes">
     Configuration for standard scopes provided by FusionAuth. Each provided scope is reserved by FusionAuth and can be individually <InlineField>Enabled</InlineField> and <InlineField>Required</InlineField>. A disabled scope will be treated as unknown by FusionAuth and handled in accordance with the <InlineField>Unknown scope policy</InlineField>. A user must consent to all <InlineField>Required</InlineField> scopes present in an OAuth workflow, but may choose whether or not to consent to <InlineField>Enabled</InlineField> fields that are not <InlineField>Required</InlineField>.

astro/src/content/docs/apis/_application-oauth-configuration-response-body.mdx

@@ -50,9 +50,9 @@ import JSON from 'src/components/JSON.astro';
 
     The possible values are:
 
-    * `AlwaysPrompt` - Users are prompted to consent to requested OAuth scopes every time they go through an OAuth workflow.
-    * `RememberDecision` - The user's consent selections will be persisted, and they will only be prompted when the OAuth request contains a scope they have not made a selection for. The duration of this persisted choice is controlled by the tenant object's <InlineField>externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds</InlineField> value.
-    * `NeverPrompt` - The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were a `FirstParty` application. This configuration is meant for testing purposes only.
+    * `AlwaysPrompt` - Always prompt the user for consent.
+    * `RememberDecision` - Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant's <InlineField>externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds</InlineField> value.
+    * `NeverPrompt` - The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were a `FirstParty` application. This configuration is meant for testing purposes only and should not be used in production.
   </APIField>
   <APIField name="oauthConfiguration.deviceVerificationURL" type="String" since="1.11.0">
     The device verification URL to be used with the Device Code grant type.
@@ -116,7 +116,7 @@ import JSON from 'src/components/JSON.astro';
     Whether consent to the `profile` OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
   </APIField>
   <APIField name="oauthConfiguration.relationship" type="String" since="1.50.0">
-    The application's relationship to the OAuth server.
+    The application's relationship to the authorization server.
 
     The possible values are:
 
@@ -137,8 +137,8 @@ import JSON from 'src/components/JSON.astro';
 
     The possible values are:
 
-    * `Compatibility` - OAuth workflows will populate JWT and UserInfo claims in a backwards compatible manner.
-    * `Strict` - OAuth workflows will populate JWT and UserInfo claims according to specification based on requested and consented scopes.
+    * `Compatibility` - OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.
+    * `Strict` - OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
   </APIField>
   <APIField name="oauthConfiguration.unknownScopePolicy" type="String" since="1.50.0">
     Controls the policy for handling unknown scopes on an OAuth request.

astro/src/content/docs/apis/_application-request-body.mdx

@@ -249,9 +249,9 @@ import Xmlsignaturec14nmethodValues from 'src/content/docs/_shared/_xmlSignature
 
     The possible values are:
 
-    * `AlwaysPrompt` - Users are prompted to consent to requested OAuth scopes every time they go through an OAuth workflow.
-    * `RememberDecision` - The user's consent selections will be persisted, and they will only be prompted when the OAuth request contains a scope they have not made a selection for. The duration of this persisted choice is controlled by the tenant's <InlineField>externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds</InlineField> value.
-    * `NeverPrompt` - The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were a `FirstParty` application. This configuration is meant for testing purposes only.
+    * `AlwaysPrompt` - Always prompt the user for consent.
+    * `RememberDecision` - Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant's <InlineField>externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds</InlineField> value.
+    * `NeverPrompt` - The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were a `FirstParty` application. This configuration is meant for testing purposes only and should not be used in production.
   </APIField>
   <APIField name="application.oauthConfiguration.debug" type="Boolean" optional since="1.25.0">
     Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
@@ -341,8 +341,8 @@ import Xmlsignaturec14nmethodValues from 'src/content/docs/_shared/_xmlSignature
 
     The possible values are:
 
-    * `Compatibility` - OAuth workflows will populate JWT and UserInfo claims in a backwards compatible manner.
-    * `Strict` - OAuth workflows will populate JWT and UserInfo claims according to specification based on requested and consented scopes.
+    * `Compatibility` - OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.
+    * `Strict` - OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
   </APIField>
   <APIField name="application.oauthConfiguration.unknownScopePolicy" type="String" optional since="1.50.0" defaults="Reject">
     Controls the policy for handling unknown scopes on an OAuth request.

astro/src/content/docs/apis/_application-response-body-base.mdx

@@ -180,9 +180,9 @@ import Xmlsignaturec14nmethodValues from 'src/content/docs/_shared/_xmlSignature
 
     The possible values are:
 
-    * `AlwaysPrompt` - Users are prompted to consent to requested OAuth scopes every time they go through an OAuth workflow.
-    * `RememberDecision` - The user's consent selections will be persisted, and they will only be prompted when the OAuth request contains a scope they have not made a selection for. The duration of this persisted choice is controlled by the tenant object's <InlineField>externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds</InlineField> value.
-    * `NeverPrompt` - The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were a `FirstParty` application. This configuration is meant for testing purposes only.
+    * `AlwaysPrompt` - Always prompt the user for consent.
+    * `RememberDecision` - Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant's <InlineField>externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds</InlineField> value.
+    * `NeverPrompt` - The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were a `FirstParty` application. This configuration is meant for testing purposes only and should not be used in production.
   </APIField>
   <APIField name={ props.base_field_name + ".oauthConfiguration.debug" } type="Boolean" since="1.25.0">
     Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
@@ -270,8 +270,8 @@ import Xmlsignaturec14nmethodValues from 'src/content/docs/_shared/_xmlSignature
 
     The possible values are:
 
-    * `Compatibility` - OAuth workflows will populate JWT and UserInfo claims in a backwards compatible manner.
-    * `Strict` - OAuth workflows will populate JWT and UserInfo claims according to specification based on requested and consented scopes.
+    * `Compatibility` - OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.
+    * `Strict` - OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
   </APIField>
   <APIField name={ props.base_field_name + ".oauthConfiguration.unknownScopePolicy" } type="String" since="1.50.0">
     Controls the policy for handling unknown scopes on an OAuth request.

astro/src/content/docs/apis/applications.mdx

@@ -134,11 +134,20 @@ The response for this API contains either a single Application or all of the App
 <GenericUpdateExplanationFragment capitalized_object_name="Application" />
 
 <Aside type="note">
-You can't update an Application's roles via this API. This prevents you from accidentally removing all the roles of an Application. To create, update or remove a role from the Application, you need to call one of these APIs:
+You can't update an Application's roles or OAuth scopes via this API. This prevents you from accidentally removing all the roles or scopes of an Application.
+
+To create, update or remove a role from the Application, you need to call one of these APIs:
 
 * <ScrollRef target="Create an Application Role" />
 * <ScrollRef target="Update an Application Role" />
 * <ScrollRef target="Delete an Application Role" />
+
+To create, update or remove an OAuth scope from the Application, you need to call one of these APIs:
+
+* [Create an OAuth Scope](/docs/apis/scopes#create-an-oauth-scope)
+* [Update an OAuth Scope](/docs/apis/scopes#update-an-oauth-scope)
+* [Delete an OAuth Scope](/docs/apis/scopes#delete-an-oauth-scope)
+
 </Aside>
 
 ### Request

astro/src/content/docs/get-started/core-concepts/licensing.mdx

@@ -7,6 +7,7 @@ subcategory: core concepts
 import LicensingPremiumFeaturesIntro from 'src/content/docs/_shared/_licensing-premium-features-intro.mdx';
 import ScrollRef from 'src/components/ScrollRef.astro';
 import Aside from 'src/components/Aside.astro';
+import Breadcrumb from 'src/components/Breadcrumb.astro';
 import InlineField from 'src/components/InlineField.astro';
 import KickstartLicenseText from 'src/content/docs/_shared/_kickstart-license-text.mdx';
 import DeletingYourAccount from 'src/content/docs/_shared/_deleting-your-account.mdx';
@@ -42,15 +43,13 @@ This will be used to calculate your monthly active users (MAU), which may affect
 The other license Id is suitable for non-production environments, such as user acceptance testing or development.
 
 <Aside type="note">
-You can always find your license Id by logging in to your [Account](https://account.fusionauth.io/account) and then navigating to the **Plan** tab.
-If you do not have a license Id there, you are on Community edition.
-In that case, no license is required.
+  You can always find your license Id by logging in to your [Account](https://account.fusionauth.io/account) and then navigating to the **Plan** tab. If you do not have a license Id there, you are on Community edition. In that case, no license is required.
 </Aside>
 
 After you have your license Id, log in to your FusionAuth instance.
 
 The credentials you use to log into the instance have no connection to the credentials you used to log into your account portal.
-Navigate to the <strong>Reactor</strong> tab and enter your license Id in the <InlineField>License key</InlineField> field.
+Navigate to the <Breadcrumb>Reactor</Breadcrumb> tab and enter your license Id in the <InlineField>License key</InlineField> field.
 
 <Aside type="note">
 You will need either the `admin` or `reactor_manager` roles in the FusionAuth application to view the <strong>Reactor</strong> tab.

astro/src/content/docs/get-started/core-concepts/tenants.mdx

@@ -9,6 +9,7 @@ import APIField from 'src/components/api/APIField.astro';
 import AvailableSince from 'src/components/api/AvailableSince.astro';
 import PremiumEditionBlurb from 'src/content/docs/_shared/_premium-edition-blurb.astro';
 import InlineField from 'src/components/InlineField.astro';
+import InlineUIElement from 'src/components/InlineUIElement.astro';
 import ScrollRef from 'src/components/ScrollRef.astro';
 import EmailTemplates from 'src/content/docs/get-started/core-concepts/_email-templates.mdx';
 import TenantJsonWebTokenSettings from 'src/content/docs/get-started/core-concepts/_tenant-json-web-token-settings.mdx';
@@ -769,7 +770,7 @@ The Rate limit settings allow you to set a number of times an action can be atte
     The number of seconds before the Registration Verification identifier is no longer valid to complete the Registration Verification request.
   </APIField>
   <APIField name="Remember scope consent choice" required>
-    The number of seconds before the Remember scope consent choice identifier is no longer valid to bypass the OAuth scope consent prompt.
+    The number of seconds before a remembered consent choice, used to bypass the OAuth scope consent prompt, expires.
   </APIField>
   <APIField name="SAMLv2 AuthN request" required>
     The number of seconds before the SAMLv2 AuthN request is no longer valid to complete the SAMLv2 login request.
@@ -838,7 +839,7 @@ The Rate limit settings allow you to set a number of times an action can be atte
 
 ## Add Connector Policy Dialog
 
-If you click on the `Add policy` button on this page you will be presented with the following dialog.
+If you click on the <InlineUIElement>Add policy</InlineUIElement> button on this page you will be presented with the following dialog.
 
 <img src="/img/docs/get-started/core-concepts/tenant-configuration-connector-add-policy.png" alt="Add Connector Policy" width="300" role="box-shadow" />