From 73fbb8b77ff5c9880b132724f4be9932d723b9fd Mon Sep 17 00:00:00 2001 From: Paul Millar Date: Sun, 21 Apr 2024 09:54:55 +0200 Subject: [PATCH] docs: update oidc chapter to explain trust anchors Motivation: Issue #7553 describes how it's currently undocumented that the OIDC plugin uses Java's built-in trust store. Modification: Document behaviour Result: Admins may have a better understanding of how to configure their dCache. Target: master Requires-notes: no Requires-book: yes Request: 9.2 --- docs/TheBook/src/main/markdown/config-gplazma.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/TheBook/src/main/markdown/config-gplazma.md b/docs/TheBook/src/main/markdown/config-gplazma.md index bd54ee25947..4a4810edf36 100644 --- a/docs/TheBook/src/main/markdown/config-gplazma.md +++ b/docs/TheBook/src/main/markdown/config-gplazma.md @@ -227,6 +227,13 @@ will use offline verification; otherwise, the token is sent to the userinfo endpoint. dCache will cache the response. This behaviour may be adjusted. +Please note that the OIDC plugin uses Java's built-in trust store +to verify the certificate presented by the issuer when making +TLS-encrypted HTTP requests (https://...). Most issuers use +certificates issued by a CA/B-accredited certificate authority, and +most distributions of Java provide CA/B as a default list of +trusted certificate authorities. + ##### Obtaining OIDC information The access token represents a logged in user; however, dCache needs to
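Review bot: the new paragraph in the config-gplazma.md hunk mis-describes the trust anchors. "CA/B-accredited certificate authority" and "most distributions of Java provide CA/B as a default list" are not accurate: the CA/Browser Forum publishes the Baseline Requirements but does not accredit CAs or publish a trust list, and the default Java trust store is the JDK's `cacerts` file (under `lib/security/`), whose contents are curated by the JDK vendor. Suggest wording along the lines of "Most issuers use certificates from a publicly trusted CA, and most Java distributions ship these CAs in their default trust store (`cacerts`)." Two smaller points on the same lines: "TLS-encrypted HTTP requests (https://...)" reads awkwardly and can simply be "HTTPS requests", and the paragraph tells the admin where the trust anchors come from but not what to do when the issuer uses a private CA, which is presumably the situation behind #7553. It is worth adding one sentence saying that such a CA must be added to the Java trust store (e.g. with `keytool -importcert`) or that an alternative store can be supplied via the standard `javax.net.ssl.trustStore` system property in the JVM options, and stating explicitly that this is separate from whatever trust anchors the rest of dCache is configured with, since that distinction is the thing admins are likely to trip over.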