Commit d1ad5de

Merge pull request #262603 from shikhagarg1/main
Fix the redirection uri content
2 parents 6c15bfa + 29bf7d8 commit d1ad5de

4 files changed

+26
-36
lines changed

articles/energy-data-services/concepts-entitlements.md

Lines changed: 6 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -13,38 +13,31 @@ ms.custom: template-concept
1313

1414
Access management is a critical function for any service or resource. The entitlement service lets you control who can use your Azure Data Manager for Energy, what they can see or change, and which services or data they can use.
1515

16-
## OSDU Groups Structure
16+
## OSDU groups structure and naming
1717

18-
The entitlements service of Azure Data Manager for Energy allows you to create groups and manage memberships of the groups. An entitlement group defines permissions on services/data sources for a given data partition in your Azure Data Manager for Energy instance. Users added to a given group obtain the associated permissions.
18+
The entitlements service of Azure Data Manager for Energy allows you to create groups and manage memberships of the groups. An entitlement group defines permissions on services/data sources for a given data partition in your Azure Data Manager for Energy instance. Users added to a given group obtain the associated permissions. All group identifiers (emails) are of form `{groupType}.{serviceName|resourceName}.{permission}@{partition}.{domain}`.
1919

2020
Please note that different groups and associated user entitlements need to be set for every **new data partition** even in the same Azure Data Manager for Energy instance.
2121

2222
The entitlements service enables three use cases for authorization:
2323

2424
1. **Data groups** are used to enable authorization for data.
25-
1. Some examples are data.welldb.viewers and data.welldb.owners.
25+
1. The data groups start with the word "data." such as data.welldb.viewers and data.welldb.owners.
2626
2. Individual users are added to the data groups which are added in the ACL of individual data records to enable `viewer` and `owner` access of the data once the data has been loaded in the system.
2727
3. To `upload` the data, you need to have entitlements of various OSDU services which are used during ingestion process. The combination of OSDU services depends on the method of ingestion. E.g., for manifest ingestion, refer [this](concepts-manifest-ingestion.md) to understand the OSDU services APIs used. The user **need not be part of the ACL** to upload the data.
2828

2929
2. **Service groups** are used to enable authorization for services.
30-
1. Some examples are service.storage.user and service.storage.admin.
30+
1. The service groups start with the word "service." such as service.storage.user and service.storage.admin.
3131
2. The service groups are **predefined** when OSDU services are provisioned in each data partition of Azure Data Manager for Energy instance.
3232
3. These groups enable `viewer`, `editor`, and `admin` access to call the OSDU APIs corresponding to the OSDU services.
3333

3434
3. **User groups** are used for hierarchical grouping of user and service groups.
35-
1. Some examples are users.datalake.viewers and users.datalake.editors.
35+
1. The service groups start with the word "users." such as users.datalake.viewers and users.datalake.editors.
3636
2. Some user groups are created by default when a data partition is provisioned. Details of these groups and their hierarchy scope are in [Bootstrapped OSDU Entitlements Groups](https://community.opengroup.org/osdu/platform/deployment-and-operations/infra-azure-provisioning/-/blob/master/docs/osdu-entitlement-roles.md).
37-
3. The `users@{partition}.{domain}` has the list of all the users with any type of access in a given data partition. Before adding a new user to any entitlement groups, you need to add the new user to the `users@{partition}.{domain}` group as well.
37+
3. There's one exception of this group naming rule for "users" group. It gets created when a new data partition is provisioned and its name follows the pattern of `users@{partition}.{domain}`. It has the list of all the users with any type of access in a given data partition. Before adding a new user to any entitlement groups, you need to add the new user to the `users@{partition}.{domain}` group as well.
3838

3939
Individual users can be added to a `user group`. The `user group` is then added to a `data group`. The data group is added to the ACL of the data record. It enables abstraction for the data groups since individual users need not be added one by one to the data group and instead can be added to the `user group`. This `user group` can then be used repeatedly for multiple `data groups`. The nested structure thus helps provide scalability to manage memberships in OSDU.
4040

41-
## Group naming
42-
43-
All group identifiers (emails) are of form `{groupType}.{serviceName|resourceName}.{permission}@{partition}.{domain}`. A group naming convention is adopted by OSDU such that the group's name starts with
44-
1. the word "data." for data groups;
45-
2. the word "service." for service groups;
46-
3. the word "users." for user groups. There's one exception of this group naming rule for "users" group. It gets created when a new data partition is provisioned and its name follows the pattern of `users@{partition}.{domain}`.
47-
4841
## Users
4942

5043
For each OSDU group, you can either add a user as an OWNER or a MEMBER.
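Review bot: new line 35 reads "The service groups start with the word "users."" but this is the user-groups bullet, so it should say "The user groups start with the word "users." such as users.datalake.viewers and users.datalake.editors." In new line 37, "one exception of this group naming rule" should be "one exception to this group naming rule". Since the pattern `{groupType}.{serviceName|resourceName}.{permission}@{partition}.{domain}` now sits in line 18, before the three group types are introduced, consider adding there that `{groupType}` is `data`, `service` or `users`, so the per-type bullets read as instances of the rule rather than repeating it.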

articles/energy-data-services/how-to-generate-auth-token.md

Lines changed: 19 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -15,17 +15,13 @@ ms.custom: template-how-to
1515
In this article, you learn how to generate the service principal auth token, user's auth token and user's refresh token.
1616

1717
## Register your app with Microsoft Entra ID
18-
To use the Azure Data Manager for Energy platform endpoint, you must register your app in the [Azure portal app registration page](https://go.microsoft.com/fwlink/?linkid=2083908). You can use either a Microsoft account or a work or school account to register an app. For steps on how to configure, see [Register your app documentation](../active-directory/develop/quickstart-register-app.md#register-an-application).
19-
20-
To use the OAuth 2.0 authorization code grant flow, save the following values when registering the app:
21-
22-
- The `Directory (tenant) ID` is used as `{tenant-id}`
23-
- The `application (client) ID` assigned by the app registration portal is used as `client-id`.
24-
- A `client (application) secret`, either a password or a public/private key pair (certificate). The client secret isn't required for native apps. This secret is used as `{client-secret}`.
25-
- A `redirect URI (or reply URL)` for your app to receive responses from Microsoft Entra ID. If there's no redirect URIs specified, you can add a platform, select "Web", add `http://localhost:8080`, and select save.
18+
1. To provision the Azure Data Manager for Energy platform, you must register your app in the [Azure portal app registration page](https://go.microsoft.com/fwlink/?linkid=2083908). You can use either a Microsoft account or a work or school account to register an app. For steps on how to configure, see [Register your app documentation](../active-directory/develop/quickstart-register-app.md#register-an-application).
19+
2. In the app overview section, if there's no redirect URIs specified, you can add a platform, select "Web", add `http://localhost:8080`, and select save.
2620

2721
:::image type="content" source="media/how-to-generate-auth-token/app-registration-uri.png" alt-text="Screenshot of adding URI to the app.":::
2822

23+
3. Fetch the `redirect-uri` (or reply URL) for your app to receive responses from Microsoft Entra ID.
24+
2925

3026
## Fetch parameters
3127
You can also find the parameters once the app is registered on the Azure portal.
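Review bot: new step 3, "Fetch the `redirect-uri` (or reply URL)", does not say where to fetch it from or that it must be the exact value registered in step 2; Microsoft Entra ID rejects an authorize request whose `redirect_uri` does not exactly match a registered reply URL, so suggest "Copy the redirect URI exactly as registered (for example `http://localhost:8080`); it is used as `{redirect-uri}` in the requests below." The lead sentence also changed from "To use the Azure Data Manager for Energy platform endpoint" to "To provision the Azure Data Manager for Energy platform", which changes what the app registration is said to be for; confirm that is intended. Finally, the removed bullet that said the client secret is not required for native apps has no replacement in this hunk, so a reader registering a public client loses that guidance unless the "Fetch parameters" section still carries it.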
@@ -67,8 +63,9 @@ A `client-secret` is a string value your app can use in place of a certificate t
6763
:::image type="content" source="media/how-to-generate-auth-token/client-secret.png" alt-text="Screenshot of finding the client secret.":::
6864

6965
#### Find the `URL` for your Azure Data Manager for Energy instance
70-
1. Navigate to your Azure Data Manager for Energy *Overview* page on the Azure portal.
71-
2. Copy the URI from the essentials pane.
66+
1. Create [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md).
67+
2. Navigate to your Azure Data Manager for Energy *Overview* page on the Azure portal.
68+
3. Copy the URI from the essentials pane.
7269

7370
:::image type="content" source="media/how-to-generate-auth-token/endpoint-url.png" alt-text="Screenshot of finding the URL from Azure Data Manager for Energy instance.":::
7471

@@ -117,15 +114,21 @@ Generating a user's auth token is a two step process.
117114
### Get authorization code
118115
The first step to getting an access token for many OpenID Connect (OIDC) and OAuth 2.0 flows is to redirect the user to the Microsoft identity platform `/authorize` endpoint. Microsoft Entra ID signs the user in and requests their consent for the permissions your app requests. In the authorization code grant flow, after consent is obtained, Microsoft Entra ID returns an `authorization_code` to your app that it can redeem at the Microsoft identity platform `/token` endpoint for an access token.
119116

120-
#### Request format
121-
1. After replacing the parameters, you can paste the below in the URL of any browser and hit enter.
117+
1. After replacing the parameters, you can paste the request in the URL of any browser and hit enter.
122118
2. It asks you to log in to your Azure portal if not logged in already.
123-
3. You get the response in the URL.
124-
125-
```bash
119+
3. You might see 'can't reach this page' error in the browser. You can ignore that.
120+
121+
:::image type="content" source="media/how-to-generate-auth-token/localhost-redirection-error.png" alt-text="Screenshot of localhost redirection.":::
122+
123+
4. The browser redirects to `http://localhost:8080/?code={authorization code}&state=...` upon successful authentication.
124+
5. Copy the response from the URL bar of the browser and fetch the text between `code=` and `&state`
125+
6. This is the `authorization_code` to keep handy for future use.
126+
127+
#### Request format
128+
```bash
126129
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?client_id={client-id}
127130
&response_type=code
128-
&redirect_uri=http%3a%2f%2flocalhost%3a8080
131+
&redirect_uri={redirect-uri}
129132
&response_mode=query
130133
&scope={client-id}%2f.default&state=12345&sso_reload=true
131134
```
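Review bot: replacing the literal `&redirect_uri=http%3a%2f%2flocalhost%3a8080` with `&redirect_uri={redirect-uri}` drops the only hint that the value must be percent-encoded; add a sentence that `{redirect-uri}` is the registered URI URL-encoded (`http://localhost:8080` becomes `http%3a%2f%2flocalhost%3a8080`) and must match the registration exactly, or the `/authorize` call fails before any code is issued. The reordered steps are now inconsistent with that placeholder: step 4 still hardcodes `http://localhost:8080/?code={authorization code}&state=...`, and step 1 tells the reader to paste "the request" before the "Request format" block that contains it. Either move the steps after the request block or say "the request shown under Request format below". Steps 3 and 4 also describe the same moment from opposite directions (a "can't reach this page" error, then a redirect "upon successful authentication"); merge them into one step saying the browser lands on the redirect URI, the page fails to load because nothing listens on localhost:8080, and the code is in the address bar.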
@@ -141,15 +144,9 @@ The first step to getting an access token for many OpenID Connect (OIDC) and OAu
141144
| state |Recommended |A value included in the request that can be a string of any content that you want to use. Usually, a randomly generated unique value is used, to prevent cross-site request forgery attacks. The state also is used to encode information about the user's state in the app before the authentication request occurred. For example, the page the user was on, or the user flow that was being executed. |
142145

143146
#### Sample response
144-
1. The browser redirects to `http://localhost:8080/?code={authorization code}&state=...` upon successful authentication.
145-
2. In the URL bar, you see the response of the below format.
146-
147147
```bash
148148
http://localhost:8080/?code=0.BRoAv4j5cvGGr0...au78f&state=12345&session....
149149
```
150-
3. Copy the response and fetch the text between `code=` and `&state`
151-
4. This is the `authorization_code` to keep handy for future use.
152-
153150
> [!NOTE]
154151
> The browser may say that the site can't be reached, but it should still have the authorization code in the URL bar.
155152

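Review bot: with the numbered steps moved into the previous hunk, the `[!NOTE]` kept here ("The browser may say that the site can't be reached, but it should still have the authorization code in the URL bar") now repeats new step 3, and the "Sample response" heading is followed directly by a code block with no lead-in; either delete the note or reduce it to a single sentence introducing the sample, such as "The address bar contains the code even though the page itself fails to load." While here, the sample and the request both use `state=12345` although the `state` row above says a randomly generated unique value is what prevents cross-site request forgery; a short remark that `12345` is a placeholder to replace would keep the sample from being copied as is.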
articles/energy-data-services/how-to-manage-users.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ In this article, you learn how to manage users and their memberships in OSDU gro
4444

4545
## Get the list of all available groups in a data partition
4646

47-
Run the below curl command in Azure Cloud Bash to get all the groups that are available for your Azure Data Manager for the Energy instance and its data partitions.
47+
Run the below curl command in Azure Cloud Bash to get all the groups that are available for you or you have access to in the given data partition of Azure Data Manager for the Energy instance.
4848

4949
```bash
5050
curl --location --request GET "https://<URI>/api/entitlements/v2/groups/" \
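Review bot: the new sentence "available for you or you have access to in the given data partition" says the same thing twice, and "Azure Data Manager for the Energy instance" (carried over from the old line) misplaces "the"; "Azure Cloud Bash" should be "Azure Cloud Shell". Suggest "Run the following curl command in Azure Cloud Shell (Bash) to list the groups you're a member of in the given data partition of your Azure Data Manager for Energy instance." "You're a member of" is the precise claim for `GET /api/entitlements/v2/groups/`, which returns the caller's own groups in the partition named in the request rather than every group that exists there.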