RHIDP-9017 Updated authenticating with GitHub (#1429)

Co-authored-by: Jessica He <[email protected]>
Co-authored-by: Priyanka Abel <[email protected]>

Author: 3 people

assemblies/assembly-enabling-authentication-with-github.adoc

@@ -0,0 +1,11 @@
+:_mod-docs-content-type: ASSEMBLY
+:optional-steps: enable
+
+[id='enabling-authentication-with-github']
+= Enabling authentication with GitHub
+
+include::modules/authentication/proc-enabling-user-authentication-with-github.adoc[leveloffset=+1]
+
+
+include::modules/authentication/proc-enabling-user-authentication-with-github-as-an-auxiliary-authentication-provider.adoc[leveloffset=+1]
+

assemblies/assembly-enabling-authentication.adoc

@@ -13,7 +13,7 @@ include::assembly-authenticating-with-the-guest-user.adoc[leveloffset=+1]
 include::assembly-authenticating-with-rhbk.adoc[leveloffset=+1]
 
 
-include::modules/authentication/proc-enabling-user-authentication-with-github.adoc[leveloffset=+1]
+include::assembly-enabling-authentication-with-github.adoc[leveloffset=+1]
 
 
 include::modules/authentication/proc-enabling-user-authentication-with-microsoft-azure.adoc[leveloffset=+1]

modules/authentication/proc-enabling-user-authentication-with-github-as-an-auxiliary-authentication-provider.adoc

@@ -0,0 +1,47 @@
+:_mod-docs-content-type: PROCEDURE
+
+[id="enabling-user-authentication-with-github-as-an-auxiliary-authentication-provider"]
+= Enabling user authentication with GitHub as an auxiliary authentication provider
+
+To allow users to access GitHub templates or plugins that require GitHub authentication, configure GitHub as an auxiliary authentication provider. This method relies on a primary authentication provider for user identity management, and skips resolving user identity from this provider.
+
+.Prerequisites
+* You have {configuring-book-link}[added a custom {product-short} application configuration] with another authentication provider enabled, and have enough permissions to change it.
+
+include::snip-enabling-user-authentication-with-github-common-steps.adoc[]
+
+. To set up the GitHub authentication provider as an auxiliary authentication provider, add the `auth.providers.github` section to your `{my-app-config-file}` file:
++
+[source,yaml]
+----
+auth:
+  providers:
+    github:
+      production:
+        clientId: ${GITHUB_CLIENT_ID}
+        clientSecret: ${GITHUB_CLIENT_SECRET}
+        disableIdentityResolution: true
+----
++
+where:
+`clientId`::
+Enter the configured secret variable name: `$\{GITHUB_CLIENT_ID}`.
+
+`clientSecret`::
+Enter the configured secret variable name: `$\{GITHUB_CLIENT_SECRET}`.
+
+`disableIdentityResolution`::
+Enter `true`to skip user identity resolution for this provider to enable sign-in from an auxiliary authentication provider.
+Do not enable this setting on the primary authentication provider you plan on using for sign-in and identity management.
+
+.Verification
+
+. Go to the {product-short} login page.
+. Log in with your primary authentication provider account.
+. In the top user menu, go to *Settings* > *Authentication Providers*.
+. In the *GitHub* line, click the *Sign in* button and log in.
+. In the *GitHub* line, the button displays *Sign out*.
+
+.Additional resources
+* {integrating-with-github-book-link}[{integrating-with-github-book-title}]
+

modules/authentication/proc-enabling-user-authentication-with-github.adoc

@@ -8,68 +8,7 @@ Authenticate users with GitHub by provisioning the users and groups from GitHub
 .Prerequisites
 * You {configuring-book-link}[added a custom {product-short} application configuration], and have enough permissions to change it.
 
-* You have enough permissions in GitHub to create and manage a link:https://docs.github.com/en/apps/overview[GitHub App].
-Alternatively, you can ask your GitHub administrator to prepare the required GitHub App.
-
-.Procedure
-. To allow {product-short} to authenticate with GitHub, create a GitHub App.
-Opt for a GitHub App instead of an OAuth app to use fine-grained permissions and use short-lived tokens.
-
-.. link:https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app[Register a GitHub App] with the following configuration:
-
-GitHub App name::
-Enter a unique name identifying your GitHub App, such as `authenticating-with-rhdh-__<GUID>__`.
-
-Homepage URL::
-Enter your {product-short} URL: `pass:c,a,q[{my-product-url}]`.
-
-Authorization callback URL::
-Enter your {product-short} authentication backend URL: `pass:c,a,q[{my-product-url}/api/auth/github/handler/frame]`.
-
-Webhook::
-Clear "Active", as this is not needed for authentication and catalog providers.
-
-Organization permissions::
-Enable `Read-only` access to *Members*.
-
-Where can this GitHub App be installed?::
-Select `Only on this account`.
-
-.. In the *General* -> *Clients secrets* section, click *Generate a new client secret*.
-
-.. In the *Install App* tab, choose an account to install your GitHub App on.
-
-.. Save the following values for the next step:
-
-* **Client ID**
-* **Client secret**
-
-. To add your GitHub credentials to {product-short}, add the following key/value pairs to {configuring-book-link}#provisioning-your-custom-configuration[your {product-short} secrets].
-You can use these secrets in the {product-short} configuration files by using their environment variable name.
-
-`GITHUB_CLIENT_ID`::
-Enter the saved **Client ID**.
-
-`GITHUB_CLIENT_SECRET`::
-Enter the saved **Client Secret**.
-
-`GITHUB_URL`::
-Enter the GitHub host domain: `github.com`.
-
-`GITHUB_ORG`::
-Enter your GitHub organization name, such as `__<your_github_organization_name>__`.
-
-. Enable the GitHub organization provisioning plugin (`backstage-plugin-catalog-backend-module-github-org`).
-This plugin imports GitHub users and groups to the {product-short} software catalog.
-+
-`dynamic-plugins.yaml` file fragment:
-+
-[source,yaml]
-----
-plugins:
-  - package: './dynamic-plugins/dist/backstage-plugin-catalog-backend-module-github-org'
-    disabled: false
-----
+include::snip-enabling-user-authentication-with-github-common-steps.adoc[]
 
 . Provision GitHub users and groups to the {product-short} software catalog by adding the `catalog.providers.githubOrg` section to your custom {product-short} `{my-app-config-file}` configuration file:
 +

modules/authentication/snip-enabling-user-authentication-with-github-common-steps.adoc

@@ -0,0 +1,64 @@
+:_mod-docs-content-type: SNIPPET
+
+* You have enough permissions in GitHub to create and manage a link:https://docs.github.com/en/apps/overview[GitHub App].
+Alternatively, you can ask your GitHub administrator to prepare the required GitHub App.
+
+.Procedure
+. To allow {product-short} to authenticate with GitHub, create a GitHub App.
+Opt for a GitHub App instead of an OAuth app to use fine-grained permissions, use short-lived tokens, scale with the number of installations by avoiding rate limits, and have a more transparent integration by avoiding to request user input.
+
+.. link:https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app[Register a GitHub App] with the following configuration:
+
+GitHub App name::
+Enter a unique name identifying your GitHub App, such as `authenticating-with-rhdh-__<GUID>__`.
+
+Homepage URL::
+Enter your {product-short} URL: `pass:c,a,q[{my-product-url}]`.
+
+Authorization callback URL::
+Enter your {product-short} authentication backend URL: `pass:c,a,q[{my-product-url}/api/auth/github/handler/frame]`.
+
+Webhook::
+Clear "Active", as this is not needed for authentication and catalog providers.
+
+Organization permissions::
+Enable `Read-only` access to *Members*.
+
+Where can this GitHub App be installed?::
+Select `Only on this account`.
+
+.. In the *General* -> *Clients secrets* section, click *Generate a new client secret*.
+
+.. In the *Install App* tab, choose an account to install your GitHub App on.
+
+.. Save the following values for the next step:
+
+* **Client ID**
+* **Client secret**
+
+. To add your GitHub credentials to {product-short}, add the following key/value pairs to {configuring-book-link}#provisioning-your-custom-configuration[your {product-short} secrets].
+You can use these secrets in the {product-short} configuration files by using their environment variable name.
+
+`GITHUB_CLIENT_ID`::
+Enter the saved **Client ID**.
+
+`GITHUB_CLIENT_SECRET`::
+Enter the saved **Client Secret**.
+
+`GITHUB_URL`::
+Enter the GitHub host domain: `github.com`.
+
+`GITHUB_ORG`::
+Enter your GitHub organization name, such as `__<your_github_organization_name>__`.
+
+. Enable the GitHub organization provisioning plugin (`backstage-plugin-catalog-backend-module-github-org`).
+This plugin imports GitHub users and groups to the {product-short} software catalog.
++
+`dynamic-plugins.yaml` file fragment:
++
+[source,yaml]
+----
+plugins:
+  - package: './dynamic-plugins/dist/backstage-plugin-catalog-backend-module-github-org'
+    disabled: false
+----

modules/integrating-with-github/proc-enabling-github-repository-discovery.adoc

@@ -11,6 +11,8 @@ If a repository contains a `catalog-info.yaml` file, {product-short} ingests the
 
 * You have sufficient permissions in GitHub to create and manage a link:https://docs.github.com/en/apps/overview[GitHub App].
 
+* To allow users to access GitHub templates or plugins that require GitHub authentication, you have configured GitHub either {authentication-book-link}#enabling-user-authentication-with-github-as-an-auxiliary-authentication-provider[as an auxiliary authentication provider] or {authentication-book-link}#enabling-user-authentication-with-github[as your main authentication provider].
+
 .Procedure
 . To allow {product-short} to access the GitHub API, create a GitHub App.
 Opt for a GitHub App instead of an OAuth app to use fine-grained permissions, gain more control over which repositories the application can access, and use short-lived tokens.