Commit e723f0f

committed
manual cherrypick of update RHBK config docs with security consideration
Signed-off-by: Jessica He <[email protected]>
1 parent 98e753a commit e723f0f

File tree

2 files changed

+17
-5
lines changed

modules/authentication/proc-enabling-authentication-with-rhsso.adoc

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -23,11 +23,6 @@ Save the value for the next step:
2323
* **Client ID**
2424
* **Client Secret**
2525

26-
.. Configure your {rhsso} realm for performance and security:
27-
... Navigate to the **Configure** > **Realm Settings**.
28-
... Set the **Access Token Lifespan** to a value greater than five minutes (preferably 10 or 15 minutes) to prevent performance issues from frequent refresh token requests for every API call.
29-
... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy.
30-
3126
.. To prepare for the verification steps, in the same realm, get the credential information for an existing user or link:https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.6/html-single/getting_started_guide/index#create-user_[create a user]. Save the user credential information for the verification steps.
3227

3328
. To add your {rhsso} credentials to your {product-short} secrets, edit your {product-short} secrets, such as `secrets-rhdh`, and add the following key/value pairs:
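Review bot: the Access Token Lifespan guidance disappears from this procedure: the removed `...` step ("Set the **Access Token Lifespan** to a value greater than five minutes ...") is not re-added anywhere in this file, only the Revoke Refresh Token step comes back in the new .Security consideration block further down, and the lifespan recommendation now lives solely in the release-notes known issue. Suggest keeping a one-line pointer at this position, for example an `xref:` to the RHIDP-4695 known issue, so a reader following the authentication procedure still learns that a lifespan above five minutes is needed to avoid the frequent refresh token requests described elsewhere in this commit.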
@@ -182,6 +177,13 @@ auth:
182177

183178
--
184179

180+
.Security consideration
181+
If multiple valid refresh tokens are issued due to frequent refresh token requests, older tokens will remain valid until they expire. To enhance security and prevent potential misuse of older tokens, enable a refresh token rotation strategy in your {rhbk} realm.
182+
183+
. From the *Configure* section of the navigation menu, click *Realm Settings*.
184+
. From the *Realm Settings* page, click the *Tokens* tab.
185+
. From the *Refresh tokens* section of the *Tokens* tab, toggle the *Revoke Refresh Token* to the *Enabled* position.
186+
185187
.Verification
186188
. Go to the {product-short} login page.
187189
. Your {product-short} sign-in page displays *Sign in using OIDC* and the Guest user sign-in is disabled.
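Review bot: the new .Security consideration paragraph says older refresh tokens "remain valid until they expire" but does not mention that the frequent refresh requests causing the duplication come from the default 5-minute access token lifespan, the setting this same commit removes from the procedure above and moves to the release notes. Consider adding the lifespan recommendation (or a cross-reference to the RHIDP-4695 known issue) next to these steps, since enabling *Revoke Refresh Token* alone limits the lifetime of superseded tokens but does not remove the cause of the frequent refreshes.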

modules/release-notes/ref-release-notes-known-issues.adoc

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,5 +31,15 @@ Permissions associated only with front-end plugins do not appear in the UI becau
3131
.Additional resources
3232
* link:https://issues.redhat.com/browse/RHIDP-3396[RHIDP-3396]
3333

34+
[id="known-issue-rhidp-4695"]
35+
== [Doc] OIDC refresh token behavior
36+
37+
When using {rhsso-brand-name} or {rhbk-brand-name} as an OIDC provider, the default access token lifespan is set to 5 minutes, which corresponds to the token refresh grace period set in {product-short}. This 5-minute grace period is the threshold used to trigger a new refresh token call. Since the token is always near expiration, frequent refresh token requests will cause performance issues.
38+
39+
This issue will be resolved in the 1.5 release. To prevent the performance issues, increase the lifespan in the {rhsso-brand-name} or {rhbk-brand-name} server by setting *Configure &gt; Realm Settings &gt; Access Token Lifespan* to a value greater than five minutes (preferably 10 or 15 minutes).
40+
41+
42+
.Additional resources
43+
* link:https://issues.redhat.com/browse/RHIDP-4695[RHIDP-4695]
3444

3545
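Review bot: `&gt;` in `*Configure &gt; Realm Settings &gt; Access Token Lifespan*` should be a plain `>` to match the `**Configure** > **Realm Settings**` wording used in the authentication module (ignore if this is only the commit page escaping the character). Also, this known issue recommends only raising the access token lifespan, while the new security consideration in proc-enabling-authentication-with-rhsso.adoc recommends only refresh token rotation; both address the same frequent-refresh behaviour and should cross-reference each other so a reader sees both the performance fix and the token-rotation hardening. Minor: two blank lines precede `.Additional resources` where one is enough.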
