wip: texas out of beta

Co-Authored-By: Sindre Rødseth Hansen <[email protected]>

Author: tronghn

docs/auth/entra-id/how-to/consume-m2m.md

@@ -25,75 +25,15 @@ spec:
 
 Depending on how you communicate with the API you're consuming, [configure the appropriate outbound access policies](../../../workloads/how-to/access-policies.md#outbound-access).
 
-{%- if tenant() == "nav" %}
-???+ warning "Use webproxy for outbound network connectivity from on-premises environments"
-
-    If you're on-premises, you must enable and use [`webproxy`](../../../workloads/application/reference/application-spec.md#webproxy) to access Entra ID.
-
-{%- endif %}
-
 ## Acquire token
 
 Now you can request a new token for the API that you want to consume.
 
-To acquire a token, you can either:
-
-- [acquire tokens with Texas](#acquire-tokens-with-texas), or
-- [acquire tokens manually](#acquire-tokens-manually) in your application
-
-### Acquire tokens with Texas
-
 {% set identity_provider = 'azuread' %}
 {% set target = 'api://<cluster>.<namespace>.<other-api-app-name>/.default' %}
 {% set target_description = 'The intended _audience_ (target API or recipient) of the new token.' %}
 {% include 'auth/partials/token.md' %}
 
-### Acquire tokens manually
-
-The token request is an HTTP POST request.
-It must have the `Content-Type` header set to `application/x-www-form-urlencoded`.
-
-The body of the request should contain the following parameters:
-
-| Parameter       | Example Value                                               | Description                                                                                                     |
-|:----------------|:------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------|
-| `client_id`     | `60dea49a-255b-48b5-b0c0-0974ac1c0b53`                      | Client identifier for your application. Set to the [`AZURE_APP_CLIENT_ID` environment variable][variables-ref]. |
-| `client_secret` | `<some-secret>`                                             | Client secret for your application. Set to the [`AZURE_APP_CLIENT_SECRET` environment variable][variables-ref]. |
-| `grant_type`    | `client_credentials`                                        | Always `client_credentials`.                                                                                    |
-| `scope`         | `api://<cluster>.<namespace>.<other-api-app-name>/.default` | The intended _audience_ (target API or recipient) of the new token.                                             |
-
-[variables-ref]: ../reference/README.md#variables-for-acquiring-tokens
-
-Send the request to the `token_endpoint`, i.e. the URL found in the [`AZURE_OPENID_CONFIG_TOKEN_ENDPOINT`][variables-ref] environment variable:
-
-```http title="Token request"
-POST ${AZURE_OPENID_CONFIG_TOKEN_ENDPOINT} HTTP/1.1
-Content-Type: application/x-www-form-urlencoded
-
-client_id=${AZURE_APP_CLIENT_ID]&
-client_secret=${AZURE_APP_CLIENT_SECRET}&
-grant_type=client_credentials&
-scope=api://<cluster>.<namespace>.<other-api-app-name>/.default
-```
-
-```json title="Successful response"
-{
-  "access_token" : "eyJ0eX[...]",
-  "expires_in" : 3599,
-  ...
-}
-```
-
-Your application does not need to validate this token.
-
-!!! tip "Token Caching"
-
-      The `expires_in` field denotes the lifetime of the token in seconds.
-
-      **Cache and reuse the token until it expires** to minimize network latency impact.
-
-      A safe cache key for this flow is `key = $scope`.
-
 ## Consume API
 
 Once you have acquired a new token, you can finally consume the target API by using the token as a [Bearer token](../../explanations/README.md#bearer-token):

docs/auth/entra-id/how-to/consume-obo.md

@@ -19,78 +19,14 @@ This is also known as the _on-behalf-of (OBO)_ flow.
 
 Depending on how you communicate with the API you're consuming, [configure the appropriate outbound access policies](../../../workloads/how-to/access-policies.md#outbound-access).
 
-{%- if tenant() == "nav" %}
-???+ warning "Use webproxy for outbound network connectivity from on-premises environments"
-
-    If you're on-premises, you must enable and use [`webproxy`](../../../workloads/application/reference/application-spec.md#webproxy) to access Entra ID.
-
-{%- endif %}
-
 ## Exchange token
 
-Now you can exchange the employees subject token for a new token targeting the API that you want to consume.
-
-To exchange a token, you can either:
-
-- [exchange tokens with Texas](#exchange-tokens-with-texas), or
-- [exchange tokens manually](#exchange-tokens-manually) in your application
-
-### Exchange tokens with Texas
+Now you can exchange the employee's subject token for a new token, targeting the API that you want to consume.
 
 {% set identity_provider = 'azuread' %}
 {% set target = 'api://<cluster>.<namespace>.<other-api-app-name>/.default' %}
 {% include 'auth/partials/token-exchange.md' %}
 
-### Exchange tokens manually
-
-The token request is an HTTP POST request.
-It must have the `Content-Type` header set to `application/x-www-form-urlencoded`.
-
-The body of the request should contain the following parameters:
-
-| Parameter             | Example Value                                               | Description                                                                                                     |
-|:----------------------|:------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------|
-| `assertion`           | `eyJraWQ...`                                                | The employee's subject token from the inbound request. Token that should be exchanged.                          |
-| `client_id`           | `60dea49a-255b-48b5-b0c0-0974ac1c0b53`                      | Client identifier for your application. Set to the [`AZURE_APP_CLIENT_ID` environment variable][variables-ref]. |
-| `client_secret`       | `<some-secret>`                                             | Client secret for your application. Set to the [`AZURE_APP_CLIENT_SECRET` environment variable][variables-ref]. |
-| `grant_type`          | `urn:ietf:params:oauth:grant-type:jwt-bearer`               | Always `urn:ietf:params:oauth:grant-type:jwt-bearer`.                                                           |
-| `requested_token_use` | `on_behalf_of`                                              | Always `on_behalf_of`.                                                                                          |
-| `scope`               | `api://<cluster>.<namespace>.<other-api-app-name>/.default` | The intended _audience_ (target API or recipient) of the new token.                                             |
-
-[variables-ref]: ../reference/README.md#variables-for-acquiring-tokens
-
-Send the request to the `token_endpoint`, i.e. the URL found in the [`AZURE_OPENID_CONFIG_TOKEN_ENDPOINT`][variables-ref] environment variable:
-
-```http title="Token request"
-POST ${AZURE_OPENID_CONFIG_TOKEN_ENDPOINT} HTTP/1.1
-Content-Type: application/x-www-form-urlencoded
-
-assertion=<subject_token>&
-client_id=${AZURE_APP_CLIENT_ID}&
-client_secret=${AZURE_APP_CLIENT_SECRET}&
-grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&
-requested_token_use=on_behalf_of&
-scope=api://<cluster>.<namespace>.<other-api-app-name>/.default
-```
-
-```json title="Successful response"
-{
-  "access_token" : "eyJ0eX[...]",
-  "expires_in" : 3599,
-  ...
-}
-```
-
-Your application does not need to validate this token.
-
-!!! tip "Token Caching"
-
-      The `expires_in` field denotes the lifetime of the token in seconds.
-
-      **Cache and reuse the token until it expires** to minimize network latency impact.
-
-      A safe cache key for this flow is `key = sha256($subject_token + $scope)`.
-
 ## Consume API
 
 Once you have acquired a new token, you can finally consume the target API by using the token as a [Bearer token](../../explanations/README.md#bearer-token):

docs/auth/entra-id/how-to/secure.md

@@ -7,13 +7,6 @@ conditional: [tenant, nav]
 
 This how-to guides you through the steps required to secure your API using [Entra ID](../README.md):
 
-{%- if tenant() == "nav" %}
-???+ warning "Use webproxy for outbound network connectivity from on-premises environments"
-
-    If you're on-premises, you must enable and use [`webproxy`](../../../workloads/application/reference/application-spec.md#webproxy) to access Entra ID.
-
-{%- endif %}
-
 ## Grant access to consumers
 
 Depending on who your consumers are, you must grant access to either applications, users, or both.
@@ -40,5 +33,3 @@ You will need to validate these tokens in your application.
 Verify incoming requests from consumers by validating the [JWT Bearer token](../../explanations/README.md#bearer-token) in the `Authorization` header.
 
 {% include 'auth/entra-id/partials/validate.md' %}
-
-[variables-ref]: ../reference/README.md#variables-for-validating-tokens

docs/auth/entra-id/partials/validate.md

@@ -1,32 +1,4 @@
 {% set identity_provider = 'azuread' %}
 {% set claims_reference = '../reference/README.md#claims' %}
+{% set token_validation_reference = '../reference/README.md#manual-token-validation' %}
 {% include 'auth/partials/validate.md' %}
-
-To validate the token, start by validating the [signature and standard time-related claims](../../explanations/README.md#token-validation).
-
-Additionally, perform the following validations:
-
-**Issuer Validation**
-
-Validate that the `iss` claim has a value that is equal to either:
-
-1. the `AZURE_OPENID_CONFIG_ISSUER` [environment variable](../reference/README.md#runtime-variables-credentials), or
-2. the `issuer` property from the [metadata discovery document](../../explanations/README.md#well-known-url-metadata-document).
-   The document is found at the endpoint pointed to by the `AZURE_APP_WELL_KNOWN_URL` environment variable.
-
-**Audience Validation**
-
-Validate that the `aud` claim is equal to the `AZURE_APP_CLIENT_ID` environment variable.
-
-**Signature Validation**
-
-Validate that the token is signed with a public key published at the JWKS endpoint.
-This endpoint URI can be found in one of two ways:
-
-1. the `AZURE_OPENID_CONFIG_JWKS_URI` environment variable, or
-2. the `jwks_uri` property from the metadata discovery document.
-   The document is found at the endpoint pointed to by the `AZURE_APP_WELL_KNOWN_URL` environment variable.
-
-**Claims Validation**
-
-[Other claims](../reference/README.md#claims) may be present in the token. Validation of these claims is optional.

docs/auth/entra-id/reference/README.md

@@ -217,38 +217,46 @@ We only use v2.0 tokens.
     Consumers defined in the [access policy](../how-to/secure.md#applications) are always assigned the default scope named `defaultaccess`.
     You can optionally define and grant them [custom scopes](#custom-scopes).
 
-## Runtime Variables & Credentials
+## Manual Token Validation
+
+{% include 'auth/partials/validate-manually.md' %}
+
+**Issuer Validation**
+
+Validate that the `iss` claim has a value that is equal to either:
 
-Your application will automatically be injected with environment variables at runtime.
+1. the `AZURE_OPENID_CONFIG_ISSUER` environment variable, or
+2. the `issuer` property from the [metadata discovery document](../../explanations/README.md#well-known-url-metadata-document).
+   The document is found at the endpoint pointed to by the `AZURE_APP_WELL_KNOWN_URL` environment variable.
 
-### Variables for acquiring tokens
+**Audience Validation**
 
-These variables are used to:
+Validate that the `aud` claim is equal to the `AZURE_APP_CLIENT_ID` environment variable.
 
-- [:dart: consume an API as an application](../how-to/consume-m2m.md) and
-- [:dart: consume an API on behalf of an employee](../how-to/consume-obo.md)
+**Signature Validation**
 
-| Name                                 | Description                                                                                                              |
-|:-------------------------------------|:-------------------------------------------------------------------------------------------------------------------------|
-| `AZURE_APP_CLIENT_ID`                | [Client ID](../../explanations/README.md#client-id) that uniquely identifies the application in Entra ID.                |
-| `AZURE_APP_CLIENT_SECRET`            | [Client secret](../../explanations/README.md#client-secret) for the application in Entra ID.                             |
-| `AZURE_APP_WELL_KNOWN_URL`           | The well-known URL for the [metadata discovery document](../../explanations/README.md#well-known-url-metadata-document). |
-| `AZURE_OPENID_CONFIG_TOKEN_ENDPOINT` | `token_endpoint` from the [metadata discovery document](../../explanations/README.md#token-endpoint).                    |
+Validate that the token is signed with a public key published at the JWKS endpoint.
+This endpoint URI can be found in one of two ways:
 
-`AZURE_APP_WELL_KNOWN_URL` is optional if you're using `AZURE_OPENID_CONFIG_TOKEN_ENDPOINT` directly.
+1. the `AZURE_OPENID_CONFIG_JWKS_URI` environment variable, or
+2. the `jwks_uri` property from the metadata discovery document.
+   The document is found at the endpoint pointed to by the `AZURE_APP_WELL_KNOWN_URL` environment variable.
 
-### Variables for validating tokens
+**Claims Validation**
+
+[Other claims](../reference/README.md#claims) may be present in the token. Validation of these claims is optional.
+
+## Runtime Variables & Credentials
 
-These variables are used to [:dart: secure your API](../how-to/secure.md):
+Your application will automatically be injected with the following environment variables at runtime.
 
-| Name                           | Description                                                                                                              |
-|:-------------------------------|:-------------------------------------------------------------------------------------------------------------------------|
-| `AZURE_APP_CLIENT_ID`          | [Client ID](../explanations/README.md#client-id) that uniquely identifies the application in Entra ID.                   |
-| `AZURE_APP_WELL_KNOWN_URL`     | The well-known URL for the [metadata discovery document](../../explanations/README.md#well-known-url-metadata-document). |
-| `AZURE_OPENID_CONFIG_ISSUER`   | `issuer` from the [metadata discovery document](../../explanations/README.md#issuer).                                    |
-| `AZURE_OPENID_CONFIG_JWKS_URI` | `jwks_uri` from the [metadata discovery document](../../explanations/README.md#jwks-endpoint-public-keys).               |
+| Environment Variable                | Description                                                                                             |
+|-------------------------------------|---------------------------------------------------------------------------------------------------------|
+| `NAIS_TOKEN_ENDPOINT`               | Used to [:dart: consume an API as an application](../how-to/consume-m2m.md).                            |
+| `NAIS_TOKEN_EXCHANGE_ENDPOINT`      | Used to [:dart: consume an API on behalf of an employee](../how-to/consume-obo.md).                     |
+| `NAIS_TOKEN_INTROSPECTION_ENDPOINT` | Used to [:dart: secure your API](../how-to/secure.md) or [:dart: log in employees](../how-to/login.md). |
 
-`AZURE_APP_WELL_KNOWN_URL` is optional if you're using `AZURE_OPENID_CONFIG_ISSUER` and `AZURE_OPENID_CONFIG_JWKS_URI` directly.
+For further details about these endpoints, see the [OpenAPI specification](../../reference/README.md#openapi-specification).
 
 ## Spec
 

docs/auth/explanations/README.md

@@ -192,14 +192,6 @@ Unless specified otherwise, all clients we use are confidential clients.
 A client ID is a unique identifier associated with your client for a given identity provider. The value of the
 identifier is generally not considered to be confidential.
 
-The client ID for your client is injected at runtime as an environment variable.
-See the respective identity provider page for details:
-
-- [Entra ID](../entra-id/reference/README.md#runtime-variables-credentials)
-- [ID-porten](../idporten/reference/README.md#runtime-variables-credentials)
-- [Maskinporten](../maskinporten/reference/README.md#runtime-variables-credentials)
-- [TokenX](../tokenx/reference/README.md#runtime-variables-credentials)
-
 #### Client Authentication
 
 A confidential client must authenticate itself to the identity provider.
@@ -426,8 +418,6 @@ Validation should always be performed before granting access to any [resource se
 Use well-known and widely used libraries and frameworks that take care of most
 of the heavy lifting for you.
 
-See [libraries and frameworks](../reference/README.md#libraries-and-frameworks-for-validating-and-acquiring-tokens) for a non-comprehensive list.
-
 #### Signature Validation
 
 A JWT usually contains the `kid` (key ID) claim in the token's [header](#header) to indicate which key was used to sign
@@ -467,7 +457,7 @@ Most libraries will have implementations to automatically validate these de fact
 
 See the individual identity provider pages for specific validation related to each provider:
 
-- [Entra ID](../entra-id/how-to/secure.md#validate-tokens)
+- [Entra ID](../entra-id/reference/README.md#manual-token-validation)
 - [ID-porten](../idporten/how-to/login.md#validate-token-in-authorization-header)
 - [Maskinporten](../maskinporten/how-to/secure.md#validate-tokens)
 - [TokenX](../tokenx/how-to/secure.md#validate-tokens)
@@ -706,40 +696,23 @@ Texas runs as a sidecar together with your application and offers HTTP endpoints
 - exchanging user tokens into on-behalf-of tokens
 - token validation with introspection
 
-???+ warning "Texas is currently in opt-in public beta"
-
-    To enable Texas for your application, set the `texas.nais.io/enabled: "true"` annotation on your `Application`:
-
-    ```yaml title="app.yaml" hl_lines="5"
-    apiVersion: "nais.io/v1alpha1"
-    kind: "Application"
-    metadata:
-      annotations:
-        texas.nais.io/enabled: "true"
-    ```
-
-    Texas is in beta as we gather feedback and test it in production environments.
-    We do not plan to make any breaking API changes.
-
-    Visit the `#texas` channel on Slack for updates, questions and feedback.
-
 All available [identity providers](#identity-provider) are supported:
 
 [Entra ID](../entra-id/README.md)
-:   - [:dart: Get a machine-to-machine token](../entra-id/how-to/consume-m2m.md#acquire-tokens-with-texas)
-    - [:dart: Exchange an on-behalf-of token](../entra-id/how-to/consume-obo.md#exchange-tokens-with-texas)
-    - [:dart: Validate token](../entra-id/how-to/secure.md#validate-with-texas)
+:   - [:dart: Get a machine-to-machine token](../entra-id/how-to/consume-m2m.md#acquire-token)
+    - [:dart: Exchange an on-behalf-of token](../entra-id/how-to/consume-obo.md#exchange-token)
+    - [:dart: Validate token](../entra-id/how-to/secure.md#validate-tokens)
 
 [ID-porten](../idporten/README.md)
-:   - [:dart: Validate token](../idporten/how-to/login.md#validate-with-texas)
+:   - [:dart: Validate token](../idporten/how-to/login.md#validate-token-in-authorization-header)
 
 [Maskinporten](../maskinporten/README.md)
-:   - [:dart: Get a machine-to-machine token](../maskinporten/how-to/consume.md#acquire-tokens-with-texas)
-    - [:dart: Validate token](../maskinporten/how-to/secure.md#validate-with-texas) 
+:   - [:dart: Get a machine-to-machine token](../maskinporten/how-to/consume.md#acquire-token)
+    - [:dart: Validate token](../maskinporten/how-to/secure.md#validate-tokens) 
 
 [TokenX](../tokenx/README.md)
-:   - [:dart: Exchange an on-behalf-of token](../tokenx/how-to/consume.md#exchange-tokens-with-texas) 
-    - [:dart: Validate token](../tokenx/how-to/secure.md#validate-with-texas) 
+:   - [:dart: Exchange an on-behalf-of token](../tokenx/how-to/consume.md#exchange-token) 
+    - [:dart: Validate token](../tokenx/how-to/secure.md#validate-tokens) 
 
 See the [Texas reference](../reference/README.md#texas) for API specifications and available environment variables.