2 changes: 1 addition & 1 deletion docs/documentation/server_admin/topics/account.adoc
Expand Up @@ -7,7 +7,7 @@
[role="_additional-resources"]
.Additional resources

* The Account Console can be configured in terms of appearance and language preferences. An example is adding attributes to the *Personal info* page by clicking *Personal info* link and completing and saving details. For more information, see reference:{developerguide_link}[{developerguide_name}].
* The Account Console can be configured in terms of appearance and language preferences. An example is adding attributes to the *Personal info* page by clicking *Personal info* link and completing and saving details. For more information, see {developerguide_link}[{developerguide_name}].

=== Accessing the Account Console

18 changes: 9 additions & 9 deletions docs/documentation/server_admin/topics/admin-cli.adoc
Expand Up @@ -948,7 +948,7 @@ Use the client ID to construct an endpoint URI, such as `clients/ID/client-secre
For example:
[options="nowrap"]
----
$ kcadm.sh get clients/$CID/client-secret
$ kcadm.sh get clients/$CID/client-secret -r demorealm
----

[discrete]
Expand All @@ -959,7 +959,7 @@ Use the client ID to construct an endpoint URI, such as `clients/ID/client-secre
For example:
[options="nowrap"]
----
$ kcadm.sh create clients/$CID/client-secret
$ kcadm.sh create clients/$CID/client-secret -r demorealm
----

[discrete]
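Review bot: `create clients/$CID/client-secret` does not just "create" a secret, it replaces the one the `get` example above just displayed, and the old value stops being accepted. A one-line warning next to this example (that the call rotates the credential and every deployment of the client must be updated with the new value) would prevent an accidental outage for readers who run the two snippets in sequence.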
Expand All @@ -970,7 +970,7 @@ Use the client ID to construct an endpoint URI, such as `clients/ID`.
For example:
[options="nowrap"]
----
$ kcadm.sh update clients/$CID -s "secret=newSecret"
$ kcadm.sh update clients/$CID -s "secret=newSecret" -r demorealm
----

[discrete]
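Review bot: `-s "secret=newSecret"` places the client secret on the command line, where it ends up in shell history and is readable by other local users through the process list. Keep the `-r demorealm` change, but add a note recommending that real secrets be supplied in a JSON body via `-f FILE` (or `-f -` to read the body from standard input) rather than as a literal argument.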
Expand Down Expand Up @@ -1272,7 +1272,7 @@ For example:
+
[options="nowrap"]
----
$kcadm get users/6da5ab89-3397-4205-afaa-e201ff638f9e/sessions
$ kcadm.sh get users/6da5ab89-3397-4205-afaa-e201ff638f9e/sessions -r demorealm
----

[discrete]
Expand All @@ -1286,7 +1286,7 @@ For example:
+
[options="nowrap"]
----
$ kcadm.sh delete sessions/d0eaa7cc-8c5d-489d-811a-69d3c4ec84d1
$ kcadm.sh delete sessions/d0eaa7cc-8c5d-489d-811a-69d3c4ec84d1 -r demorealm
----

[discrete]
Expand Down Expand Up @@ -1919,7 +1919,7 @@ $ kcadm.sh get authentication/flows/Copy%20of%20browser/executions -r demorealm
For example:
[options="nowrap"]
----
$ kcadm create "authentication/executions/a3147129-c402-4760-86d9-3f2345e401c7/config" -r examplerealm -b '{"config":{"x509-cert-auth.mapping-source-selection":"Match SubjectDN using regular expression","x509-cert-auth.regular-expression":"(.*?)(?:$)","x509-cert-auth.mapper-selection":"Custom Attribute Mapper","x509-cert-auth.mapper-selection.user-attribute-name":"usercertificate","x509-cert-auth.crl-checking-enabled":"","x509-cert-auth.crldp-checking-enabled":false,"x509-cert-auth.crl-relative-path":"crl.pem","x509-cert-auth.ocsp-checking-enabled":"","x509-cert-auth.ocsp-responder-uri":"","x509-cert-auth.keyusage":"","x509-cert-auth.extendedkeyusage":"","x509-cert-auth.confirmation-page-disallowed":""},"alias":"my_otp_config"}'
$ kcadm.sh create "authentication/executions/a3147129-c402-4760-86d9-3f2345e401c7/config" -r demorealm -b '{"config":{"x509-cert-auth.mapping-source-selection":"Match SubjectDN using regular expression","x509-cert-auth.regular-expression":"(.*?)(?:$)","x509-cert-auth.mapper-selection":"Custom Attribute Mapper","x509-cert-auth.mapper-selection.user-attribute-name":"usercertificate","x509-cert-auth.crl-checking-enabled":"","x509-cert-auth.crldp-checking-enabled":false,"x509-cert-auth.crl-relative-path":"crl.pem","x509-cert-auth.ocsp-checking-enabled":"","x509-cert-auth.ocsp-responder-uri":"","x509-cert-auth.keyusage":"","x509-cert-auth.extendedkeyusage":"","x509-cert-auth.confirmation-page-disallowed":""},"alias":"my_otp_config"}'
----


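Review bot: the example body is internally inconsistent: `"x509-cert-auth.crldp-checking-enabled":false` is a bare boolean while every other flag is a string (`""` here, `"false"` in the update example further down), and the alias `my_otp_config` does not describe an X.509 authenticator configuration. More importantly, the sample leaves `x509-cert-auth.crl-checking-enabled` and `x509-cert-auth.ocsp-checking-enabled` as `""`, i.e. no revocation checking at all; the text should state that these are placeholder values and not a recommended production setting, or enable one of the two checks in the example.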
Expand All @@ -1933,7 +1933,7 @@ $ kcadm create "authentication/executions/a3147129-c402-4760-86d9-3f2345e401c7/c
For example:
[options="nowrap"]
----
$ kcadm get "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r examplerealm
$ kcadm get "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r demorealm
----


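Review bot: this line still invokes `kcadm` without the `.sh` suffix, while the preceding create example on the same page was changed to `kcadm.sh`; the `get`, `update` and `delete` examples for `authentication/config/ID` in this file all have the same problem and will fail when copied as written. Fix all three in this PR, since the realm name is already being edited on each of them.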
Expand All @@ -1948,7 +1948,7 @@ $ kcadm get "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r exam
For example:
[options="nowrap"]
----
$ kcadm update "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r examplerealm -b '{"id":"dd91611a-d25c-421a-87e2-227c18421833","alias":"my_otp_config","config":{"x509-cert-auth.extendedkeyusage":"","x509-cert-auth.mapper-selection.user-attribute-name":"usercertificate","x509-cert-auth.ocsp-responder-uri":"","x509-cert-auth.regular-expression":"(.*?)(?:$)","x509-cert-auth.crl-checking-enabled":"true","x509-cert-auth.confirmation-page-disallowed":"","x509-cert-auth.keyusage":"","x509-cert-auth.mapper-selection":"Custom Attribute Mapper","x509-cert-auth.crl-relative-path":"crl.pem","x509-cert-auth.crldp-checking-enabled":"false","x509-cert-auth.mapping-source-selection":"Match SubjectDN using regular expression","x509-cert-auth.ocsp-checking-enabled":""}}'
$ kcadm update "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r demorealm -b '{"id":"dd91611a-d25c-421a-87e2-227c18421833","alias":"my_otp_config","config":{"x509-cert-auth.extendedkeyusage":"","x509-cert-auth.mapper-selection.user-attribute-name":"usercertificate","x509-cert-auth.ocsp-responder-uri":"","x509-cert-auth.regular-expression":"(.*?)(?:$)","x509-cert-auth.crl-checking-enabled":"true","x509-cert-auth.confirmation-page-disallowed":"","x509-cert-auth.keyusage":"","x509-cert-auth.mapper-selection":"Custom Attribute Mapper","x509-cert-auth.crl-relative-path":"crl.pem","x509-cert-auth.crldp-checking-enabled":"false","x509-cert-auth.mapping-source-selection":"Match SubjectDN using regular expression","x509-cert-auth.ocsp-checking-enabled":""}}'
----


Expand All @@ -1963,5 +1963,5 @@ $ kcadm update "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r e
For example:
[options="nowrap"]
----
$ kcadm delete "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r examplerealm
$ kcadm delete "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r demorealm
----
16 changes: 7 additions & 9 deletions docs/documentation/server_admin/topics/authentication/flows.adoc
Expand Up @@ -85,17 +85,17 @@ You can copy and then modify an existing flow. Click the "Action list" (the thre

When creating a new flow, you must create a top-level flow first with the following options:

Alias::
Name::
The name of the flow.
Description::
The description you can set to the flow.
Top-Level Flow Type::
The type of flow. The type *client* is used only for the authentication of clients (applications). For all other cases, choose *generic*.
The type of flow. The type *client* is used only for the authentication of clients (applications). For all other cases, choose *basic*.

.Create a top-level flow
image:images/Create-top-level-flow.png[Top Level Flow]

When {project_name} has created the flow, {project_name} displays the *Add step*, and *Add flow* buttons.
When {project_name} has created the flow, {project_name} displays the *Add step*, and *Add sub-flow* buttons.

.An empty new flow
image:images/New-flow.png[New Flow]
Expand All @@ -106,24 +106,23 @@ Three factors determine the behavior of flows and sub-flows.
* The executions within the flows
* The requirements set within the sub-flows and the executions.

Executions have a wide variety of actions, from sending a reset email to validating an OTP. Add executions with the *Add step* button. Hover over the question mark next to *Provider*, to see a description of the execution.
Executions have a wide variety of actions, from sending a reset email to validating an OTP. Add executions with the *Add step* button.

.Adding an authentication execution
image:images/Create-authentication-execution.png[Adding an Authentication Execution]

Two types of executions exist, _automatic executions_ and _interactive executions_. _Automatic executions_ are similar to the *Cookie* execution and will automatically
perform their action in the flow. _Interactive executions_ halt the flow to get input. Executions executing successfully set their status to _success_. For a flow to complete, it needs at least one execution with a status of _success_.

You can add sub-flows to top-level flows with the *Add flow* button. The *Add flow* button displays the *Create Execution Flow* page. This page is similar to the *Create Top Level Form* page. The difference is that the *Flow Type* can be *generic* (default) or *form*. The *form* type constructs a sub-flow that generates a form for the user, similar to the built-in *Registration* flow.
You can add sub-flows to top-level flows with the *Add sub-flow* button. The *Add sub-flow* button displays the *Create Execution Flow* page. This page is similar to the *Create Top Level Form* page. The difference is that the *Flow Type* can be *basic* (default) or *form*. The *form* type constructs a sub-flow that generates a form for the user, similar to the built-in *Registration* flow.
Sub-flows success depends on how their executions evaluate, including their contained sub-flows. See the <<_execution-requirements, execution requirements section>> for an in-depth explanation of how sub-flows work.

[NOTE]
====
After adding an execution, check the requirement has the correct value.
====

All elements in a flow have a *Delete* option in the *Actions* menu. This action removes the element from the flow.
Executions have a *⚙️* menu item (the gear icon) to configure the execution. It is also possible to add executions and sub-flows to sub-flows with the *Add step* and *Add flow* links.
All elements in a flow have a *Delete* option next to the element. Some executions have a *⚙️* menu item (the gear icon) to configure the execution. It is also possible to add executions and sub-flows to sub-flows with the *Add step* and *Add sub-flow* links.

Since the order of execution is important, you can move executions and sub-flows up and down by dragging their names.

Expand Down Expand Up @@ -181,7 +180,7 @@ At this stage, the form requires a username but no password. We must enable pass
. Select *Required* for the *Authentication* authentication type to set its requirement to required.
. Click *+* menu of the *Authentication* sub-flow.
. Click *Add step*.
. Select *Webauthn Passwordless Authenticator* from the list.
. Select *WebAuthn Passwordless Authenticator* from the list.
. Click *Add*.
. Select *Alternative* for the *Webauthn Passwordless Authenticator* authentication type to set its requirement to alternative.
. Click *+* menu of the *Authentication* sub-flow.
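Review bot: *WebAuthn* is corrected in the "Select" step, but the very next step still says "Select *Alternative* for the *Webauthn Passwordless Authenticator* authentication type"; both steps name the same list entry and should use the same spelling, so fix the second occurrence in this hunk as well.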
Expand Down Expand Up @@ -262,7 +261,6 @@ Now you configure the flow for the first authentication level.
. Select *Conditional - Level Of Authentication* from the list.
. Click *Add*.
. Click *Required* for the *Conditional - Level Of Authentication* authentication type to set its requirement to required.
. Click *+* menu of the *Conditional - Level Of Authentication*.
. Click *⚙️* (gear icon).
. Enter `Level 1` as an alias.
. Enter `1` for the Level of Authentication (LoA).
@@ -1,9 +1,15 @@

=== One Time Password (OTP) policies

{project_name} has several policies for setting up a FreeOTP or Google Authenticator One-Time Password generator. Click the *Authentication* menu and click the *OTP Policy* tab.
{project_name} has several policies for setting up a FreeOTP or Google Authenticator One-Time Password generator.

.Otp policy
.Procedure

. Click *Authentication* in the menu.
. Click the *Policy* tab.
. Click the *OTP Policy* tab.

.Otp Policy
image:images/otp-policy.png[OTP Policy]

{project_name} generates a QR code on the OTP set-up page, based on information configured in the *OTP Policy* tab. FreeOTP and Google Authenticator scan the QR code when configuring OTP.
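Review bot: the new procedure correctly splits the navigation into *Authentication*, *Policy*, *OTP Policy*, but the figure caption it introduces is still "Otp Policy"; capitalize it as *OTP Policy* so the caption matches the tab name used in the step directly above it.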
Expand Up @@ -59,7 +59,6 @@ Users can log in with WebAuthn if they have a WebAuthn credential registered onl
. Click *+* menu of the *WebAuthn Browser Forms* row.
. Click *Add sub-flow*.
. Enter "Conditional 2FA" for the _name_ field.
. On the *WebAuthn Browser Forms* row, click the plus sign + and select *Add step*.
. Select *Conditional* for the *Conditional 2FA* to set its requirement to conditional.
. On the *Conditional 2FA* row, click the plus sign + and select *Add condition*.
. Click *Add condition*.
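Review bot: the duplicated *Add step* line is removed, but the same duplication survives two lines later: "click the plus sign + and select *Add condition*" is immediately followed by "Click *Add condition*". The next hunk in this file removes exactly this pattern for *Add step*, so the trailing "Click *Add condition*." step should be dropped here for consistency.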
Expand All @@ -75,7 +74,6 @@ The user can choose between using WebAuthn and OTP for the second factor:

.Procedure
. On the *Conditional 2FA* row, click the plus sign + and select *Add step*.
. Click *Add step*.
. Select *OTP Form* from the list.
. Click *Add*.
. Select *Alternative* for the *OTP Form* to set its requirement to alternative.
Expand Up @@ -8,7 +8,7 @@ If your system is compromised, you can revoke all active sessions and access tok

.Procedure
. Click *Sessions* in the menu.
. From the *Actions* list, select *Sign out all active sessions*.
. From the *Actions* list, select *Revocation*.
+
.Revocation
image:images/revocation.png[Revocation]
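Review bot: the renamed step now ends the procedure at "select *Revocation*", which only opens the revocation panel; the reader is never told which control to use there, so the intro's promise that they can "revoke all active sessions and access tokens" is not fulfilled by the steps as written. Add the step that performs the revocation after the panel opens, since that is the action with the security effect.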
Expand Up @@ -18,7 +18,5 @@ Alternatively, you can send an email to the user that requests the user reset th
. Select a user.
. Click the *Credentials* tab.
. Click *Credential Reset*.
. Select *Configure OTP*.
. Navigate to the *Reset Actions* list.
. Click *Configure OTP*.
. Set *Reset Actions* to *Configure OTP*.
. Click *Send Email*. The sent email contains a link that directs the user to the *OTP setup page*.
Expand Up @@ -11,7 +11,6 @@ You can delete a user, who no longer needs access to applications. If a user is
.Procedure
. Click *Users* in the menu. The *Users* page is displayed.
. Click *View all users* to find a user to delete.
. Click *Users* in the menu. The *Users* page is displayed.
+
NOTE: Alternatively, you can use the search bar to find a user.
+
Expand Up @@ -12,6 +12,5 @@ Enable users to self-register.
. Click *Realm Settings* in the main menu.
. Click the *Login* tab.
. Toggle *User Registration* to *ON*.
. Click *Save*.

After you enable this setting, a *Register* link displays on the login page of the Admin Console.
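Review bot: removing "Click *Save*" is only correct if the *User Registration* toggle on the *Login* tab takes effect without a save; if it still needs one, the step has to stay. Separately, the closing sentence says the *Register* link appears "on the login page of the Admin Console"; self-registration is a realm login-page feature, so "on the realm's login page" is the accurate wording. Since this setting lets anyone who can reach the login page create an account, this is also the place to point readers at email verification or other registration protections.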
Expand Up @@ -18,4 +18,4 @@ image:images/registration-form.png[]
. Click the *Register* link on the login page. The registration page is displayed.
. Enter the user profile information.
. Enter the new password.
. Click *Save*.
. Click *Register*.
Expand Up @@ -16,7 +16,8 @@ image:images/registration-form-with-required-tac.png[]
* Terms and conditions required action is enabled.

.Procedure
. Click the *Flows* tab.
. Click *Authentication* in the menu.
Click the *Flows* tab.
. Click the *registration* flow.
. Select *Required* on the *Terms and Conditions* row.
+
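Review bot: the inserted "Click the *Flows* tab." line is missing the leading `. ` list marker, so in AsciiDoc it renders as a continuation of the "Click *Authentication* in the menu." item rather than as its own step; add the marker so the procedure keeps one action per step.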
Expand Up @@ -18,9 +18,17 @@ If a user already has a password, it can be reset in the *Reset Password* sectio
. Click *Set Password*.
+
NOTE: If *Temporary* is *ON*, the user must change the password at the first login. To allow users to keep the password supplied, set *Temporary* to *OFF.* The user must click *Set Password* to change the password.
+
. Alternatively, you can send an email to the user that requests the user reset the password.
.. Click *Credential Reset*.
.. Select *Update Password* from the list.
.. Click *Send Email*. The sent email contains a link that directs the user to the *Update Password* window.
.. Optionally, you can set the validity of the email link. This is set to the default preset in the *Tokens* tab in *Realm Settings*.

= Requesting a user reset a password

You can also request that the user reset the password.

.Procedure

. Click *Users* in the menu. The *Users* page is displayed.
. Select a user.
. Click the *Credentials* tab.
. Click *Credential Reset*.
. Select *Update Password* from the list.
. Click *Send Email*. The sent email contains a link that directs the user to the *Update Password* window.
. Optionally, you can set the validity of the email link. This is set to the default preset in the *Tokens* tab in *Realm Settings*.
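Review bot: the new heading uses a single `=`, which is the document-title level in AsciiDoc, while the rest of this file uses `===` section headings; as written it breaks the section hierarchy of the generated guide and should be `===`. The title itself should read "Requesting that a user reset a password" (or simply "Requesting a password reset"), and the last step's "the default preset in the *Tokens* tab" would be clearer as "the default configured in the *Tokens* tab of *Realm Settings*".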