details links

docs/user-guides/anonymous-access.md

@@ -5,11 +5,12 @@ Bypass identity verification or fall back to anonymous access when credentials f
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Identity verification & authentication → <a href="./../features.md#anonymous-access-authenticationanonymous">Anonymous access</a></li>
-    </ul>
   </summary>
 
+  <ul>
+    <li>Identity verification & authentication → <a href="./../features.md#anonymous-access-authenticationanonymous">Anonymous access</a></li>
+  </ul>
+
   For further details about Authorino features in general, check the [docs](./../features.md).
 </details>
 

docs/user-guides/api-key-authentication.md

@@ -5,11 +5,12 @@ Issue API keys stored in Kubernetes `Secret`s for clients to authenticate with y
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-    </ul>
   </summary>
 
+  <ul>
+    <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
+  </ul>
+
   In Authorino, API keys are stored as Kubernetes `Secret`s. Each resource must contain an `api_key` entry with the value of the API key, and labeled to match the selectors specified in `spec.identity.apiKey.selector` of the `AuthConfig`.
 
   API key `Secret`s must also include labels that match the `secretLabelSelector` field of the Authorino instance. See [Resource reconciliation and status update](../architecture.md#resource-reconciliation-and-status-update) for details.

docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md

@@ -5,13 +5,14 @@ Provide Envoy with dynamic metadata about the external authorization process to
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Dynamic response → Response wrappers → <a href="../features.md#envoy-dynamic-metadata">Envoy Dynamic Metadata</a></li>
-      <li>Dynamic response → <a href="../features.md#json-injection-responsesuccessheadersdynamicmetadatajson">JSON injection</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-    </ul>
   </summary>
 
+  <ul>
+    <li>Dynamic response → Response wrappers → <a href="../features.md#envoy-dynamic-metadata">Envoy Dynamic Metadata</a></li>
+    <li>Dynamic response → <a href="../features.md#json-injection-responsesuccessheadersdynamicmetadatajson">JSON injection</a></li>
+    <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
+  </ul>
+
   Dynamic JSON objects built out of static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json) can be wrapped to be returned to the reverse-proxy as Envoy Well Known Dynamic Metadata content. Envoy can use those to inject data returned by the external authorization service into the other filters, such as the rate limiting filter.
 
   Check out as well the user guides about [Injecting data in the request](injecting-data.md) and [Authentication with API keys](api-key-authentication.md).

docs/user-guides/authzed.md

@@ -5,11 +5,11 @@ Permission requests sent to a Google Zanzibar-based [Authzed/SpiceDB](https://au
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Authorization → <a href="../features.md#spicedb-authorizationspicedb">SpiceDB</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-    </ul>
   </summary>
+  <ul>
+    <li>Authorization → <a href="../features.md#spicedb-authorizationspicedb">SpiceDB</a></li>
+    <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
+  </ul>
 </details>
 
 <br/>

docs/user-guides/caching.md

@@ -19,15 +19,15 @@ Cases where one will **NOT** want to enable caching, due to relatively cheap com
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Common feature → <a href="../features.md#common-feature-caching-cache">Caching</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#anonymous-access-authenticationanonymous">Anonymous access</a></li>
-      <li>External auth metadata → <a href="../features.md#http-getget-by-post-metadatahttp">HTTP GET/GET-by-POST</a></li>
-      <li>Authorization → <a href="../features.md#open-policy-agent-opa-rego-policies-authorizationopa">Open Policy Agent (OPA) Rego policies</a></li>
-      <li>Dynamic response → <a href="../features.md#json-injection-responsesuccessheadersdynamicmetadatajson">JSON injection</a></li>
-    </ul>
   </summary>
-
+  <ul>
+    <li>Common feature → <a href="../features.md#common-feature-caching-cache">Caching</a></li>
+    <li>Identity verification & authentication → <a href="../features.md#anonymous-access-authenticationanonymous">Anonymous access</a></li>
+    <li>External auth metadata → <a href="../features.md#http-getget-by-post-metadatahttp">HTTP GET/GET-by-POST</a></li>
+    <li>Authorization → <a href="../features.md#open-policy-agent-opa-rego-policies-authorizationopa">Open Policy Agent (OPA) Rego policies</a></li>
+    <li>Dynamic response → <a href="../features.md#json-injection-responsesuccessheadersdynamicmetadatajson">JSON injection</a></li>
+  </ul>
+
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 

docs/user-guides/deny-with-redirect-to-login.md

@@ -5,13 +5,13 @@ Customize response status code and headers on failed requests to redirect users
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Dynamic response → <a href="../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized">Custom denial status</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
-    </ul>
   </summary>
-
+  <ul>
+    <li>Dynamic response → <a href="../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized">Custom denial status</a></li>
+    <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
+    <li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
+  </ul>
+
   Authorino's default response status codes, messages and headers for unauthenticated (`401`) and unauthorized (`403`) requests can be customized with static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json).
 
   Check out as well the user guides about [HTTP "Basic" Authentication (RFC 7235)](http-basic-authentication.md) and [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md).

docs/user-guides/edge-authentication-architecture-festival-wristbands.md

@@ -13,14 +13,15 @@ As a minimum, EAA allows to simplify authentication between applications and mic
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Dynamic response → <a href="../features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband">Festival Wristband tokens</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#extra-identity-extension-authenticationdefaults-and-authenticationoverrides">Identity extension</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
-    </ul>
   </summary>
 
+  <ul>
+    <li>Dynamic response → <a href="../features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband">Festival Wristband tokens</a></li>
+    <li>Identity verification & authentication → <a href="../features.md#extra-identity-extension-authenticationdefaults-and-authenticationoverrides">Identity extension</a></li>
+    <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
+    <li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
+  </ul>
+
   Festival Wristbands are OpenID Connect ID tokens (signed JWTs) issued by Authorino by the end of the Auth Pipeline, for authorized requests. It can be configured to include claims based on static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json).
 
   Check out as well the user guides about [Token normalization](token-normalization.md), [Authentication with API keys](api-key-authentication.md) and [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md).

docs/user-guides/envoy-jwt-authn-and-authorino.md

@@ -11,14 +11,13 @@ All requests to the Talker API will be authenticated in Envoy. However, requests
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Identity verification & authentication → <a href="../features.md#plain-authenticationplain">Plain</a></li>
-      <li>External auth metadata → <a href="../features.md#http-getget-by-post-metadatahttp">HTTP GET/GET-by-POST</a></li>
-      <li>Authorization → <a href="../features.md#pattern-matching-authorization-authorizationpatternmatching">Pattern-matching authorization</a></li>
-      <li>Dynamic response → <a href="../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized">Custom denial status</a></li>
-    </ul>
   </summary>
-
+  <ul>
+    <li>Identity verification & authentication → <a href="../features.md#plain-authenticationplain">Plain</a></li>
+    <li>External auth metadata → <a href="../features.md#http-getget-by-post-metadatahttp">HTTP GET/GET-by-POST</a></li>
+    <li>Authorization → <a href="../features.md#pattern-matching-authorization-authorizationpatternmatching">Pattern-matching authorization</a></li>
+    <li>Dynamic response → <a href="../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized">Custom denial status</a></li>
+  </ul>
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 

docs/user-guides/external-metadata.md

@@ -5,13 +5,14 @@ Get online data from remote HTTP services to enhance authorization rules.
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>External auth metadata → <a href="../features.md#http-getget-by-post-metadatahttp">HTTP GET/GET-by-POST</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-      <li>Authorization → <a href="../features.md#open-policy-agent-opa-rego-policies-authorizationopa">Open Policy Agent (OPA) Rego policies</a></li>
-    </ul>
   </summary>
 
+  <ul>
+    <li>External auth metadata → <a href="../features.md#http-getget-by-post-metadatahttp">HTTP GET/GET-by-POST</a></li>
+    <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
+    <li>Authorization → <a href="../features.md#open-policy-agent-opa-rego-policies-authorizationopa">Open Policy Agent (OPA) Rego policies</a></li>
+  </ul>
+
   You can configure Authorino to fetch additional metadata from external sources in request-time, by sending either GET or POST request to an HTTP service. The service is expected to return a JSON content which is appended to the [Authorization JSON](../architecture.md#the-authorization-json), thus becoming available for usage in other configs of the Auth Pipeline, such as in authorization policies or custom responses.
 
   URL, parameters and headers of the request to the external source of metadata can be configured, including with dynamic values. Authentication between Authorino and the service can be set as part of these configuration options, or based on shared authentication token stored in a Kubernetes `Secret`.

docs/user-guides/http-basic-authentication.md

@@ -5,12 +5,12 @@ Turn Authorino API key `Secret`s settings into HTTP basic auth.
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-        <li>Authorization → <a href="../features.md#pattern-matching-authorization-authorizationpatternmatching">Pattern-matching authorization</a></li>
-    </ul>
   </summary>
-
+  <ul>
+    <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
+    <li>Authorization → <a href="../features.md#pattern-matching-authorization-authorizationpatternmatching">Pattern-matching authorization</a></li>
+  </ul>
+
   HTTP "Basic" Authentication ([RFC 7235](https://datatracker.ietf.org/doc/html/rfc7235)) is not recommended if you can afford other more secure methods such as OpenID Connect. To support legacy nonetheless it is sometimes necessary to implement it.
 
   In Authorino, HTTP "Basic" Authentication can be modeled leveraging the API key authentication feature (stored as Kubernetes `Secret`s with an `api_key` entry and labeled to match selectors specified in `spec.identity.apiKey.selector` of the `AuthConfig`).

docs/user-guides/injecting-data.md

@@ -5,12 +5,12 @@ Inject HTTP headers with serialized JSON content.
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Dynamic response → <a href="../features.md#json-injection-responsesuccessheadersdynamicmetadatajson">JSON injection</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-    </ul>
   </summary>
-
+  <ul>
+    <li>Dynamic response → <a href="../features.md#json-injection-responsesuccessheadersdynamicmetadatajson">JSON injection</a></li>
+    <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
+  </ul>
+
   Inject serialized custom JSON objects as HTTP request headers. Values can be static or fetched from the [Authorization JSON](../architecture.md#the-authorization-json).
 
   Check out as well the user guide about [Authentication with API keys](api-key-authentication.md).

docs/user-guides/json-pattern-matching-authorization.md

@@ -5,12 +5,13 @@ Write simple authorization rules based on JSON patterns matched against Authorin
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Authorization → <a href="../features.md#pattern-matching-authorization-authorizationpatternmatching">Pattern-matching authorization</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
-    </ul>
   </summary>
 
+  <ul>
+    <li>Authorization → <a href="../features.md#pattern-matching-authorization-authorizationpatternmatching">Pattern-matching authorization</a></li>
+    <li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
+  </ul>
+
   Authorino provides a built-in authorization module to check simple pattern-matching rules against the [Authorization JSON](../architecture.md#the-authorization-json). This is an alternative to [OPA](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) when all you want is to check for some simple rules, without complex logics, such as match the value of a JWT claim.
 
   Check out as well the user guide about [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md).

docs/user-guides/keycloak-authorization-services.md

@@ -7,12 +7,11 @@ This user guide is an example of how to use Authorino as an adapter to Keycloak
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
-      <li>Authorization → <a href="../features.md#open-policy-agent-opa-rego-policies-authorizationopa">Open Policy Agent (OPA) Rego policies</a></li>
-    </ul>
   </summary>
-
+  <ul>
+    <li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
+    <li>Authorization → <a href="../features.md#open-policy-agent-opa-rego-policies-authorizationopa">Open Policy Agent (OPA) Rego policies</a></li>
+  </ul>
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 

docs/user-guides/kubernetes-subjectaccessreview.md

@@ -5,11 +5,11 @@ Manage permissions in the Kubernetes RBAC and let Authorino to check them in req
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Authorization → <a href="../features.md#kubernetes-subjectaccessreview-authorizationkubernetessubjectaccessreview">Kubernetes SubjectAccessReview</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#kubernetes-tokenreview-authenticationkubernetestokenreview">Kubernetes TokenReview</a></li>
-    </ul>
   </summary>
+  <ul>
+    <li>Authorization → <a href="../features.md#kubernetes-subjectaccessreview-authorizationkubernetessubjectaccessreview">Kubernetes SubjectAccessReview</a></li>
+    <li>Identity verification & authentication → <a href="../features.md#kubernetes-tokenreview-authenticationkubernetestokenreview">Kubernetes TokenReview</a></li>
+  </ul>
 
   Authorino can delegate authorization decision to the Kubernetes authorization system, allowing permissions to be stored and managed using the Kubernetes Role-Based Access Control (RBAC) for example. The feature is based on the `SubjectAccessReview` API and can be used for `resourceAttributes` (parameters defined in the `AuthConfig`) or `nonResourceAttributes` (inferring HTTP path and verb from the original request).
 

docs/user-guides/kubernetes-tokenreview.md

@@ -5,11 +5,11 @@ Validate Kubernetes Service Account tokens to authenticate requests to your prot
 <details markdown="1">
   <summary>
     <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Identity verification & authentication → <a href="../features.md#kubernetes-tokenreview-authenticationkubernetestokenreview">Kubernetes TokenReview</a></li>
-    </ul>
   </summary>
-
+  <ul>
+    <li>Identity verification & authentication → <a href="../features.md#kubernetes-tokenreview-authenticationkubernetestokenreview">Kubernetes TokenReview</a></li>
+  </ul>
+
   Authorino can verify Kubernetes-valid access tokens (using Kubernetes [TokenReview](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1) API).
 
   These tokens can be either `ServiceAccount` tokens or any valid user access tokens issued to users of the Kubernetes server API.