From b97084e58d13d2641c598eb6aaa27c36253fc13e Mon Sep 17 00:00:00 2001 From: David Mueller Date: Mon, 20 Nov 2023 15:28:00 -0500 Subject: [PATCH 1/3] add new example #7023 --- .../feature/openidConnectClient/examples.adoc | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/modules/reference/pages/feature/openidConnectClient/examples.adoc b/modules/reference/pages/feature/openidConnectClient/examples.adoc index 54953cb4cf..1ab1525f74 100644 --- a/modules/reference/pages/feature/openidConnectClient/examples.adoc +++ b/modules/reference/pages/feature/openidConnectClient/examples.adoc @@ -13,7 +13,7 @@ The following examples demonstrate configuration options for the OpenID Connect - <<#oauth,Accept an OAuth 2.0 bearer access token without redirecting to an OpenID Connect provider>> - <<#context,Modify the context root>> - <<#params,Pass request parameters to OpenID Connect>> - +- <<#access-token,Check the access token for user group information>> [#minimal] === Minimal configuration for Open Liberty to act as an OpenID Connect client @@ -360,3 +360,15 @@ To provide extra authorization parameters to the OP, configure `authzParameter` ---- To configure parameters for the token endpoint, use the `tokenParameter` element. + +[#access-token] +=== Check the access token for user group information + +If a user's group information is not found in the ID token, you can configure Open Liberty to also check for this information in the Access token and `userinfo`. Set the `tokensOrderToFetchCallerClaims` attribute to `AccessToken IDToken Userinfo`, as shown in the following example. + +[source,xml] +---- + +---- + +In this example, Open Liberty checks the Access Token first, then the ID token, and lastly, `userinfo`. If no group information is found in these locations, an unauthorized response code is returned. From eada11103cdcae0ca1f24bba975450c9c78a619d Mon Sep 17 00:00:00 2001 
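Review bot: the `[source,xml]` block in the new `[#access-token]` section is empty in this hunk (`----` directly followed by `----`), yet the sentence before it says the attribute setting is "shown in the following example"; the `openidConnectClient` element carrying `tokensOrderToFetchCallerClaims="AccessToken IDToken Userinfo"` needs to be inside the fences before this merges. Separately, the opening sentence presents the access token and `userinfo` as places to look when group information "is not found in the ID token", but the configured order consults the access token first and the ID token second, as the closing paragraph itself spells out, so the prose and the example disagree on precedence; state plainly that the attribute sets the order in which the sources are consulted and that the first source holding the claim is the one used.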
From: David Mueller Date: Mon, 20 Nov 2023 15:51:20 -0500 Subject: [PATCH 2/3] Update examples.adoc --- .../pages/feature/openidConnectClient/examples.adoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/reference/pages/feature/openidConnectClient/examples.adoc b/modules/reference/pages/feature/openidConnectClient/examples.adoc index 1ab1525f74..072dc1be29 100644 --- a/modules/reference/pages/feature/openidConnectClient/examples.adoc +++ b/modules/reference/pages/feature/openidConnectClient/examples.adoc @@ -364,11 +364,13 @@ To configure parameters for the token endpoint, use the `tokenParameter` element [#access-token] === Check the access token for user group information -If a user's group information is not found in the ID token, you can configure Open Liberty to also check for this information in the Access token and `userinfo`. Set the `tokensOrderToFetchCallerClaims` attribute to `AccessToken IDToken Userinfo`, as shown in the following example. +If a user's group information is not found in the ID token, you can configure Open Liberty to also check for this information in the Access token and the `UserInfo` endpoint. Set the `tokensOrderToFetchCallerClaims` attribute to `AccessToken IDToken Userinfo`, as shown in the following example. [source,xml] ---- ---- -In this example, Open Liberty checks the Access Token first, then the ID token, and lastly, `userinfo`. If no group information is found in these locations, an unauthorized response code is returned. +In this example, Open Liberty checks the access token first, then the ID token, and lastly, calls the `UserInfo` endpoint. If no group information is found in any of these these locations, an unauthorized response code is returned. + +If the `tokensOrderToFetchCallerClaims` attribute is not specified, the default value is `IDToken` and Open Liberty checks only the ID token for group information. From 4ee1750102a16d83342d9e1512ce87cd74269cac Mon Sep 17 00:00:00 2001 
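Review bot: "in any of these these locations" in the rewritten closing paragraph has a doubled "these". Also, the prose now refers to the `UserInfo` endpoint while the attribute value in the same paragraph is left as `Userinfo`; confirm which spelling the attribute accepts and, if the value really is `Userinfo`, keep the mixed casing but make clear that the value is a literal and the endpoint name is prose, so readers do not copy `UserInfo` into the configuration.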
From: David Mueller Date: Tue, 21 Nov 2023 11:58:52 -0500 Subject: [PATCH 3/3] edits per review #7023 --- .../pages/feature/openidConnectClient/examples.adoc | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/modules/reference/pages/feature/openidConnectClient/examples.adoc b/modules/reference/pages/feature/openidConnectClient/examples.adoc index 072dc1be29..88eea01d92 100644 --- a/modules/reference/pages/feature/openidConnectClient/examples.adoc +++ b/modules/reference/pages/feature/openidConnectClient/examples.adoc @@ -13,7 +13,7 @@ The following examples demonstrate configuration options for the OpenID Connect - <<#oauth,Accept an OAuth 2.0 bearer access token without redirecting to an OpenID Connect provider>> - <<#context,Modify the context root>> - <<#params,Pass request parameters to OpenID Connect>> -- <<#access-token,Check the access token for user group information>> +- <<#access-token,Check the access token for user and group information>> [#minimal] === Minimal configuration for Open Liberty to act as an OpenID Connect client 
@@ -362,15 +362,17 @@ To provide extra authorization parameters to the OP, configure `authzParameter` To configure parameters for the token endpoint, use the `tokenParameter` element. [#access-token] -=== Check the access token for user group information +=== Check the access token for user and group information -If a user's group information is not found in the ID token, you can configure Open Liberty to also check for this information in the Access token and the `UserInfo` endpoint. Set the `tokensOrderToFetchCallerClaims` attribute to `AccessToken IDToken Userinfo`, as shown in the following example. +If `userIdentifier` or `groupIdentifier` values are not found in the ID token, Open Liberty can also check in the access token and the `UserInfo` endpoint. + +Set the `tokensOrderToFetchCallerClaims` attribute to `AccessToken IDToken Userinfo`, as shown in the following example. [source,xml] ---- ---- -In this example, Open Liberty checks the access token first, then the ID token, and lastly, calls the `UserInfo` endpoint. If no group information is found in any of these these locations, an unauthorized response code is returned. +In this example, Open Liberty checks for `userIdentifier` and `groupIdentifier` values first in the access token, then the ID token, and lastly, calls the `UserInfo` endpoint. If the values are not found in any of those locations, an unauthorized response code is returned. -If the `tokensOrderToFetchCallerClaims` attribute is not specified, the default value is `IDToken` and Open Liberty checks only the ID token for group information. +If the `tokensOrderToFetchCallerClaims` attribute is not specified, the default value is `IDToken` and Open Liberty checks only the ID token for user and group information.
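Review bot: the opening sentence still frames the access token and the `UserInfo` endpoint as fallbacks for `userIdentifier` or `groupIdentifier` values "not found in the ID token", while the example order `AccessToken IDToken Userinfo` makes the access token the first source consulted and the ID token only the second; either reword the sentence to say the attribute sets the order in which Open Liberty looks for those claims, or change the example to `IDToken AccessToken Userinfo` if a fallback from the ID token is what the section means to show. The `[source,xml]` block is also still empty in this hunk, so "as shown in the following example" has nothing to point at.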