fix and clarify openidConnectClient selection algorithm #8087

@jimmy1wu

Description

Please describe the problem you are having with the documentation. Is information missing, inaccurate, or unclear? Tell us about the context where you encountered the problem so we can understand how to address it.

Doc:
https://openliberty.io/docs/latest/reference/feature/openidConnectClient-1.0.html#jwt

As-is:
Open Liberty selects the openidConnectClient configuration to use for a JWT request according to the following algorithm.

  1. If the authentication filter for an openidConnectClient configuration matches the request, choose that configuration.
  2. If the issuer claim from the JWT matches the issuerIdentifier attribute in only one openidConnectClient configuration element, choose that configuration.
  3. If the issuer claim from the JWT matches the issuerIdentifier attribute in multiple openidConnectClient configuration elements, choose the first configuration that matches.
  4. If the issuer claim from the JWT does not match the issuerIdentifier attribute in any openidConnectClient configuration elements, choose between all of the configuration elements in a nondeterministic manner.

Issue:
Step 4 is not accurate, and Step 1 does not explain the one vs. multiple case like Steps 2 and 3 do.

Proposal:
Open Liberty selects the openidConnectClient configuration to use for a JWT request according to the following algorithm.

  1. If the authentication filter matches the request in only one openidConnectClient configuration element, choose that configuration.
  2. If the authentication filter matches the request in multiple openidConnectClient configuration elements, choose one of the configurations in a nondeterministic manner.
  3. If the issuer claim from the JWT matches the issuerIdentifier attribute in only one openidConnectClient configuration element, choose that configuration.
  4. If the issuer claim from the JWT matches the issuerIdentifier attribute in multiple openidConnectClient configuration elements, choose one of the configurations in a nondeterministic manner.
  5. If there is one openidConnectClient configuration without an authentication filter, choose that configuration.
  6. If there are multiple openidConnectClient configurations without an authentication filter, choose one of the configurations in a nondeterministic manner.
  7. If no match is found, determine if an alternative authentication method is available.
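A small model of the proposed seven-step order, added here as an illustration (it is not Open Liberty's implementation). The `OidcClient` class, the representation of an authentication filter as a predicate over the request, and the sample configurations are all assumptions; the point is to surface the steps where the server would pick nondeterministically, which is what a configuration review should catch.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical model of one <openidConnectClient> element (not Liberty's own class).
@dataclass
class OidcClient:
    id: str
    issuer_identifier: Optional[str] = None               # issuerIdentifier attribute
    auth_filter: Optional[Callable[[dict], bool]] = None  # authFilter; None = none configured

def select_client(configs, request, claims):
    """Apply the proposed selection order and return (step, candidates).

    step is the proposal step that produced the candidates. More than one
    candidate means the real server would choose nondeterministically
    (steps 2, 4, 6); step 7 with [] means nothing matched.
    """
    # Steps 1-2: an authentication filter that matches the request wins.
    matched = [c for c in configs if c.auth_filter and c.auth_filter(request)]
    if matched:
        return (1 if len(matched) == 1 else 2), matched
    # Steps 3-4: the JWT issuer claim against issuerIdentifier.
    # A missing iss claim must not match an element with no issuerIdentifier.
    issuer = claims.get("iss")
    by_issuer = [c for c in configs
                 if issuer is not None and c.issuer_identifier == issuer]
    if by_issuer:
        return (3 if len(by_issuer) == 1 else 4), by_issuer
    # Steps 5-6: fall back to elements that have no authentication filter.
    unfiltered = [c for c in configs if c.auth_filter is None]
    if unfiltered:
        return (5 if len(unfiltered) == 1 else 6), unfiltered
    # Step 7: no match; the caller looks for another authentication method.
    return 7, []

# Constructed sample configuration (assumed, not from the documentation).
# The two filters overlap on /api/admin/, which makes step 2 reachable.
CONFIGS = [
    OidcClient("apiClient", "https://idp.example/api",
               auth_filter=lambda r: r["path"].startswith("/api/")),
    OidcClient("adminClient", "https://idp.example/admin",
               auth_filter=lambda r: r["path"].startswith("/api/admin/")),
    OidcClient("defaultClient", "https://idp.example/default"),
    OidcClient("legacyClient", "https://idp.example/default"),
]

def demo(path, iss):
    return select_client(CONFIGS, {"path": path}, {"iss": iss})
```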
