Doc format, add api-token section (#2975)

* Doc format, add api-token section

RELEASE_NOTES.md

@@ -16,21 +16,22 @@ report it to our [issue tracker].
 
 ## 2024-08-07 - Kanidm 1.3.0
 
-This is the latest stable release of the Kanidm Identity Management project. Every release is
+This is the latest stable release of the Kanidm Identity Management project. Every release is the
-the combined effort of our community and we appreciate their invaluable contributions, comments,
+combined effort of our community and we appreciate their invaluable contributions, comments,
 questions, feedback and support.
 
 You should review our
-[support documentation](https://github.com/kanidm/kanidm/blob/master/book/src/support.md)
+[support documentation](https://github.com/kanidm/kanidm/blob/master/book/src/support.md) as this
-as this may have important effects on your distribution or upgrades in future.
+may have important effects on your distribution or upgrades in future.
 
-Before upgrading you should review [our upgrade documentation](https://github.com/kanidm/kanidm/blob/master/book/src/server_updates.md#general-update-notes)
+Before upgrading you should review
+[our upgrade documentation](https://github.com/kanidm/kanidm/blob/master/book/src/server_updates.md#general-update-notes)
 
 ### 1.3.0 Important Changes
 
 - New GID number constraints are now enforced in this version. To upgrade from 1.2.0 all accounts
-  and groups must adhere to these rules. See [our upgrade documentation].
+  and groups must adhere to these rules. See [our upgrade documentation]. about tools to help you
-  about tools to help you detect and correct affected entries.
+  detect and correct affected entries.
 - OAuth2 URIs require stricter matching rules to be applied from 1.4.0.
 - Security Keys will be removed as a second factor alternative to TOTP from accounts in 1.4.0. It
   has not been possible to register a new security for more than 1 year. Security Keys are surpassed

book/src/access_control/intro.md

@@ -77,6 +77,7 @@ groups.
 | `idm_schema_admins`          | add and modify elements of schema                                       |
 | `idm_service_account_admins` | create and modify service accounts                                      |
 | `idm_unix_admins`            | enable posix attributes on accounts and groups                          |
+| `idm_application_admins`     | create and modify ldap applications which use per-user application passwords |
 
 ## Default Roles
 

book/src/accounts/authentication_and_credentials.md

@@ -16,8 +16,8 @@ secure method of authentication in Kanidm.
 
 > [!WARNING]
 >
-> Kanidm's definition of Passkeys may differ from that of other systems. This is because
+> Kanidm's definition of Passkeys may differ from that of other systems. This is because we adopted
-> we adopted the term very early, before it has changed and evolved.
+> the term very early, before it has changed and evolved.
 
 ### Attested Passkeys
 
@@ -101,8 +101,8 @@ update interface. This allows the user to directly manage the credentials of ano
 
 > [!WARNING]
 >
-> Don't use the direct credential reset to lock or invalidate an account. You should
+> Don't use the direct credential reset to lock or invalidate an account. You should expire the
-> expire the account instead.
+> account instead.
 
 ```bash
 kanidm person credential update demo_user --name idm_admin
@@ -155,6 +155,5 @@ kanidm reauth -D william
 
 > [!NOTE]
 >
-> During reauthentication an account must use the same credential that was used to
+> During reauthentication an account must use the same credential that was used to initially
-> initially authenticate to the session. The reauth flow will not allow any other credentials to be
+> authenticate to the session. The reauth flow will not allow any other credentials to be used!
-> used!

book/src/accounts/people_accounts.md

@@ -37,16 +37,16 @@ kanidm person get demo_user --name anonymous
 
 > [!NOTE]
 >
-> Only members of `idm_people_pii_read` and `idm_people_admins` may read personal
+> Only members of `idm_people_pii_read` and `idm_people_admins` may read personal information by
-> information by default.
+> default.
 
 Also
 
 > [!WARNING]
 >
-> Persons may change their own displayname, name and legal name at any time. You MUST NOT
+> Persons may change their own displayname, name and legal name at any time. You MUST NOT use these
-> use these values as primary keys in external systems. You MUST use the `uuid` attribute present on
+> values as primary keys in external systems. You MUST use the `uuid` attribute present on all
-> all entries as an external primary key.
+> entries as an external primary key.
 
 ## Account Validity
 

book/src/accounts/service_accounts.md

@@ -23,7 +23,7 @@ kanidm service-account get demo_service --name idm_admin
 By delegating the administration of this service account to `demo_group` this allows our `demo_user`
 to administer the service account.
 
-## Using API Tokens with Service Accounts
+## Generating API Tokens For Service Accounts
 
 Service accounts can have API tokens generated and associated with them. These tokens can be used
 for identification of the service account, and for granting extended access rights where the service
@@ -66,7 +66,15 @@ kanidm service-account api-token destroy --name ENTRY_MANAGER ACCOUNT_ID TOKEN_I
 kanidm service-account api-token destroy --name demo_user demo_service 4de2a4e9-e06a-4c5e-8a1b-33f4e7dd5dc7
 ```
 
-## API Tokens with LDAP
+### API Tokens with Kanidm HTTPS/REST API
+
+The API token issued for a service account can be used by putting the token into the HTTP request
+`Authorization` header with the format `Bearer <token>`.
+
+For more see the
+[MDN documentation for Authorisation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization)
+
+### API Tokens with LDAP
 
 API tokens can also be used to gain extended search permissions with LDAP. To do this you can bind
 with a dn of `dn=token` and provide the API token as the password.

book/src/developers/designs/access_profiles_original.md

@@ -185,12 +185,13 @@ moment.
 
 An example:
 
-Alice should only be able to modify a user's password if that user is a member of the students group.
+Alice should only be able to modify a user's password if that user is a member of the students
+group.
 
 > [!NOTE]
 >
-> `modify` does not imply `read` of the attribute. Care should be taken that we don't
+> `modify` does not imply `read` of the attribute. Care should be taken that we don't disclose the
-> disclose the current value in any error messages if the operation fails.
+> current value in any error messages if the operation fails.
 
 ## Targeting Requirements
 
@@ -416,9 +417,9 @@ depending on the entries and if you can/can't see them.
 
 > [!NOTE]
 >
-> You can only `delete`/`modify` within the read scope you have. If you can't read it (based
+> You can only `delete`/`modify` within the read scope you have. If you can't read it (based on the
-> on the read rules of `search`), you can't `delete` it. This is in addition to the filter rules of
+> read rules of `search`), you can't `delete` it. This is in addition to the filter rules of the
-> the `delete` applying as well. So performing a `delete` of `Pres(class)`, will only delete in your
+> `delete` applying as well. So performing a `delete` of `Pres(class)`, will only delete in your
 > `read` scope and will never disclose if you are denied access.
 
 <!-- TODO

book/src/developers/designs/profile_display.md

@@ -1,86 +1,109 @@
 ## User Settings Display Web UI
 
-We need a usable centralized location for users to view and manage their own user settings.
+We need a usable centralized location for users to view and manage their own user settings. User
-User settings do not envelop credentials, these have their own flow as they are also used in user setup.
+settings do not envelop credentials, these have their own flow as they are also used in user setup.
 
- - Writing new values requires a writable session -> we will make the user reauthenticate to obtain a temporary profile-update-token when they want to update their user settings.
+- Writing new values requires a writable session -> we will make the user reauthenticate to obtain a
- - The UI must display and make editable the following categories:
+  temporary profile-update-token when they want to update their user settings.
-   - user attributes
+- The UI must display and make editable the following categories:
-   - user ssh public-keys
+  - user attributes
- - The UI must display:
+  - user ssh public-keys
-   - user credential status as per [credential-display.rst](credential-display.rst)
+- The UI must display:
-   - user groups
+  - user credential status as per [credential-display.rst](credential-display.rst)
+  - user groups
 
 ### User attributes
+
 These consist of:
- - username
+
- - displayname
+- username
- - legal name
+- displayname
- - email address
+- legal name
-In the future:
+- email address
- - picture
+
- - zoneinfo/timezone
+Future attributes we intend to add:
- - locale/preferred language
+
- - other business related attributes: address, phone number, ...
+- profile picture
+- zoneinfo/timezone
+- locale/preferred language
+- address
+- phone number
 
 #### Displaying attributes
+
 Attributes should be displayed with
- - their descriptive name with tooltips or links if the name may be confusing to non IT people.
+
- - their current value OR if not set: some clear indication that the attribute is not set.
+- their descriptive name with tooltips or links if the name may be confusing to non IT people.
- - A method to edit the attribute if it is editable
+- their current value OR if not set: some clear indication that the attribute is not set.
+- A method to edit the attribute if it is editable
 
 #### Editing attributes
-Users must be able to edit attributes individually.
+
-Users should be able to see their changes before saving them. 
+Users must be able to edit attributes individually. Users should be able to see their changes before
-  E.g. via a popup that shows the old vs new value asking to confirm.
+saving them. E.g. via a popup that shows the old vs new value asking to confirm.
 
 #### TODO: Personal Identifiable Information attributes (currently we don't have these attributes)
+
 Certain information should not be displayed in the UI without reauthentication:
- - addresses
+
- - phone numbers
+- addresses
- - personal emails
+- phone numbers
- - birthdate
+- personal emails
+- birthdate
 
 ### SSH public keys
-Ssh public key entries in kanidm consist of a:
- - label : practically the ID of the key in kanidm
- - value : the public key
 
-A user may want to change their laptop ssh key by updating the value while keeping the label the same.
+Ssh public key entries in Kanidm consist of a:
-// TODO: Should a user be allowed to relabel their kanidm ssh keys ?
+
+- label : practically the ID of the key in kanidm
+- value : the public key
+
+A user may want to change their laptop ssh key by updating the value while keeping the label the
+same. // TODO: Should a user be allowed to relabel their kanidm ssh keys ?
 
 #### Displaying ssh keys
-Due to their long length they should be line-wrapped into a text field so the entirety is visible when shown.
+
-To reduce visible clutter and inconsistent spacing we will put the values into collapsable elements.
+Due to their long length they should be line-wrapped into a text field so the entirety is visible
+when shown. To reduce visible clutter and inconsistent spacing we will put the values into
+collapsable elements.
 
 These collapsed elements must include:
- - label
- - value's key type (ECDSA, rsa, ect..)
-and may include:
- - value's comment, truncated to some max length
 
+- label
+- value's key type (ECDSA, rsa, ect..) and may include:
+- value's comment, truncated to some max length
 
 #### Editing keys
-When editing keys users must be able to add keys, remove keys and update individual key values
+
-Each action will be committed immediately, thus proper prompts and icons indicating this must be shown (like a floppy disk save icon ?)
+When editing keys users must be able to add keys, remove keys and update individual key values. Each
+action will be committed immediately, thus proper prompts and icons indicating this must be shown
+(like a floppy disk save icon ?)
 
 ### Credential status
-Described in [credential-display.rst](credential-display.rst)
+
-Must inform the user of the credential update/reset page, since it is very related and might be what they were looking for instead.
+Described in [credential-display.rst](credential-display.rst) Must inform the user of the credential
+update/reset page, since it is very related and might be what they were looking for instead.
 
 ### User groups
-Mostly a technical piece of info, should not be in direct view to avoid confusing users.
+
-Could be displayed in tree form. 
+Mostly a technical piece of info, should not be in direct view to avoid confusing users. Could be
+displayed in tree form.
 
 ### User profile HTML Structure
-To keep things oranised each category will be their own page with a subnavigation bar to navigate between them.
-Since htmx cannot (without extensions) swap new scripts into the <head> on swap during boosted navigation, we must do non-boosted navigation to our profile page OR enable some htmx extension library.
 
-The same htmx limitation means that all JS for every profile categories must be loaded on all profile categories.
+To keep things organised each category will be their own page with a subnavigation bar to navigate
-Because want to use htmx to swap out content on form submission or page navigation to represent the new state as this is more efficient than triggering the client to do a redirect.
+between them. Since htmx cannot (without extensions) swap new scripts into the <head> on swap during
+boosted navigation, we must do non-boosted navigation to our profile page OR enable some htmx
+extension library.
+
+The same htmx limitation means that all JS for every profile categories must be loaded on all
+profile categories. Because want to use htmx to swap out content on form submission or page
+navigation to represent the new state as this is more efficient than triggering the client to do a
+redirect.
+
+Every category will get their own Askama template which requires the relevant fields described for
+each category above. And example would be
 
-Every category will get their own Askama template which requires the relevant fields described for each category above.
-And example would be 
 ```html
 <!-- /profile_templates/ssh_keys_partial.html -->
 
@@ -100,19 +123,19 @@ And example would be
 ```
 
 ```js
-<!-- ../static/profile.js -->
+// ../static/profile.js -->
 
 // Magically gets called on page load and swaps
 function onProfileSshKeysSwapped() {
-    // Do implementation things like attaching event listeners
+  // Do implementation things like attaching event listeners
 }
 
-indow.onload = function () {
+window.onload = function () {
-    // Event triggered by HTMX because we supply a HxTrigger response header when loading this profile category.
+  // Event triggered by HTMX because we supply a HxTrigger response header when loading this profile category.
-    document.body.addEventListener("profileSshKeysSwapped", () => {
+  document.body.addEventListener("profileSshKeysSwapped", () => {
-        onProfileSshKeysSwapped()
+    onProfileSshKeysSwapped();
-    });
+  });
-}
+};
 ```
 
 ```rust

book/src/developers/designs/rest_interface.md

@@ -2,8 +2,8 @@
 
 > [!NOTE]
 >
-> This is a work in progress and not all endpoints have perfect schema definitions, but
+> This is a work in progress and not all endpoints have perfect schema definitions, but they're all
-> they're all covered!
+> covered!
 
 We're generating an OpenAPI specification file and Swagger interface using
 [utoipa](https://crates.io/crates/utoipa).

book/src/developers/readme.md

@@ -84,8 +84,8 @@ deployment, will aim to provide a positive experience to all people.
 It's important before you start trying to write code and contribute that you understand what Kanidm
 does and its goals.
 
-An important first step is to [install the server](../installing_the_server.md) so if you have not done
+An important first step is to [install the server](../installing_the_server.md) so if you have not
-that yet, go and try that now! 😄
+done that yet, go and try that now! 😄
 
 ## Setting up your Machine
 
@@ -169,8 +169,8 @@ Tested with Ubuntu 20.04 and 22.04.
 
 > [!CAUTION]
 >
-> Our support for Windows is still in development, so you may encounter some compilation
+> Our support for Windows is still in development, so you may encounter some compilation or build
-> or build issues.
+> issues.
 
 You need [rustup](https://rustup.rs/) to install a Rust toolchain.
 
@@ -227,8 +227,8 @@ cargo test
 
 > [!IMPORTANT]
 >
-> Kanidm is unable to accept code that is generated by an AI for legal reasons. copilot
+> Kanidm is unable to accept code that is generated by an AI for legal reasons. copilot and other
-> and other tools that generate code in this way can not be used in Kanidm.
+> tools that generate code in this way can not be used in Kanidm.
 
 When you are ready for review (even if the feature isn't complete and you just want some advice):
 
@@ -331,7 +331,7 @@ KANIDM_BUILD_PROFILE=release_linux cargo build --release --bin kanidmd
 > [!NOTE:]
 >
 > There is a pre-packaged version of the Web UI at `/server/web_ui/pkg/`, which can be used
-directly. This means you don't need to build the Web UI yourself.
+> directly. This means you don't need to build the Web UI yourself.
 
 The Web UI uses Rust WebAssembly rather than Javascript. To build this you need to set up the
 environment:
@@ -398,8 +398,8 @@ You may find it easier to modify `~/.config/kanidm` per the
 
 > [!NOTICE]
 >
-> It's not recommended to use these tools outside of extremely complex or advanced
+> It's not recommended to use these tools outside of extremely complex or advanced development
-> development requirements. These are a last resort!
+> requirements. These are a last resort!
 
 The server has a low-level stateful API you can use for more complex or advanced tasks on large
 numbers of entries at once. Some examples are below, but generally we advise you to use the APIs or

book/src/domain_rename.md

@@ -6,17 +6,17 @@ or other needs which may prompt this needing to be changed.
 
 > [!WARNING]
 >
-> This WILL break ALL u2f/webauthn tokens that have been enrolled, which MAY cause
+> This WILL break ALL PassKeys (WebAuthn tokens) that have been enrolled, which MAY cause accounts to be
-> accounts to be locked out and unrecoverable until further action is taken. DO NOT CHANGE the
+> locked out and unrecoverable until further action is taken. DO NOT CHANGE the domain name unless
-> domain name unless REQUIRED and have a plan on how to manage these issues.
+> REQUIRED and have a plan on how to manage these issues.
 
  
 
 > [!NOTE]
 >
-> This operation can take an extensive amount of time as ALL accounts and groups in the
+> This operation MAY take an extensive amount of time as ALL accounts and groups in the domain MUST
-> domain MUST have their Security Principal Names (SPNs) regenerated. This WILL also cause a large
+> have their Security Principal Names (SPNs) regenerated. This WILL also cause a large delay in
-> delay in replication once the system is restarted.
+> replication once the system is restarted.
 
 You should make a backup before proceeding with this operation.
 

book/src/evaluation_quickstart.md

@@ -7,7 +7,8 @@ considerations you should be aware of for production deployments.
 
 ## Requirements
 
-The only thing you'll need for this is Docker, Podman, or a compatible containerd environment installed and running.
+The only thing you'll need for this is Docker, Podman, or a compatible containerd environment
+installed and running.
 
 ## Get the software
 
@@ -17,7 +18,8 @@ docker pull docker.io/kanidm/server:latest
 
 ## Create your configuration
 
-Create `server.toml`. The important parts are the `domain` and `origin`. For this example, if you use `localhost` and `https://localhost:8443` this will match later commands.
+Create `server.toml`. The important parts are the `domain` and `origin`. For this example, if you
+use `localhost` and `https://localhost:8443` this will match later commands.
 
 ```toml
 {{#rustdoc_include ../../examples/server_container.toml}}
@@ -105,7 +107,8 @@ Then follow the presented steps.
 
 ## What next?
 
-You'll probably want to set it up properly, so that other computers can access it, so [choose a domain name](choosing_a_domain_name.md) and complete the full server installation.
+You'll probably want to set it up properly, so that other computers can access it, so
+[choose a domain name](choosing_a_domain_name.md) and complete the full server installation.
 
 Alternatively you might like to try configurig one of these:
 

book/src/examples/kubernetes_ingress.md

@@ -15,8 +15,7 @@ We recommend you have the following before continuing:
 ## Instructions
 
 1. Create a Kanidm account and group:
-   1. Create a Kanidm account. Please see the section
+   1. Create a Kanidm account. Please see the section [Creating Accounts](../accounts/intro.md).
-      [Creating Accounts](../accounts/intro.md).
    2. Give the account a password. Please see the section
       [Resetting Account Credentials](../accounts/authentication_and_credentials.md).
    3. Make the account a person. Please see the section

book/src/examples/traefik.md

@@ -14,9 +14,9 @@ line `traefik.http.services.kanidm.loadbalancer.server.port=8443` sets this on t
 
 > [!NOTE]
 >
-> You will need to generate self-signed certificates for Kanidm, and copy the configuration
+> You will need to generate self-signed certificates for Kanidm, and copy the configuration into the
-> into the `kanidm_data` volume. Some instructions are available in the "Installing the Server"
+> `kanidm_data` volume. Some instructions are available in the "Installing the Server" section of
-> section of this book.
+> this book.
 
 `docker-compose.yml`
 

book/src/installing_client_tools.md

@@ -2,9 +2,9 @@
 
 > [!NOTE]
 >
-> Running different release versions will likely present incompatibilities. Ensure you're
+> Running different release versions will likely present incompatibilities. Ensure you're running
-> running matching release versions of client and server binaries. If you have any issues, check
+> matching release versions of client and server binaries. If you have any issues, check that you
-> that you are running the latest version of Kanidm.
+> are running the latest version of Kanidm.
 
 ## From packages
 
@@ -65,9 +65,9 @@ brew install kanidm
 
 > [!NOTE]
 >
-> Kanidm frequently uses new Rust versions and features, however Fedora and CentOS
+> Kanidm frequently uses new Rust versions and features, however Fedora and CentOS frequently are
-> frequently are behind in Rust releases. As a result, they may not always have the latest Kanidm
+> behind in Rust releases. As a result, they may not always have the latest Kanidm versions
-> versions available.
+> available.
 
 Fedora has limited support through the development repository. You need to add the repository
 metadata into the correct directory:
@@ -91,11 +91,13 @@ dnf install kanidm-clients
 
 ### Ubuntu and Debian
 
-See <https://kanidm.github.io/kanidm_ppa/> for nightly-built packages of the current development builds, and how to install them.
+See <https://kanidm.github.io/kanidm_ppa/> for nightly-built packages of the current development
+builds, and how to install them.
 
 ## Alpine Linux
 
-Kanidm is available in the [Alpine Linux testing repository](https://pkgs.alpinelinux.org/packages?name=kanidm%2A).
+Kanidm is available in the
+[Alpine Linux testing repository](https://pkgs.alpinelinux.org/packages?name=kanidm%2A).
 
 To install the Kanidm client use:
 

book/src/integrations/ldap.md

@@ -8,9 +8,9 @@ interface for these legacy applications and services.
 
 > [!WARNING]
 >
-> The LDAP server in Kanidm is not a complete LDAP implementation. This is intentional,
+> The LDAP server in Kanidm is not a complete LDAP implementation. This is intentional, as Kanidm
-> as Kanidm wants to cover the common use cases - simple bind and search. The parts we do support
+> wants to cover the common use cases - simple bind and search. The parts we do support are RFC
-> are RFC compliant however.
+> compliant however.
 
 ## What is LDAP
 
@@ -144,8 +144,8 @@ with a dn of `dn=token` and provide the api token in the password.
 
 > [!NOTE]
 >
-> The `dn=token` keyword is guaranteed to not be used by any other entry, which is why it
+> The `dn=token` keyword is guaranteed to not be used by any other entry, which is why it was chosen
-> was chosen as the keyword to initiate api token binds.
+> as the keyword to initiate api token binds.
 
 ```bash
 ldapwhoami -H ldaps://URL -x -D "dn=token" -w "TOKEN"
@@ -163,8 +163,8 @@ name.
 
 > [!WARNING]
 >
-> Changing the LDAP Basedn will require you to reconfigure your client applications so
+> Changing the LDAP Basedn will require you to reconfigure your client applications so they search
-> they search the correct basedn. Be careful when changing this value!
+> the correct basedn. Be careful when changing this value!
 
 As an admin you can change the domain ldap basedn with:
 

book/src/integrations/oauth2.md

@@ -2,8 +2,8 @@
 
 OAuth is a web authorisation protocol that allows "single sign on". It's key to note OAuth only
 provides authorisation, as the protocol in its default forms do not provide identity or
-authentication information. All that OAuth can provide is information that an entity is authorised for
+authentication information. All that OAuth can provide is information that an entity is authorised
-the requested resources.
+for the requested resources.
 
 OAuth can tie into extensions allowing an identity provider to reveal information about authorised
 sessions. This extends OAuth from an authorisation only system to a system capable of identity and
@@ -12,11 +12,13 @@ connect.
 
 ## Resource Server and Clients
 
-This is the resource that a user wants to access. Common [examples](oauth2/examples.md) could be Nextcloud, a Wiki, or a
+This is the resource that a user wants to access. Common [examples](oauth2/examples.md) could be
-chat service. In these cases the service is both the _client_ and the _resource server_ within the
+Nextcloud, a Wiki, or a chat service. In these cases the service is both the _client_ and the
-OAuth2 workflow. We will refer to the combination of both client and resource server as a service.
+_resource server_ within the OAuth2 workflow. We will refer to the combination of both client and
+resource server as a service.
 
-It's important for you to know _how_ your service will interact with OAuth2. For example, does it rely on OpenID connect for identity information, or does it support RFC7662 token introspection?
+It's important for you to know _how_ your service will interact with OAuth2. For example, does it
+rely on OpenID connect for identity information, or does it support RFC7662 token introspection?
 
 Kanidm will expose its OAuth2 APIs at the following URLs:
 
@@ -36,8 +38,8 @@ Kanidm issues tokens that are RFC9068 JWT's allowing service introspection.
 
 > [!NOTE]
 >
-> Previous versions of this document incorrectly named clients as resource servers due to
+> Previous versions of this document incorrectly named clients as resource servers due to clarity
-> clarity issues in the OAuth2 RFC.
+> issues in the OAuth2 RFC.
 
 ### OAuth2 Server Metadata
 
@@ -64,10 +66,12 @@ You need to substitute your OAuth2 `:client_id:` in the following urls:
 
 ### Create the Kanidm Configuration
 
-By default, members of the `system_admins` or `idm_hp_oauth2_manage_priv` groups are able to create or manage OAuth2 client integrations.
+By default, members of the `system_admins` or `idm_hp_oauth2_manage_priv` groups are able to create
+or manage OAuth2 client integrations.
 
 You can create a new client by specifying its client name, application display name and the landing
-page (home page) of the client. The landing page is where users will be redirected to from the Kanidm application portal.
+page (home page) of the client. The landing page is where users will be redirected to from the
+Kanidm application portal.
 
 ```bash
 kanidm system oauth2 create <name> <displayname> <landing page url>
@@ -90,13 +94,13 @@ kanidm system oauth2 update-scope-map nextcloud nextcloud_admins admin
 
 > [!TIP]
 >
-> OpenID connect allows a number of scopes that affect the content of the resulting
+> OpenID connect allows a number of scopes that affect the content of the resulting authorisation
-> authorisation token. If one of the following scopes are requested by the OpenID client, then the
+> token. If one of the following scopes are requested by the OpenID client, then the associated
-> associated claims may be added to the authorisation token. It is not guaranteed that all of the
+> claims may be added to the authorisation token. It is not guaranteed that all of the associated
-> associated claims will be added.
+> claims will be added.
 >
-> - **profile** - name, family_name, given_name, middle_name, nickname, preferred_username,
+> - **profile** - name, family_name, given_name, middle_name, nickname, preferred_username, profile,
->   profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at
+>   picture, website, gender, birthdate, zoneinfo, locale, and updated_at
 > - **email** - email, email_verified
 > - **address** - address
 > - **phone** - phone_number, phone_number_verified
@@ -105,8 +109,8 @@ kanidm system oauth2 update-scope-map nextcloud nextcloud_admins admin
 
 > [!WARNING]
 >
-> If you are creating an OpenID Connect (OIDC) client you **MUST** provide a scope map
+> If you are creating an OpenID Connect (OIDC) client you **MUST** provide a scope map named
-> named `openid`. Without this, OpenID Connect clients **WILL NOT WORK**!
+> `openid`. Without this, OpenID Connect clients **WILL NOT WORK**!
 
 You can create a supplemental scope map with:
 
@@ -148,9 +152,10 @@ You should now be able to test authorisation to the client.
 
 ## Scope Relationships
 
-For an authorisation to proceed, the client will request a list of scopes. For example, when a user wishes to login to the admin panel of the resource server, it may
+For an authorisation to proceed, the client will request a list of scopes. For example, when a user
-request the "admin" scope from Kanidm for authorisation. But when a user wants to login, it may only
+wishes to login to the admin panel of the resource server, it may request the "admin" scope from
-request "access" as a scope from Kanidm.
+Kanidm for authorisation. But when a user wants to login, it may only request "access" as a scope
+from Kanidm.
 
 As each service may have its own scopes and understanding of these, Kanidm isolates scopes to each
 service connected to Kanidm. Kanidm has two methods of granting scopes to accounts (users).
@@ -162,11 +167,11 @@ groups/roles in Kanidm which can be specific to that service.
 For an authorisation to proceed, all scopes requested by the client must be available in the final
 scope set that is granted to the account.
 
-The second part is supplemental scope mappings. These function the same as scope maps where membership of
+The second part is supplemental scope mappings. These function the same as scope maps where
-a group provides a set of scopes to the account. However these scopes are NOT consulted during
+membership of a group provides a set of scopes to the account. However these scopes are NOT
-authorisation decisions made by Kanidm. These scopes exist to allow optional properties to be
+consulted during authorisation decisions made by Kanidm. These scopes exist to allow optional
-provided (such as personal information about a subset of accounts to be revealed) or so that the
+properties to be provided (such as personal information about a subset of accounts to be revealed)
-service may make its own authorisation decisions based on the provided scopes.
+or so that the service may make its own authorisation decisions based on the provided scopes.
 
 This use of scopes is the primary means to control who can access what resources. These access
 decisions can take place either on Kanidm or the service.
@@ -214,8 +219,8 @@ kanidm system oauth2 enable-localhost-redirects mywebapp
 >
 > You **MUST NOT** share a single OAuth2 client definition between multiple applications.
 >
-> The ability to configure multiple redirect URLs is **NOT** intended to allow you to share a single Kanidm
+> The ability to configure multiple redirect URLs is **NOT** intended to allow you to share a single
-> client definition between multiple OAuth2 clients.
+> Kanidm client definition between multiple OAuth2 clients.
 >
 > Sharing OAuth2 client configurations between applications **FUNDAMENTALLY BREAKS** the OAuth2
 > security model and is **NOT SUPPORTED** as a configuration. The Kanidm Project **WILL NOT**
@@ -266,8 +271,8 @@ settings are explained in detail in [our FAQ](../frequently_asked_questions.html
 
 > [!WARNING]
 >
-> Changing these settings MAY have serious consequences on the security of your services.
+> Changing these settings MAY have serious consequences on the security of your services. You should
-> You should avoid changing these if at all possible!
+> avoid changing these if at all possible!
 
 To disable PKCE for a confidential client:
 

book/src/integrations/oauth2/how_does_oauth2_work.md

@@ -3,15 +3,15 @@
 OAuth2 uses a number of terms in ways that can make it unclear and difficult to understand.
 
 A user wishes to access a service (resource, resource server) through an OAuth2 client. The client
-does not have an active session for the userm so it redirects to the authorisation server (Kanidm) to
+does not have an active session for the userm so it redirects to the authorisation server (Kanidm)
-determine if the user has the appropriate permissions (scopes) for
+to determine if the user has the appropriate permissions (scopes) for the requested resources, and
-the requested resources, and should be allowed to proceed.
+should be allowed to proceed.
 
 The authorisation server checks the current session of the user and may present a login flow if
-required. Based on the identity of the user and the requested scopes,
+required. Based on the identity of the user and the requested scopes, the authorisation server makes
-the authorisation server makes a decision if it allows the authorisation to proceed. The user is
+a decision if it allows the authorisation to proceed. The user is then prompted to consent to the
-then prompted to consent to the authorisation from the authorisation server to the client as some
+authorisation from the authorisation server to the client as some identity information may be
-identity information may be revealed by granting this consent.
+revealed by granting this consent.
 
 If successful and consent is given, the user is redirected back to the client with an authorisation
 code. The client then contacts the authorisation server directly with this code and exchanges it for

book/src/integrations/pam_and_nsswitch.md

@@ -39,9 +39,9 @@ systemctl status kanidm-unixd-tasks
 
 > [!NOTE]
 >
-> The `kanidm_unixd_tasks` daemon is not required for PAM and nsswitch functionality. If
+> The `kanidm_unixd_tasks` daemon is not required for PAM and nsswitch functionality. If disabled,
-> disabled, your system will function as usual. It is however strongly recommended due to the
+> your system will function as usual. It is however strongly recommended due to the features it
-> features it provides supporting Kanidm's capabilities.
+> provides supporting Kanidm's capabilities.
 
 Both unixd daemons use the connection configuration from /etc/kanidm/config. This is the covered in
 [client_tools](../client_tools.md#kanidm-configuration).
@@ -54,11 +54,10 @@ You can also configure some unixd-specific options with the file /etc/kanidm/uni
 
 > [!NOTE]
 >
-> All users in Kanidm can change their name (and their spn) at any time. If you change
+> All users in Kanidm can change their name (and their spn) at any time. If you change `home_attr`
-> `home_attr` from `uuid` you _must_ have a plan on how to manage these directory renames in your
+> from `uuid` you _must_ have a plan on how to manage these directory renames in your system. We
-> system. We recommend that you have a stable ID (like the UUID), and symlinks from the name to the
+> recommend that you have a stable ID (like the UUID), and symlinks from the name to the UUID
-> UUID folder. Automatic support is provided for this via the unixd tasks daemon, as documented
+> folder. Automatic support is provided for this via the unixd tasks daemon, as documented here.
-> here.
 >
 > Ubuntu users please see:
 > [Why aren't snaps launching with home_alias set?](../frequently_asked_questions.md#why-arent-snaps-launching-with-home_alias-set)
@@ -122,9 +121,9 @@ testgroup:x:2439676479:testunix
 
 > [!WARNING]
 >
-> Modifications to PAM configuration _may_ leave your system in a state where you are
+> Modifications to PAM configuration _may_ leave your system in a state where you are unable to
-> unable to login or authenticate. You should always have a recovery shell open while making changes
+> login or authenticate. You should always have a recovery shell open while making changes (for
-> (for example, root), or have access to single-user mode at the machine's console.
+> example, root), or have access to single-user mode at the machine's console.
 
 Pluggable Authentication Modules (PAM) is the mechanism a UNIX-like system that authenticates users,
 and to control access to some resources. This is configured through a stack of modules that are

book/src/integrations/pam_and_nsswitch/fedora.md

@@ -2,8 +2,8 @@
 
 > [!WARNING]
 >
-> Kanidm currently has no support for SELinux policy - this may mean you need to run
+> Kanidm currently has no support for SELinux policy - this may mean you need to run the daemon with
-> the daemon with permissive mode for the `unconfined_service_t` daemon type. To do this run:
+> permissive mode for the `unconfined_service_t` daemon type. To do this run:
 > `semanage permissive -a unconfined_service_t`. To undo this run
 > `semanage permissive -d unconfined_service_t`.
 >

book/src/integrations/pam_and_nsswitch/suse.md

@@ -71,5 +71,5 @@ session optional    pam_env.so
 
 > [!WARNING]
 >
-> Ensure that `pam_mkhomedir` or `pam_oddjobd` are _not_ present in any stage of your
+> Ensure that `pam_mkhomedir` or `pam_oddjobd` are _not_ present in any stage of your PAM
-> PAM configuration, as they interfere with the correct operation of the Kanidm tasks daemon.
+> configuration, as they interfere with the correct operation of the Kanidm tasks daemon.

book/src/integrations/ssh_key_distribution.md

@@ -77,8 +77,8 @@ management tool such as salt or ansible.
 
 > [!NOTE]
 >
-> With a working SSH key setup, you should also consider adding the following
+> With a working SSH key setup, you should also consider adding the following `sshd_config` options
-> `sshd_config` options as hardening.
+> as hardening.
 
 ```text
 PermitRootLogin no
@@ -94,9 +94,9 @@ In this mode, the authorised keys commands will contact Kanidm directly.
 
 > [!NOTE]
 >
-> As Kanidm is being contacted directly there is no SSH public key cache. Any network outage
+> As Kanidm is being contacted directly there is no SSH public key cache. Any network outage or
-> or communication loss may prevent you accessing your systems. You should only use this version if
+> communication loss may prevent you accessing your systems. You should only use this version if you
-> you have a requirement for it.
+> have a requirement for it.
 
 The `kanidm_ssh_authorizedkeys_direct` command is part of the kanidm-clients package, so should be
 installed on the servers.

book/src/integrations/sssd.md

@@ -1,12 +1,12 @@
 # SSSD
 
-[SSSD](https://sssd.io/) is an alternative [PAM and nsswitch](./pam_and_nsswitch.md) provider that is
+[SSSD](https://sssd.io/) is an alternative [PAM and nsswitch](./pam_and_nsswitch.md) provider that
-commonly available on Linux.
+is commonly available on Linux.
 
 > [!WARNING]
 >
-> SSSD should be considered a "last resort". If possible, always use the native Kanidm
+> SSSD should be considered a "last resort". If possible, always use the native Kanidm pam and
-> pam and nsswitch tools instead.
+> nsswitch tools instead.
 
 ## Limitations
 

book/src/preparing_for_your_deployment.md

@@ -18,11 +18,10 @@ docker pull kanidm/tools:latest
 
 > [!NOTE]
 >
-> Our preferred deployment method is in containers, and this documentation assumes you're
+> Our preferred deployment method is in containers, and this documentation assumes you're running in
-> running in docker. Kanidm will alternately run as a daemon/service, and server builds are
+> docker. Kanidm will alternately run as a daemon/service, and server builds are available for
-> available for multiple platforms if you prefer this option. You may need to adjust the example
+> multiple platforms if you prefer this option. You may need to adjust the example commands
-> commands throughout this document to suit your desired server type if you choose not to use
+> throughout this document to suit your desired server type if you choose not to use containers.
-> containers.
 
 ## Development Version
 
@@ -102,8 +101,8 @@ the series of intermediates, and the final certificate should be the CA root. Fo
 
 > [!NOTE]
 >
-> If you are using Let's Encrypt the provided files "fullchain.pem" and "privkey.pem" are
+> If you are using Let's Encrypt the provided files "fullchain.pem" and "privkey.pem" are already
-> already correctly formatted as required for Kanidm.
+> correctly formatted as required for Kanidm.
 
 You can validate that the leaf certificate matches the key with the command:
 
@@ -136,9 +135,9 @@ openssl verify -untrusted fullchain.pem fullchain.pem
 
 > [!NOTE]
 >
-> Here "-untrusted" flag means a list of further certificates in the chain to build up to
+> Here "-untrusted" flag means a list of further certificates in the chain to build up to the root
-> the root is provided, but that the system CA root should be consulted. Verification is NOT
+> is provided, but that the system CA root should be consulted. Verification is NOT bypassed or
-> bypassed or allowed to be invalid.
+> allowed to be invalid.
 
 If these verifications pass you can now use these certificates with Kanidm. To put the certificates
 in place you can use a shell container that mounts the volume such as:

book/src/recycle_bin.md

@@ -5,8 +5,8 @@ for a period of time.
 
 > [!WARNING]
 >
-> The recycle bin is a best effort - when recovering in some cases not everything can be
+> The recycle bin is a best effort - when recovering in some cases not everything can be "put back"
-> "put back" the way it was. Be sure to check your entries are valid once they have been revived.
+> the way it was. Be sure to check your entries are valid once they have been revived.
 
 ## Where is the Recycle Bin?
 

book/src/repl/administration.md

@@ -16,8 +16,8 @@ You must then copy the new certificate to other nodes in the topology.
 
 > [!NOTE]
 >
-> In the future we will develop a replication coordinator so that you don't have to
+> In the future we will develop a replication coordinator so that you don't have to manually renew
-> manually renew this. But for now, if you want replication, you have to do it the hard way.
+> this. But for now, if you want replication, you have to do it the hard way.
 
 ## Refresh a Lagging Consumer
 

book/src/repl/deployment.md

@@ -2,8 +2,8 @@
 
 > [!WARNING]
 >
-> Replication is a newly developed feature. This means it requires manual configuration
+> Replication is a newly developed feature. This means it requires manual configuration and careful
-> and careful monitoring. You should take regular backups if you choose to proceed.
+> monitoring. You should take regular backups if you choose to proceed.
 
 ## Node Setup
 
@@ -32,8 +32,8 @@ Once configured, deploy this config to your servers and restart the nodes.
 
 > [!NOTE]
 >
-> In the future we will develop a replication coordinator so that you don't have to
+> In the future we will develop a replication coordinator so that you don't have to manually
-> manually configure this. But for now, if you want replication, you have to do it the hard way.
+> configure this. But for now, if you want replication, you have to do it the hard way.
 
 Each node has an identify certificate that is internally generated and used to communicate with
 other nodes in the topology. This certificate is also used by other nodes to validate this node.
@@ -95,8 +95,8 @@ docker exec -i -t <container name> \
 
 > [!NOTE]
 >
-> In the future we will develop a replication coordinator so that you don't have to
+> In the future we will develop a replication coordinator so that you don't have to manually
-> manually configure this. But for now, if you want replication, you have to do it the hard way.
+> configure this. But for now, if you want replication, you have to do it the hard way.
 
 This is the same as the manual process, but a single server is defined as the "primary" and the
 partner server is the "secondary". This means that if database issues occur the content of the

book/src/repl/planning.md

@@ -2,8 +2,8 @@
 
 > [!WARNING]
 >
-> Replication is a newly developed feature. This means it requires manual configuration
+> Replication is a newly developed feature. This means it requires manual configuration and careful
-> and careful monitoring. You should keep backups if you choose to proceed.
+> monitoring. You should keep backups if you choose to proceed.
 
 It is important that you plan your replication deployment before you proceed. You may have a need
 for high availability within a datacentre, geographic redundancy, or improvement of read scaling.

book/src/security_hardening.md

@@ -151,8 +151,8 @@ docker run --rm -i -t -u 1000:1000 -v kanidmd:/data kanidm/server:latest /sbin/k
 
 > [!HINT]
 >
-> You need to use the UID or GID number with the `-u` argument, as the container can't
+> You need to use the UID or GID number with the `-u` argument, as the container can't resolve
-> resolve usernames from the host system.
+> usernames from the host system.
 
 ## Minimum TLS key lengths
 

book/src/server_configuration.md

@@ -18,8 +18,8 @@ docs page for your particular build.
 
 > [!WARNING]
 >
-> You MUST set the `domain`, `origin`, `tls_chain` and `tls_path` options via one method
+> You MUST set the `domain`, `origin`, `tls_chain` and `tls_path` options via one method or the
-> or the other, or the server cannot start!
+> other, or the server cannot start!
 
 The following is a commented example configuration.
 
@@ -32,13 +32,14 @@ This example is located in
 
 > [!WARNING]
 >
-> You MUST set the "domain" name correctly, aligned with your "origin", else the server
+> You MUST set the "domain" name correctly, aligned with your "origin", else the server may refuse
-> may refuse to start or some features (e.g. WebAuthn, OAuth2) may not work correctly!
+> to start or some features (e.g. WebAuthn, OAuth2) may not work correctly!
 
 ### Check the configuration is valid
 
 You should test your configuration is valid before you proceed. This defaults to using
-`-c /data/server.toml`. The `kanidmd` volume was created in the [evaluation quickstart](evaluation_quickstart.md)
+`-c /data/server.toml`. The `kanidmd` volume was created in the
+[evaluation quickstart](evaluation_quickstart.md)
 
 ```bash
 docker run --rm -i -t -v kanidmd:/data \
@@ -69,8 +70,8 @@ docker run --cap-add NET_BIND_SERVICE \
 
 > [!TIP]
 >
-> However you choose to run your server, you should document and keep note of the docker run
+> However you choose to run your server, you should document and keep note of the docker run /
-> / create command you chose to start the instance. This will be used in the upgrade procedure.
+> create command you chose to start the instance. This will be used in the upgrade procedure.
 
 ### Default Admin Accounts
 

book/src/server_updates.md

@@ -32,9 +32,9 @@ process.
 
 > [!TIP]
 >
-> You should have documented and preserved your Kanidm container create / run command from
+> You should have documented and preserved your Kanidm container create / run command from the
-> the server preparation guide. If not, you'll need to use `docker inspect` to work out how to
+> server preparation guide. If not, you'll need to use `docker inspect` to work out how to recreate
-> recreate these parameters.
+> these parameters.
 
 ### Upgrade Check
 
@@ -80,8 +80,8 @@ See [backup and restore](backup_and_restore.md)
 
 > [!WARNING]
 >
-> Downgrades are not possible. It is critical you know how to backup and restore before
+> Downgrades are not possible. It is critical you know how to backup and restore before you proceed
-> you proceed with this step.
+> with this step.
 
 Docker updates operate by deleting and recreating the container. All state that needs to be
 preserved is within your storage volume.

book/src/sync/concepts.md

@@ -55,8 +55,8 @@ token: eyJhbGci...
 
 > [!WARNING]
 >
-> The sync account token has a high level of privilege, able to create new accounts and
+> The sync account token has a high level of privilege, able to create new accounts and groups. It
-> groups. It should be treated carefully as a result!
+> should be treated carefully as a result!
 
 If you need to revoke the token, you can do so with:
 
@@ -120,8 +120,8 @@ sync account.
 
 > [!WARNING]
 >
-> You can not undo this operation. Once you have finalised an agreement, Kanidm owns all
+> You can not undo this operation. Once you have finalised an agreement, Kanidm owns all of the
-> of the synchronised data, and you can not resume synchronisation.
+> synchronised data, and you can not resume synchronisation.
 
 ```bash
 kanidm system sync finalise <sync account name>
@@ -138,8 +138,8 @@ account, you can choose to terminate the agreement removing all data that was im
 
 > [!WARNING]
 >
-> You can not undo this operation. Once you have terminated an agreement, Kanidm deletes
+> You can not undo this operation. Once you have terminated an agreement, Kanidm deletes all of the
-> all of the synchronised data, and you can not resume synchronisation.
+> synchronised data, and you can not resume synchronisation.
 
 ```bash
 kanidm system sync terminate <sync account name>