add oidc

b1455d9d · T. Hinrichsmeyer · c25b6762 · b1455d9d · b1455d9d
Unverified Commit b1455d9d authored 3 months ago by T. Hinrichsmeyer
--- a/docs/container/security.md
+++ b/docs/container/security.md
@@ -3,7 +3,12 @@
 ## Trivy

 - [GitHub](https://github.com/aquasecurity/trivy)
- [Docs](https://aquasecurity.github.io/trivy)
+- [Docs](https://trivy.dev/latest/docs/)
+
+### Config
+
+- [Configuration](https://trivy.dev/latest/docs/configuration/)
+- Cli options can be exported as env vars (i.e. `--debug` -> `TRIVY_DEBUG=true trivy ...`)

 ### Usage

@@ -25,6 +30,7 @@ Scan container image:
 ```sh
 trivy image php:8.4.4-apache-bullseye
 trivy image php:8.4.4-apache-bullseye | head -5  # Hide details
+TRIVY_IGNORE_UNFIXED=true trivy image php:8.4.4-apache-bullseye # Only show fixed CVEs
 ```

 ### Ignore checks

--- a/docs/security/authentication/oidc.md
+++ b/docs/security/authentication/oidc.md
+# OpenID Connect
+
+- Central identity provider (IDP), also calles OpenID Provider
+- Client (or relying party)
+- Identity Token includes personal information
+  (`Claims`, i.e. name, role, email etc.)
+  - Identity tokens are signed by the IDP, and verified by the client
+  - JSON Web token (`JWT`)
+  - Standard claims (`iss`, `sub`, `aud`, `email` etc.)
+  - Custom claims (i.e. `roles`)
+
+## OIDC flows
+
+### Authorization code flow
+
+- Most relevant
+- Token is transferred via the `Backend channel` (CLient <-> IDP)
+  - SAML uses the `Frontend channel` via Browser, which makes
+    it less secure
+
+## Scopes
+
+- Defines the content of the ID token, i.e. which `claims` can an application get from the IDP ?