From 2262d5b0c1db3c721f08658132cdfad1cea856b2 Mon Sep 17 00:00:00 2001
From: OpenIddict Bot <32257313+openiddict-bot@users.noreply.github.com>
Date: Wed, 4 Jul 2018 11:22:23 +0000
Subject: [PATCH] Update the documentation pages

---
 features/application-permissions.html | 66 ++++++++++++++++++---------
 features/index.html                   |  3 ++
 guide/getting-started.html            |  3 ++
 guide/index.html                      |  3 ++
 guide/migration.html                  |  3 ++
 guide/samples.html                    |  3 ++
 index.html                            |  3 ++
 manifest.json                         | 30 ++++++------
 8 files changed, 78 insertions(+), 36 deletions(-)

diff --git a/features/application-permissions.html b/features/application-permissions.html
index e42351f..a9bad10 100644
--- a/features/application-permissions.html
+++ b/features/application-permissions.html
@@ -69,23 +69,24 @@
             <article class="content wrap" id="_content" data-uid="">
 <h1 id="application-permissions">Application permissions</h1>
 
-<p>Starting with RC2, OpenIddict includes an optional feature codenamed &quot;app permissions&quot; that allows
-controlling and limiting the OAuth2/OpenID Connect features a client application is able to use.</p>
+<p>Starting with RC2, OpenIddict includes a built-in feature codenamed &quot;application permissions&quot; that
+<strong>allows controlling and limiting the OAuth2/OpenID Connect features a client application is able to use</strong>.</p>
 <p>3 categories of permissions are currently supported:</p>
 <ul>
 <li>Endpoint permissions</li>
 <li>Grant type/flow permissions</li>
 <li>Scope permissions.</li>
 </ul>
-<blockquote><p>Configuring application permissions is recommended when dealing with
-third-party clients, to ensure they can only use the features they need. </p>
-</blockquote>
+<div class="WARNING"><h5>Warning</h5><p>Note: <strong>prior to OpenIddict RC3, application permissions were mostly optional</strong> and OpenIddict had a fallback mechanism
+called &quot;implicit permissions&quot; it used to determine whether an application could perform the requested action.</p>
+<p>If no permission was explicitly attached to the application, it was considered fully trusted and was granted all the permissions.
+Similarly, if you granted the &quot;token endpoint&quot; permission to an application but NO &quot;grant type&quot; permission,
+it was assumed the client application was allowed to use the password or client credentials grants.</p>
+<p>Retrospectively, this logic was too complex and it removed in RC3 and <strong>application permissions MUST now be explicitly granted</strong>.</p>
+</div>
 <h2 id="endpoint-permissions">Endpoint permissions</h2>
 <h3 id="definition">Definition</h3>
 <p>Endpoint permissions limit the endpoints a client application can use.</p>
-<blockquote><p>If no endpoint permission is explicitly granted, the client application
-is allowed to use all the endpoints enabled in <code>Startup.ConfigureServices()</code>.</p>
-</blockquote>
 <h3 id="supported-permissions">Supported permissions</h3>
 <table>
 <thead>
@@ -137,12 +138,16 @@ token endpoints but will get an error when trying to send an introspection or re
         }
     });
 }
+</code></pre><h3 id="disabling-endpoint-permissions">Disabling endpoint permissions</h3>
+<p>If you don&#39;t want to use endpoint permissions, call <code>options.IgnoreEndpointPermissions()</code> to ignore them:</p>
+<pre><code class="lang-csharp">services.AddOpenIddict()
+    .AddServer(options =&gt;
+    {
+        options.IgnoreEndpointPermissions();
+    });
 </code></pre><h2 id="grant-type-permissions">Grant type permissions</h2>
 <h3 id="definition">Definition</h3>
 <p>Grant type permissions limit the flows a client application is allowed to use.</p>
-<blockquote><p>If no grant type permission is explictly attached to an application, all the flows enabled in <code>Startup.ConfigureServices()</code>
-can be freely used by the application (as long as the authorization or token endpoint permissions are granted).</p>
-</blockquote>
 <h3 id="supported-permissions">Supported permissions</h3>
 <table>
 <thead>
@@ -188,6 +193,9 @@ while <code>console</code> is restricted to the <code>password</code> and <code>
         RedirectUris = { new Uri(&quot;https://www.getpostman.com/oauth2/callback&quot;) },
         Permissions =
         {
+            OpenIddictConstants.Permissions.Endpoints.Authorization,
+            OpenIddictConstants.Permissions.Endpoints.Token,
+
             OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode
         }
     });
@@ -201,21 +209,28 @@ if (await manager.FindByClientIdAsync(&quot;console&quot;) == null)
         DisplayName = &quot;Console&quot;,
         Permissions =
         {
+            OpenIddictConstants.Permissions.Endpoints.Token,
+
             OpenIddictConstants.Permissions.GrantTypes.Password,
             OpenIddictConstants.Permissions.GrantTypes.RefreshToken
         }
     });
 }
+</code></pre><h3 id="disabling-grant-type-permissions">Disabling grant type permissions</h3>
+<p>If you don&#39;t want to use grant type permissions, call <code>options.IgnoreGrantTypePermissions()</code> to ignore them:</p>
+<pre><code class="lang-csharp">services.AddOpenIddict()
+    .AddServer(options =&gt;
+    {
+        options.IgnoreGrantTypePermissions();
+    });
 </code></pre><h2 id="scope-permissions">Scope permissions</h2>
 <h3 id="definition">Definition</h3>
 <p>Scope permissions limit the scopes (standard or custom) a client application is allowed to use.</p>
-<blockquote><p>Like the other permissions, <strong>scope permissions are optional</strong>: if no scope permission is explictly attached,
-a client application is free to specify any scope in the authorization or token requests.</p>
-<p>The <code>openid</code> and <code>offline_access</code> scopes are special-cased by OpenIddict and don&#39;t require explicit permissions.</p>
+<blockquote><p>The <code>openid</code> and <code>offline_access</code> scopes are special-cased by OpenIddict and don&#39;t require explicit permissions.</p>
 </blockquote>
 <h3 id="example">Example</h3>
 <p>In the following sample, the <code>angular</code> client is allowed to request the <code>address</code>,
-<code>profile</code> and <code>custom</code> scopes: any other scope will result in an error being returned.</p>
+<code>profile</code> and <code>marketing_api</code> scopes: any other scope will result in an error being returned.</p>
 <pre><code class="lang-csharp">if (await manager.FindByClientIdAsync(&quot;angular&quot;) == null)
 {
     await manager.CreateAsync(new OpenIddictApplicationDescriptor
@@ -225,16 +240,22 @@ a client application is free to specify any scope in the authorization or token
         RedirectUris = { new Uri(&quot;https://localhost:34422/callback&quot;) },
         Permissions =
         {
-            OpenIddictConstants.Permissions.Prefixes.Scope +
-                OpenIdConnectConstants.Scopes.Address,
+            OpenIddictConstants.Permissions.Endpoints.Authorization,
+            OpenIddictConstants.Permissions.GrantTypes.Implicit,
 
-            OpenIddictConstants.Permissions.Prefixes.Scope +
-                OpenIdConnectConstants.Scopes.Profile,
-
-            OpenIddictConstants.Permissions.Prefixes.Scope + &quot;custom&quot;
+            OpenIddictConstants.Permissions.Scopes.Address,
+            OpenIddictConstants.Permissions.Scopes.Profile,
+            OpenIddictConstants.Permissions.Prefixes.Scope + &quot;marketing_api&quot;
         }
     });
 }
+</code></pre><h3 id="disabling-scope-permissions">Disabling scope permissions</h3>
+<p>If you don&#39;t want to use scope permissions, call <code>options.IgnoreScopePermissions()</code> to ignore them:</p>
+<pre><code class="lang-csharp">services.AddOpenIddict()
+    .AddServer(options =&gt;
+    {
+        options.IgnoreScopePermissions();
+    });
 </code></pre></article>
           </div>
           
@@ -242,6 +263,9 @@ a client application is free to specify any scope in the authorization or token
             <div class="sideaffix">
               <div class="contribution">
                 <ul class="nav">
+                  <li>
+                    <a href="https://github.com/openiddict/openiddict-documentation/blob/dev/features/application-permissions.md/#L1" class="contribution-link">Improve this Doc</a>
+                  </li>
                 </ul>
               </div>
               <nav class="bs-docs-sidebar hidden-print hidden-xs hidden-sm affix" id="affix">
diff --git a/features/index.html b/features/index.html
index e2a758b..ff2dca9 100644
--- a/features/index.html
+++ b/features/index.html
@@ -85,6 +85,9 @@
             <div class="sideaffix">
               <div class="contribution">
                 <ul class="nav">
+                  <li>
+                    <a href="https://github.com/openiddict/openiddict-documentation/blob/dev/features/index.md/#L1" class="contribution-link">Improve this Doc</a>
+                  </li>
                 </ul>
               </div>
               <nav class="bs-docs-sidebar hidden-print hidden-xs hidden-sm affix" id="affix">
diff --git a/guide/getting-started.html b/guide/getting-started.html
index 196ecc8..9e94771 100644
--- a/guide/getting-started.html
+++ b/guide/getting-started.html
@@ -229,6 +229,9 @@ using (var scope = app.ApplicationServices.GetRequiredService&lt;IServiceScopeFa
             <div class="sideaffix">
               <div class="contribution">
                 <ul class="nav">
+                  <li>
+                    <a href="https://github.com/openiddict/openiddict-documentation/blob/dev/guide/getting-started.md/#L1" class="contribution-link">Improve this Doc</a>
+                  </li>
                 </ul>
               </div>
               <nav class="bs-docs-sidebar hidden-print hidden-xs hidden-sm affix" id="affix">
diff --git a/guide/index.html b/guide/index.html
index abf5f83..11af666 100644
--- a/guide/index.html
+++ b/guide/index.html
@@ -90,6 +90,9 @@ with the power to control who can access your API and the information that is ex
             <div class="sideaffix">
               <div class="contribution">
                 <ul class="nav">
+                  <li>
+                    <a href="https://github.com/openiddict/openiddict-documentation/blob/dev/guide/index.md/#L1" class="contribution-link">Improve this Doc</a>
+                  </li>
                 </ul>
               </div>
               <nav class="bs-docs-sidebar hidden-print hidden-xs hidden-sm affix" id="affix">
diff --git a/guide/migration.html b/guide/migration.html
index 6afe776..8e1dc16 100644
--- a/guide/migration.html
+++ b/guide/migration.html
@@ -335,6 +335,9 @@ controlling and limiting the OAuth2/OpenID Connect features a client application
             <div class="sideaffix">
               <div class="contribution">
                 <ul class="nav">
+                  <li>
+                    <a href="https://github.com/openiddict/openiddict-documentation/blob/dev/guide/migration.md/#L1" class="contribution-link">Improve this Doc</a>
+                  </li>
                 </ul>
               </div>
               <nav class="bs-docs-sidebar hidden-print hidden-xs hidden-sm affix" id="affix">
diff --git a/guide/samples.html b/guide/samples.html
index c79a5b6..868b782 100644
--- a/guide/samples.html
+++ b/guide/samples.html
@@ -86,6 +86,9 @@
             <div class="sideaffix">
               <div class="contribution">
                 <ul class="nav">
+                  <li>
+                    <a href="https://github.com/openiddict/openiddict-documentation/blob/dev/guide/samples.md/#L1" class="contribution-link">Improve this Doc</a>
+                  </li>
                 </ul>
               </div>
               <nav class="bs-docs-sidebar hidden-print hidden-xs hidden-sm affix" id="affix">
diff --git a/index.html b/index.html
index c75e23c..b34c12e 100644
--- a/index.html
+++ b/index.html
@@ -96,6 +96,9 @@
             <div class="sideaffix">
               <div class="contribution">
                 <ul class="nav">
+                  <li>
+                    <a href="https://github.com/openiddict/openiddict-documentation/blob/dev/index.md/#L1" class="contribution-link">Improve this Doc</a>
+                  </li>
                 </ul>
               </div>
               <nav class="bs-docs-sidebar hidden-print hidden-xs hidden-sm affix" id="affix">
diff --git a/manifest.json b/manifest.json
index 8bd6eff..16123ca 100644
--- a/manifest.json
+++ b/manifest.json
@@ -9,7 +9,7 @@
       "output": {
         ".html": {
           "relative_path": "docfx.console.2.24.0/content/api/index.html",
-          "hash": "ch82uriRR0OThwO7n4f9Hw=="
+          "hash": "vZUtKskqnVmuRNs2Sv+lQw=="
         }
       },
       "is_incremental": false,
@@ -21,7 +21,7 @@
       "output": {
         ".html": {
           "relative_path": "docfx.console.2.24.0/content/articles/intro.html",
-          "hash": "xYl8aLEnwon5Os7BJ4wrVw=="
+          "hash": "bpZc6vqcbT8cJX1mlpAwrA=="
         }
       },
       "is_incremental": false,
@@ -45,7 +45,7 @@
       "output": {
         ".html": {
           "relative_path": "docfx.console.2.24.0/content/index.html",
-          "hash": "cLiCc5J10JV7nas0vhYA2w=="
+          "hash": "qLnUmlcAcyotqfgMLQkzPA=="
         }
       },
       "is_incremental": false,
@@ -80,7 +80,7 @@
       "output": {
         ".html": {
           "relative_path": "features/application-permissions.html",
-          "hash": "+zDwiYOsBIcQHuzWUvgnMg=="
+          "hash": "osvJQ5zmtnhcRGO72gRe6Q=="
         }
       },
       "is_incremental": false,
@@ -92,7 +92,7 @@
       "output": {
         ".html": {
           "relative_path": "features/index.html",
-          "hash": "PyjUMJrW39Vm6T1FinV9RQ=="
+          "hash": "XqKWaZORYS552qmlWgIl8A=="
         }
       },
       "is_incremental": false,
@@ -116,7 +116,7 @@
       "output": {
         ".html": {
           "relative_path": "guide/getting-started.html",
-          "hash": "g1WBUGkcQNKlY3Mg6VwZJg=="
+          "hash": "1XJUTyg0gItxGGe1z7Xn0w=="
         }
       },
       "is_incremental": false,
@@ -128,7 +128,7 @@
       "output": {
         ".html": {
           "relative_path": "guide/index.html",
-          "hash": "48EUV62nFyOQ6oJze8x2Zg=="
+          "hash": "RPB+31ltfkC/6PHrk4fVAQ=="
         }
       },
       "is_incremental": false,
@@ -140,7 +140,7 @@
       "output": {
         ".html": {
           "relative_path": "guide/migration.html",
-          "hash": "eLiFoTairridZ4ufIkf8hw=="
+          "hash": "mAZUkc9pqaTHFLWIYyzbyw=="
         }
       },
       "is_incremental": false,
@@ -152,7 +152,7 @@
       "output": {
         ".html": {
           "relative_path": "guide/samples.html",
-          "hash": "w0jPJDcWAvgoHiMxYfhCFg=="
+          "hash": "KV9on+AGPqCnWLmPoBs8iQ=="
         }
       },
       "is_incremental": false,
@@ -176,7 +176,7 @@
       "output": {
         ".html": {
           "relative_path": "index.html",
-          "hash": "OO5By8zH1VNzKFYqJHpvlw=="
+          "hash": "HRJyLPnyGiVyxOQ+haZo9A=="
         }
       },
       "is_incremental": false,
@@ -203,6 +203,11 @@
         "incrementalPhase": "build"
       },
       "processors": {
+        "RestApiDocumentProcessor": {
+          "can_incremental": false,
+          "details": "Processor RestApiDocumentProcessor cannot suppport incremental build because the processor doesn't implement ISupportIncrementalDocumentProcessor interface.",
+          "incrementalPhase": "build"
+        },
         "TocDocumentProcessor": {
           "can_incremental": false,
           "details": "Processor TocDocumentProcessor cannot suppport incremental build because the processor doesn't implement ISupportIncrementalDocumentProcessor interface.",
@@ -212,11 +217,6 @@
           "can_incremental": false,
           "incrementalPhase": "build"
         },
-        "RestApiDocumentProcessor": {
-          "can_incremental": false,
-          "details": "Processor RestApiDocumentProcessor cannot suppport incremental build because the processor doesn't implement ISupportIncrementalDocumentProcessor interface.",
-          "incrementalPhase": "build"
-        },
         "ManagedReferenceDocumentProcessor": {
           "can_incremental": false,
           "incrementalPhase": "build"