markdown links

docs/user-guides/anonymous-access.md

@@ -3,17 +3,12 @@
 Bypass identity verification or fall back to anonymous access when credentials fail to validate
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Identity verification & authentication → <a href="./../features.md#anonymous-access-authenticationanonymous">Anonymous access</a></li>
-    </ul>
-  </summary>
-
-  For further details about Authorino features in general, check the [docs](./../features.md).
-</details>
+  <summary>Authorino capabilities featured in this guide:</summary>
 
-<br/>
+  - Identity verification & authentication → [Anonymous access](./../features.md#anonymous-access-authenticationanonymous)
+
+    For further details about Authorino features in general, check the [docs](./../features.md).
+</details>
 
 ## Requirements
 

docs/user-guides/api-key-authentication.md

@@ -3,12 +3,9 @@
 Issue API keys stored in Kubernetes `Secret`s for clients to authenticate with your protected hosts.
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-    </ul>
-  </summary>
+  <summary>Authorino capabilities featured in this guide:</summary>
+
+  - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
 
   In Authorino, API keys are stored as Kubernetes `Secret`s. Each resource must contain an `api_key` entry with the value of the API key, and labeled to match the selectors specified in `spec.identity.apiKey.selector` of the `AuthConfig`.
 
@@ -17,8 +14,6 @@ Issue API keys stored in Kubernetes `Secret`s for clients to authenticate with y
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 
-<br/>
-
 ## Requirements
 
 - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)

docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md

@@ -3,14 +3,12 @@
 Provide Envoy with dynamic metadata about the external authorization process to be injected into the rate limiting filter.
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Dynamic response → Response wrappers → <a href="../features.md#envoy-dynamic-metadata">Envoy Dynamic Metadata</a></li>
-      <li>Dynamic response → <a href="../features.md#json-injection-responsesuccessheadersdynamicmetadatajson">JSON injection</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-    </ul>
-  </summary>
+  <summary>Authorino capabilities featured in this guide</summary>
+
+  - Dynamic response → Response wrappers → [Envoy Dynamic Metadata](../features.md#envoy-dynamic-metadata)
+  - Dynamic response → [JSON injection](../features.md#json-injection-responsesuccessheadersdynamicmetadatajson)
+  - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
+
 
   Dynamic JSON objects built out of static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json) can be wrapped to be returned to the reverse-proxy as Envoy Well Known Dynamic Metadata content. Envoy can use those to inject data returned by the external authorization service into the other filters, such as the rate limiting filter.
 

docs/user-guides/authzed.md

@@ -3,16 +3,11 @@
 Permission requests sent to a Google Zanzibar-based [Authzed/SpiceDB](https://authzed.com) instance, via gRPC.
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Authorization → <a href="../features.md#spicedb-authorizationspicedb">SpiceDB</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-    </ul>
-  </summary>
-</details>
+  <summary>Authorino capabilities featured in this guide</summary>
 
-<br/>
+  - Authorization → [SpiceDB](../features.md#spicedb-authorizationspicedb)
+  - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
+</details>
 
 ## Requirements
 

docs/user-guides/caching.md

@@ -17,22 +17,17 @@ Cases where one will **NOT** want to enable caching, due to relatively cheap com
 - Anonymous access
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Common feature → <a href="../features.md#common-feature-caching-cache">Caching</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#anonymous-access-authenticationanonymous">Anonymous access</a></li>
-      <li>External auth metadata → <a href="../features.md#http-getget-by-post-metadatahttp">HTTP GET/GET-by-POST</a></li>
-      <li>Authorization → <a href="../features.md#open-policy-agent-opa-rego-policies-authorizationopa">Open Policy Agent (OPA) Rego policies</a></li>
-      <li>Dynamic response → <a href="../features.md#json-injection-responsesuccessheadersdynamicmetadatajson">JSON injection</a></li>
-    </ul>
-  </summary>
+  <summary>Authorino capabilities featured in this guide</summary>
+
+  - Common feature → [Caching](../features.md#common-feature-caching-cache)
+  - Identity verification & authentication → [Anonymous access](../features.md#anonymous-access-authenticationanonymous)
+  - External auth metadata → [HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp)
+  - Authorization → [Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa)
+  - Dynamic response → [JSON injection](../features.md#json-injection-responsesuccessheadersdynamicmetadatajson)
 
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 
-<br/>
-
 ## Requirements
 
 - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)

docs/user-guides/deny-with-redirect-to-login.md

@@ -3,14 +3,11 @@
 Customize response status code and headers on failed requests to redirect users of a web application protected with Authorino to a login page instead of a `401 Unauthorized`.
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Dynamic response → <a href="../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized">Custom denial status</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
-    </ul>
-  </summary>
+  <summary>Authorino capabilities featured in this guide</summary>
+
+  - Dynamic response → [Custom denial status](../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized)
+  - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
+  - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt)
 
   Authorino's default response status codes, messages and headers for unauthenticated (`401`) and unauthorized (`403`) requests can be customized with static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json).
 
@@ -19,8 +16,6 @@ Customize response status code and headers on failed requests to redirect users
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 
-<br/>
-
 ## Requirements
 
 - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)

docs/user-guides/edge-authentication-architecture-festival-wristbands.md

@@ -11,15 +11,12 @@ The very definition of "edge" is subject to discussion, but the underlying idea
 As a minimum, EAA allows to simplify authentication between applications and microservices inside the network, as well as to reduce authorization to domain-specific rules and policies, rather than having to deal all the complexity to support all types of clients in every node.
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Dynamic response → <a href="../features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband">Festival Wristband tokens</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#extra-identity-extension-authenticationdefaults-and-authenticationoverrides">Identity extension</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
-    </ul>
-  </summary>
+  <summary>Authorino capabilities featured in this guide</summary>
+
+  - Dynamic response → [Festival Wristband tokens](../features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband)
+  - Identity verification & authentication → [Identity extension](../features.md#extra-identity-extension-authenticationdefaults-and-authenticationoverrides)
+  - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
+  - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt)
 
   Festival Wristbands are OpenID Connect ID tokens (signed JWTs) issued by Authorino by the end of the Auth Pipeline, for authorized requests. It can be configured to include claims based on static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json).
 
@@ -28,8 +25,6 @@ As a minimum, EAA allows to simplify authentication between applications and mic
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 
-<br/>
-
 ## Requirements
 
 - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)

docs/user-guides/envoy-jwt-authn-and-authorino.md

@@ -9,21 +9,16 @@ The policy defines a geo-fence by which only requests originated in Great Britai
 All requests to the Talker API will be authenticated in Envoy. However, requests to `/global` will **not** trigger the external authorization.
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Identity verification & authentication → <a href="../features.md#plain-authenticationplain">Plain</a></li>
-      <li>External auth metadata → <a href="../features.md#http-getget-by-post-metadatahttp">HTTP GET/GET-by-POST</a></li>
-      <li>Authorization → <a href="../features.md#pattern-matching-authorization-authorizationpatternmatching">Pattern-matching authorization</a></li>
-      <li>Dynamic response → <a href="../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized">Custom denial status</a></li>
-    </ul>
-  </summary>
+  <summary>Authorino capabilities featured in this guide</summary>
+
+  - Identity verification & authentication → [Plain](../features.md#plain-authenticationplain)
+  - External auth metadata → [HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp)
+  - Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching)
+  - Dynamic response → [Custom denial status](../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized)
 
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 
-<br/>
-
 ## Requirements
 
 - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)

docs/user-guides/external-metadata.md

@@ -3,14 +3,11 @@
 Get online data from remote HTTP services to enhance authorization rules.
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>External auth metadata → <a href="../features.md#http-getget-by-post-metadatahttp">HTTP GET/GET-by-POST</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-      <li>Authorization → <a href="../features.md#open-policy-agent-opa-rego-policies-authorizationopa">Open Policy Agent (OPA) Rego policies</a></li>
-    </ul>
-  </summary>
+  <summary>Authorino capabilities featured in this guide</summary>
+
+  - External auth metadata → [HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp)
+  - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
+  - Authorization → [Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa)
 
   You can configure Authorino to fetch additional metadata from external sources in request-time, by sending either GET or POST request to an HTTP service. The service is expected to return a JSON content which is appended to the [Authorization JSON](../architecture.md#the-authorization-json), thus becoming available for usage in other configs of the Auth Pipeline, such as in authorization policies or custom responses.
 
@@ -21,8 +18,6 @@ Get online data from remote HTTP services to enhance authorization rules.
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 
-<br/>
-
 ## Requirements
 
 - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)

docs/user-guides/http-basic-authentication.md

@@ -3,13 +3,10 @@
 Turn Authorino API key `Secret`s settings into HTTP basic auth.
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-        <li>Authorization → <a href="../features.md#pattern-matching-authorization-authorizationpatternmatching">Pattern-matching authorization</a></li>
-    </ul>
-  </summary>
+  <summary>Authorino capabilities featured in this guide</summary>
+
+  - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
+  - Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching)
 
   HTTP "Basic" Authentication ([RFC 7235](https://datatracker.ietf.org/doc/html/rfc7235)) is not recommended if you can afford other more secure methods such as OpenID Connect. To support legacy nonetheless it is sometimes necessary to implement it.
 
@@ -20,8 +17,6 @@ Turn Authorino API key `Secret`s settings into HTTP basic auth.
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 
-<br/>
-
 ## Requirements
 
 - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)

docs/user-guides/injecting-data.md

@@ -3,13 +3,10 @@
 Inject HTTP headers with serialized JSON content.
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Dynamic response → <a href="../features.md#json-injection-responsesuccessheadersdynamicmetadatajson">JSON injection</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
-    </ul>
-  </summary>
+  <summary>Authorino capabilities featured in this guide</summary>
+
+  - Dynamic response → [JSON injection](../features.md#json-injection-responsesuccessheadersdynamicmetadatajson)
+  - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
 
   Inject serialized custom JSON objects as HTTP request headers. Values can be static or fetched from the [Authorization JSON](../architecture.md#the-authorization-json).
 
@@ -18,8 +15,6 @@ Inject HTTP headers with serialized JSON content.
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 
-<br/>
-
 ## Requirements
 
 - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)

docs/user-guides/json-pattern-matching-authorization.md

@@ -3,13 +3,10 @@
 Write simple authorization rules based on JSON patterns matched against Authorino's Authorization JSON; check contextual information of the request, validate JWT claims, cross metadata fetched from external sources, etc.
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Authorization → <a href="../features.md#pattern-matching-authorization-authorizationpatternmatching">Pattern-matching authorization</a></li>
-      <li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
-    </ul>
-  </summary>
+  <summary>Authorino capabilities featured in this guide</summary>
+
+  - Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching)
+  - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt)
 
   Authorino provides a built-in authorization module to check simple pattern-matching rules against the [Authorization JSON](../architecture.md#the-authorization-json). This is an alternative to [OPA](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) when all you want is to check for some simple rules, without complex logics, such as match the value of a JWT claim.
 
@@ -18,8 +15,6 @@ Write simple authorization rules based on JSON patterns matched against Authorin
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 
-<br/>
-
 ## Requirements
 
 - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)

docs/user-guides/keycloak-authorization-services.md

@@ -5,19 +5,15 @@ Keycloak provides a powerful set of tools (REST endpoints and administrative UIs
 This user guide is an example of how to use Authorino as an adapter to Keycloak Authorization Services while still relying on the reverse-proxy integration pattern, thus not involving importing an authorization library nor rebuilding the application's code.
 
 <details markdown="1">
-  <summary>
-    <strong>Authorino capabilities featured in this guide:</strong>
-    <ul>
-      <li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
-      <li>Authorization → <a href="../features.md#open-policy-agent-opa-rego-policies-authorizationopa">Open Policy Agent (OPA) Rego policies</a></li>
-    </ul>
-  </summary>
+  <summary>Authorino capabilities featured in this guide</summary>
+
+  - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt)
+  - Authorization → [Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa)
+
 
   For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 
-<br/>
-
 ## Requirements
 
 - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)