Merging to release-5.6: New IA - Authentication & Authorization (#5690)…
… (#5751)
buger authored Nov 25, 2024
1 parent 66efc48 commit 0d663c0
Showing 85 changed files with 2,984 additions and 3,035 deletions.
2 changes: 1 addition & 1 deletion tyk-docs/content/advanced-configuration/integrate/sso.md
Expand Up @@ -13,7 +13,7 @@ weight: 0
### SSO - The generic use case

SSO gives users the ability to log in to multiple applications without the need to enter their password more than once.
[OIDC]({{< ref "basic-config-and-security/security/authentication-authorization/openid-connect" >}}) or SAML enables an application to verify the identity of users from an organization without the need to self store and manage them, and without doing the identification process and exposing their passwords to that application. Their lists of users and passwords are kept safe in one single place, in the IDP that the organization has chosen to use. The Authorization server of the IdP identify the users for a pre-registered and approved application (`client` in OAuth and OIDC terminology).
[OIDC]({{< ref "/api-management/authentication-authorization#use-openid-connect" >}}) or SAML enables an application to verify the identity of users from an organization without the need to self store and manage them, and without doing the identification process and exposing their passwords to that application. Their lists of users and passwords are kept safe in one single place, in the IDP that the organization has chosen to use. The Authorization server of the IdP identify the users for a pre-registered and approved application (`client` in OAuth and OIDC terminology).

### SSO in Tyk

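Review bot: the new ref on the `[OIDC]` line uses a leading slash (`/api-management/authentication-authorization#use-openid-connect`) while the same page is referenced without one elsewhere in this commit (`api-management/authentication-authorization#...` in automations.md); pick one form for all refs to the consolidated page so link checking and future search-and-replace stay simple. The target file authentication-authorization.md is added in this commit but not rendered here, so the `#use-openid-connect` anchor cannot be confirmed from this view; please verify the heading slug exists before merge.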
Expand Up @@ -25,7 +25,7 @@ The **Core Settings** tab provides access to configure basic settings for the AP
- [Service Discovery]({{< ref "planning-for-production/ensure-high-availability/service-discovery" >}})
- [API Ownership]({{< ref "product-stack/tyk-dashboard/advanced-configurations/user-management/api-ownership" >}})
- [API level rate limiting]({{< ref "basic-config-and-security/control-limit-traffic/rate-limiting#configuring-the-rate-limiter-at-the-api-level" >}})
- [Authentication]({{< ref "basic-config-and-security/security/authentication-&-authorization" >}})
- [Authentication]({{< ref "/api-management/authentication-authorization" >}})

## Versions

2,788 changes: 2,788 additions & 0 deletions tyk-docs/content/api-management/authentication-authorization.md

Large diffs are not rendered by default.

20 changes: 10 additions & 10 deletions tyk-docs/content/api-management/automations.md
Expand Up @@ -288,10 +288,10 @@ To address this challenge, Tyk Operator allows you to directly reference certifi

| Certificate Type | Supported in ApiDefinition | Supported in TykOasApiDefinition |
|------------------|-------------|---------|
| Client certifates |[Client mTLS]({{<ref "basic-config-and-security/security/mutual-tls/client-mtls#tyk-operator-classic">}}) |[Client mTLS]({{<ref "basic-config-and-security/security/mutual-tls/client-mtls#tyk-operator-oas">}}) |
| Client certifates |[Client mTLS]({{<ref "api-management/authentication-authorization#setup-static-mtls-in-tyk-operator-using-the-tyk-classic-api-definition">}}) |[Client mTLS]({{<ref "api-management/authentication-authorization#setup-static-mtls-in-tyk-operator-using-tyk-oas-api-definition">}}) |
| Custom domain certificates |[TLS and SSL]({{<ref "basic-config-and-security/security/tls-and-ssl#tyk-operator-classic">}}) |[TLS and SSL]({{<ref "basic-config-and-security/security/tls-and-ssl#tyk-operator-oas">}}) |
| Public keys pinning |[Certificate pinning]({{<ref "security/certificate-pinning#tyk-operator-classic">}}) |[Certificate pinning]({{<ref "security/certificate-pinning#tyk-operator-oas">}}) |
| Upstream mTLS |[Upstream mTLS via Operator]({{<ref "basic-config-and-security/security/mutual-tls/upstream-mtls#tyk-operator-classic">}}) |[Upstream mTLS via Operator]({{<ref "basic-config-and-security/security/mutual-tls/upstream-mtls#tyk-operator-oas">}}) |
| Upstream mTLS |[Upstream mTLS via Operator]({{<ref "api-management/authentication-authorization#via-tyk-operator-using-the-tyk-classic-api-definition">}}) |[Upstream mTLS via Operator]({{<ref "api-management/authentication-authorization#tyk-operator-oas">}}) |


### Install and Configure Tyk Operator
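Review bot: in the Upstream mTLS row the TykOasApiDefinition column points at `#tyk-operator-oas`, which looks like the old per-page anchor carried over rather than a heading on the consolidated page; the Classic column in the same row and both columns of the Client mTLS row use descriptive slugs such as `#setup-static-mtls-in-tyk-operator-using-tyk-oas-api-definition`, so this one is likely to 404 to the page top. Verify the slug against the new file and replace it with the matching descriptive anchor. Since the Client certificates row is being edited anyway, the typo "certifates" in its first cell could be fixed in the same change.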
Expand Down Expand Up @@ -1210,7 +1210,7 @@ Client to Gateway Authentication in Tyk ensures secure communication between cli

##### Keyless (Open)

This configuration allows [keyless (open)]({{<ref "basic-config-and-security/security/authentication-authorization/open-keyless">}}) access to the API without any authentication.
This configuration allows [keyless (open)]({{<ref "api-management/authentication-authorization#use-open-keyless-authentication">}}) access to the API without any authentication.

```yaml {hl_lines=["7-7"],linenos=false}
apiVersion: tyk.tyk.io/v1alpha1
Expand All @@ -1230,7 +1230,7 @@ spec:

##### Auth Token (Bearer Token)

This setup requires a [bearer token]({{<ref "basic-config-and-security/security/authentication-authorization/bearer-tokens">}}) for access.
This setup requires a [bearer token]({{<ref "api-management/authentication-authorization#use-bearer-tokens">}}) for access.

In the below example, the authentication token is set by default to the `Authorization` header of the request. You can customize this behavior by configuring the following fields:

Expand All @@ -1239,7 +1239,7 @@ In the below example, the authentication token is set by default to the `Authori
- `use_param`: Set to true to allow the token to be passed as a query parameter.
- `param_name`: Specify the parameter name if use_param is enabled.
- `use_certificate`: Enable client certificate. This allows you to create dynamic keys based on certificates.
- `validate_signature`: Enable [signature validation]({{<ref "basic-config-and-security/security/authentication-authorization/bearer-tokens#signature-validation">}}).
- `validate_signature`: Enable [signature validation]({{<ref "api-management/authentication-authorization#use-bearer-tokens">}}).

```yaml {hl_lines=["13-35"],linenos=false}
apiVersion: tyk.tyk.io/v1alpha1
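Review bot: the `validate_signature` bullet lost its specific target: the old ref ended in `bearer-tokens#signature-validation`, the new one in the generic `#use-bearer-tokens`, so a reader following "signature validation" now lands at the start of the bearer tokens section rather than at the signature validation subsection. If the consolidated page keeps a signature validation heading, link to that slug; if not, the sentence should at least say where in the section the option is described.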
Expand Down Expand Up @@ -1281,11 +1281,11 @@ spec:

##### JWT

This configuration uses [JWT tokens]({{<ref "basic-config-and-security/security/authentication-authorization/json-web-tokens">}}) for authentication.
This configuration uses [JWT tokens]({{<ref "api-management/authentication-authorization#use-json-web-tokens-jwt">}}) for authentication.

Users can configure JWT authentication by defining the following fields:

- `jwt_signing_method`: Specify the method used to sign the JWT. Refer to [JWT Signing Method]({{<ref "basic-config-and-security/security/authentication-authorization/json-web-tokens#jwt-signing-method">}}) for supported methods.
- `jwt_signing_method`: Specify the method used to sign the JWT. Refer to [JWT Signing Method]({{<ref "api-management/authentication-authorization#set-up-jwt-signing-method">}}) for supported methods.
- `jwt_source`: Specify the public key used for verifying the JWT.
- `jwt_identity_base_field`: Define the identity source, typically set to `sub` (subject), which uniquely identifies the user or entity.
- `jwt_policy_field_name`: Specify the claim within the JWT payload that indicates the policy ID to apply.
Expand Down Expand Up @@ -1372,7 +1372,7 @@ curl http://localhost:8080/httpbin-jwt1/get -H 'Authorization: Bearer eyJhbGciOi

##### Basic Authentication

This configuration uses [Basic Authentication]({{<ref "basic-config-and-security/security/authentication-authorization/basic-auth">}}), requiring a username and password for access.
This configuration uses [Basic Authentication]({{<ref "api-management/authentication-authorization#use-basic-authentication">}}), requiring a username and password for access.

```yaml {hl_lines=["13-13"],linenos=false}
apiVersion: tyk.tyk.io/v1alpha1
Expand Down Expand Up @@ -1457,9 +1457,9 @@ spec:

##### Multiple (Chained) Auth

This setup allows for [multiple authentication]({{<ref "basic-config-and-security/security/authentication-authorization/multiple-auth">}}) methods to be chained together, requiring clients to pass through each specified authentication provider.
This setup allows for [multiple authentication]({{<ref "api-management/authentication-authorization#multiple-chained-authentication">}}) methods to be chained together, requiring clients to pass through each specified authentication provider.

To enable multiple (chained) auth, you should set `base_identity_provided_by` field to one of the supported chained enums. Consult [Enable Multi (Chained) Authentication in your API Definition]({{<ref "basic-config-and-security/security/authentication-authorization/multiple-auth#enable-multi-chained-authentication-in-your-api-definition">}}) for the supported auths.
To enable multiple (chained) auth, you should set `base_identity_provided_by` field to one of the supported chained enums. Consult [Enable Multi (Chained) Authentication in your API Definition]({{<ref "api-management/authentication-authorization#enable-multi-chained-authentication-in-your-api-definition">}}) for the supported auths.

In this example, we are creating an API definition with basic authentication and mTLS with basic authentication as base identity for `httpbin-multiple-authentications`.

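Review bot: the second link in this hunk keeps the old anchor `#enable-multi-chained-authentication-in-your-api-definition` unchanged while the first link moves to a new slug (`#multiple-chained-authentication`); since headings were evidently renamed during consolidation, confirm that the long slug still exists in authentication-authorization.md or update it to the new heading. The prose "set `base_identity_provided_by` field" also reads better as "set the `base_identity_provided_by` field".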
Expand Up @@ -9,7 +9,7 @@ Authentication is the process of identifying API clients. It’s a broad topic,

### Implement Appropriate Authentication

Choose a suitable authentication approach based on the risk profile of the API. Is it publicly accessible or internal? Does it require user interaction or is it machine to machine? How sensitive is the data and functionality provided by the API? Simplistic approaches, such as [Bearer Tokens]({{< ref "basic-config-and-security/security/authentication-authorization/bearer-tokens" >}}), can work for low risk, basic APIs, but for higher risk or more sophisticated APIs, it may be more appropriate to use a standards-based approach such as [OAuth 2.0]({{< ref "basic-config-and-security/security/authentication-authorization/oauth-2-0" >}}) or [OpenID Connect]({{< ref "basic-config-and-security/security/authentication-authorization/openid-connect" >}}). Furthermore, using an [external identity provider]({{< ref "basic-config-and-security/security/authentication-authorization/ext-oauth-middleware" >}}) can deliver additional benefits, such as [single sign-on]({{< ref "advanced-configuration/integrate/sso" >}}), as well as multi-factor authentication approaches such as [biometric verification](https://www.okta.com/identity-101/biometrics-secure-authentication).
Choose a suitable authentication approach based on the risk profile of the API. Is it publicly accessible or internal? Does it require user interaction or is it machine to machine? How sensitive is the data and functionality provided by the API? Simplistic approaches, such as [Bearer Tokens]({{< ref "/api-management/authentication-authorization#use-bearer-tokens" >}}), can work for low risk, basic APIs, but for higher risk or more sophisticated APIs, it may be more appropriate to use a standards-based approach such as [OAuth 2.0]({{< ref "/api-management/authentication-authorization#set-up-oauth-20-authorization" >}}) or [OpenID Connect]({{< ref "/api-management/authentication-authorization#use-openid-connect" >}}). Furthermore, using an [external identity provider]({{< ref "/api-management/authentication-authorization#integrate-external-oauth-middleware" >}}) can deliver additional benefits, such as [single sign-on]({{< ref "advanced-configuration/integrate/sso" >}}), as well as multi-factor authentication approaches such as [biometric verification](https://www.okta.com/identity-101/biometrics-secure-authentication).

### Handle Data Securely

Expand Up @@ -9,7 +9,7 @@ Modern APIs are often backed by large technology stacks composed of numerous com

### Secure Connections

Use [transport layer security]({{< ref "basic-config-and-security/security/tls-and-ssl" >}}) where possible. Most importantly, on inbound connections to the gateway and outbound connection from the gateway to the upstream API and other services. TLS can also be used as a form of authentication, using [Mutual TLS]({{< ref "basic-config-and-security/security/mutual-tls" >}}).
Use [transport layer security]({{< ref "basic-config-and-security/security/tls-and-ssl" >}}) where possible. Most importantly, on inbound connections to the gateway and outbound connection from the gateway to the upstream API and other services. TLS can also be used as a form of authentication, using [Mutual TLS]({{< ref "/api-management/authentication-authorization#enable-mutual-tls" >}}).

### Limit Functionality

Expand Up @@ -9,7 +9,7 @@ APIs need to be managed and governed just like any other resource, otherwise org

**Restrict Version Availability**: Enforce the expiry of [API versions]({{< ref "getting-started/key-concepts/versioning" >}}) that are planned for deprecation, by setting a sunset date, beyond which they will not be accessible.

**Enforce Key Expiry**: In many situations it’s best to issue API keys that have a short, finite lifetime, especially when serving anonymous, external consumers. Set [expiry dates]({{< ref "basic-config-and-security/control-limit-traffic/key-expiry" >}}) for API keys, or use ephemeral credentials with complementary authentication techniques that support key renewal, such as [OAuth 2.0 refresh tokens]({{< ref "basic-config-and-security/security/authentication-&-authorization/oauth2-0/refresh-token-grant" >}}) and [dynamic client registration]({{< ref "tyk-stack/tyk-developer-portal/enterprise-developer-portal/api-access/dynamic-client-registration" >}}). Then, should an API key fall into the wrong hands, there’s a chance that it has already expired.
**Enforce Key Expiry**: In many situations it’s best to issue API keys that have a short, finite lifetime, especially when serving anonymous, external consumers. Set [expiry dates]({{< ref "basic-config-and-security/control-limit-traffic/key-expiry" >}}) for API keys, or use ephemeral credentials with complementary authentication techniques that support key renewal, such as [OAuth 2.0 refresh tokens]({{< ref "/api-management/authentication-authorization#use-refresh-token-grant" >}}) and [dynamic client registration]({{< ref "tyk-stack/tyk-developer-portal/enterprise-developer-portal/api-access/dynamic-client-registration" >}}). Then, should an API key fall into the wrong hands, there’s a chance that it has already expired.

**Use Standardized Specifications**: Use the [OpenAPI Specification](https://en.wikipedia.org/wiki/OpenAPI_Specification) standard to design APIs. These specification documents act as a source of truth that can generate [API configuration]({{< ref "getting-started/using-oas-definitions/import-an-oas-api" >}}) and [portal documentation]({{< ref "tyk-apis/tyk-portal-api/portal-documentation#create-documentation" >}}).

Expand Up @@ -42,7 +42,7 @@ If you want to restrict an API client to a certain rate of requests to your APIs
{{< note success >}}
**Note**

It is assumed that the APIs being protected with a rate limit are using our [Authentication token]({{< ref "basic-config-and-security/security/authentication-authorization/bearer-tokens" >}}) Authentication mode and have policies already created
It is assumed that the APIs being protected with a rate limit are using our [Authentication token]({{< ref "/api-management/authentication-authorization#use-bearer-tokens" >}}) Authentication mode and have policies already created
{{< /note >}}

You can configure this rate limit from the API Designer in Tyk Dashboard as follows:
Expand All @@ -59,7 +59,7 @@ If you want to restrict API clients to a certain rate of requests for a specific
{{< note success >}}
**Note**

It is assumed that the APIs being protected with a rate limit are using our [Authentication token]({{< ref "basic-config-and-security/security/authentication-authorization/bearer-tokens" >}}) Authentication mode and have policies already created
It is assumed that the APIs being protected with a rate limit are using our [Authentication token]({{< ref "/api-management/authentication-authorization#use-bearer-tokens" >}}) Authentication mode and have policies already created
{{< /note >}}

You can configure this rate limit from the API Designer in Tyk Dashboard as follows:
4 changes: 2 additions & 2 deletions tyk-docs/content/basic-config-and-security/security.md
Expand Up @@ -31,7 +31,7 @@ Tyk supports TLS connections and Mutual TLS. All TLS connections also support HT

### Trusted Certificates

As part of using Mutual TLS, you can create a list of [trusted certificates]({{< ref "basic-config-and-security/security/mutual-tls/concepts#certificates" >}}).
As part of using Mutual TLS, you can create a list of [trusted certificates]({{< ref "/api-management/authentication-authorization#how-does-mutual-tls-work" >}}).

### Certificate Pinning

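Review bot: the "trusted certificates" link now resolves to `#how-does-mutual-tls-work`, a general explanation, whereas the old target `mutual-tls/concepts#certificates` was specifically about the certificate list; if the consolidated page has a heading covering trusted certificates or certificate management, point there so the link text and destination match.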
Expand All @@ -48,7 +48,7 @@ Tyk supports various ways to secure your APIs, including:
* OAuth 2.0
* OpenID Connect

See [Authentication and Authorization]({{< ref "basic-config-and-security/security/authentication-&-authorization" >}}) for more details.
See [Authentication and Authorization]({{< ref "/api-management/authentication-authorization" >}}) for more details.

### Security Policies


This file was deleted.


0 comments on commit 0d663c0
