feat: Add docs for third party OIDC providers

[Nikpolik]

Important

🔎 Previews:

• https://clerk.com/docs/pr/1769/authentication/enterprise-connections/overview
• https://clerk.com/docs/pr/1769/authentication/enterprise-connections/oidc/custom-provider

This PR:

Adds instructions on how to configure any OIDC compatible OAuth provider to be used with enterprise_sso and enterprise_connections.

Also updated the overview to have an OIDC section similar to SAML that mentions EASIE and custom OAuth providers as an alternative.

Checklist

• I have clicked on "Files changed" and performed a thorough self-review
• I have added the "deploy-preview" label and added the preview link(s) to this PR description
• All existing checks pass

Note

• Opened PR to change title to "Third Party" and fix OIDC abbreviation
• Need to also update /authentication/social-connections/custom-provider doc re: manual configuration section

[github-actions]

Hey, here’s your docs preview: https://clerk.com/docs/pr/1769

[victoriaxyz]

Suggested change

	1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
	1. Select **Add connection** and select **For specific domains**.
	1. Under **Third party**, select **OIDC**.
	1. Add the **Name** of the connection.
	1. Add the **Key** of the provider. This is the provider's unique identifier (cannot be changed after creation).
	1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application.
	1. Select **Add connection**. You will be redirected to the connection's configuration page.
	The next steps involve configuring both your Identity Provider (IdP) and Clerk. Keep both dashboards open as you'll need to reference them.
	1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
	1. Select **Add connection** and select **For specific domains**.
	1. Under **Or connect a third party**, select **OIDC (OpenID Connect)**.
	1. Enter the **Name** of the connection.
	1. Enter the **Key** of the provider. This is the provider's unique identifier which cannot be changed after creation.
	1. Enter the **Specific Domain**. This is the domain of the users you want to allow to sign in to your app.
	1. Select **Add connection**. You'll be redirected to the connection's configuration page. Keep this page open.

[victoriaxyz]

@Nikpolik where do users get the oauth_custom_ key? What's an example?

[Nikpolik]

It's up to them to set something so they can know from which connection each user was created!

[victoriaxyz]

@Nikpolik, the docs are looking good. I'd love to see an example connection setup.

[Nikpolik]

@victoriaxyz I dm'd you the credentials for a dummy microsoft provider I have setup if you want to test this! Ping me if you want to look at this together!

[alexisintech]

LGTM! Thank you so much 😸💖

[victoriaxyz]

Thanks for pairing with me to test this, @Nikpolik! :)

Please feel free to change or edit the updates I added:

• add sentence about different protocols
• fix terms and add link to OIDC
• use IdP abbreviation
• update instructions to allow additional identifiers
• add Allow additional identifiers (optional) section and refactor sections
• open Dashboard PR to update copy

We should also update the SSO connection custom provider doc to match the following update in this doc:

Most IdPs provide a Discovery Endpoint to retrieve metadata about an OIDC provider. If your IdP doesn't offer this endpoint or if you need greater control over the setup process, select Use Manual Configuration in the Identity Provider Configuration section to manually configure the connection.

cc: @alexisintech

[alexisintech]

they should already be there according to the last step in the previous step. so the copy before was correct

[Nikpolik]

Adjusted steps 1 and 2 to make this a bit more clear 8f754cb.

Also moved the discovery endpoint explanation to a Note so we can have all the required steps uninterrupted.

WDYT?

[alexisintech]

You wouldn't get the client ID and client secret in the clerk dashboard. you would get those from your IdP and then paste them in the clerk dashboard. so i believe the copy before was correct

[alexisintech]

Suggested change

Attribute mapping allows you to map the IdP's claims with Clerk's user properties such as the `email_verified`. OIDC Enterprise connections require the [`email_verified` claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims:~:text=Section%C2%A05.7.-,email_verified,-boolean) to verify email ownership. However, some IdPs, such as Microsoft Azure Active Directory, might not return this claim or use a non-standard format.

Attribute mapping allows you to map the IdP's claims with Clerk's user properties. OIDC enterprise connections require the [`email_verified` claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims:~:text=Section%C2%A05.7.-,email_verified,-boolean) to verify email ownership. However, some IdPs, such as Microsoft Azure Active Directory, might not return this claim or use a non-standard format.

[Nikpolik]

Changed this section to be more similar to it's previous form 07e1f1a

It's not required for most users so I think keeping it brief is better to avoid confusion 🙂

[alexisintech]

Suggested change

	- If the IdPs that provide the value, enter `email_verified`.
	- If the IdP provides the value, enter `email_verified`.

[alexisintech]

Suggested change

	1. In the Clerk Dashboard, navigate to the **Connection** tab of the connection's settings page.
	1. In the **Attribute Mapping** section, under the **Email address verified** field:
	1. In the connection's settings page in the Clerk Dashboard, under **Attribute Mapping**, for the **Email address verified* field:

[alexisintech]

let's use the same syntax as the sentence before, and use a contraction!

Suggested change

	- For IdPs that do not provide the value, enter `xms_edov`.
	- If the IdP doesn't provide the value, enter `xms_edov`.

[Nikpolik]

If it's ok, I removed this part as it is to specific to Microsoft!

[alexisintech]

this step mentions that the user should set the default value to true whether the idp returns the claim or not. but then this callout says the user should only do it if the idp doesn't return the claim. which is the correct case so we can update accordingly?

Suggested change

	> If the IdP doesn't return this claim, you can either leave the **Email address verified** field blank or set the **Default value** to `True`. This should only be done if you fully trust the IdP, as it can expose your app to [OAuth attacks](https://www.descope.com/blog/post/noauth).
	> If the IdP doesn't return this claim, you can either leave the **Email address verified** field blank or set the **Default value** to **True**. This should only be done if you fully trust the IdP, as it can expose your app to [OAuth attacks](https://www.descope.com/blog/post/noauth).

[Nikpolik]

Fixed!

[alexisintech]

yes, the way you've rewritten it makes a lot more sense!

[alexisintech]

looks awesome!! 😸💖