From 1111c45bc1af19e19553e4ef405c13b3f32864d8 Mon Sep 17 00:00:00 2001 From: jjeroch <94133633+jjeroch@users.noreply.github.com> Date: Sun, 7 Jan 2024 18:06:34 +0100 Subject: [PATCH 1/4] docs[security]: generic security.md enhanced by intro and user login session limitation docu --- .../10. Generic Security.md | 38 ++++++++++++++++++- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/docs/technical documentation/10. Generic Security.md b/docs/technical documentation/10. Generic Security.md index 6b01dda2..c526ecfa 100644 --- a/docs/technical documentation/10. Generic Security.md +++ b/docs/technical documentation/10. Generic Security.md 
@@ -1,5 +1,24 @@ ## Security Generic +This document serves as a introduce the security config of the catena-x refernce implementation with Keycloak. The settings outlined are designed to provide a robust security framework for test environments - ensuring the integrity, confidentiality, and availability of our system and data. + +Disclaimer: +The configurations suggested in this file are starting points and should be adapted to meet the specific security requirements of your environment. It's important to regularly review and update these settings to adapt to new threats and changing organizational needs. + +Please proceed with caution and consult security experts as needed when implementing these configurations. + +- [Host](#host) +- [Bruce Force Detection](#bruce-force-detection) +- [Clickjacking](#clickjacking) +- [Open Redirections](#open-redirections) +- [Compromised Authorization code](#compromised-authorization-code) +- [Compromised access and refresh tokens](#compromised-access-and-refresh-tokens) +- [CSRF attack](#csrf-attack) +- [Limiting Scope - Client Token](#limiting-scope---client-token) +- [Client Policies](#client-policies) +- [Limiting User Sessions](#limiting-user-sessions) + + ### Host Keycloak uses the public hostname in several ways, such as within token issuer fields and URLs in password reset emails. @@ -44,14 +63,15 @@ Common Parameters - Lock after 10 subsequent login failures - 1 second between failures (too quick for a human) -- Lock remains active for ~5 min +- Lock remains active for ~15 min ##### Preventing manual attacks - Lock after 10 subsequent login failures - Sliding window of 12 hours -- Lock remains active for ~ 45 min +- Lock remains active for ~ 15 min +Brute force detectation activation is highly recommended and cinfigures as part of the refernce solution. ### Clickjacking 
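Review bot: the two lockout durations in the Catena-X brute-force subsections change in this hunk (`-Lock remains active for ~5 min` to `+Lock remains active for ~15 min` under "Preventing automated attacks", and `~ 45 min` to `~ 15 min` under "Preventing manual attacks"), but the commit message only mentions the intro and the user-session documentation; either say in the message that the brute-force parameters changed, or confirm the new values are what the reference realm actually ships, since the screenshots `brute-force.png` and `common-parameters.png` referenced in this section should show the same numbers. With 15 min for both profiles, the only remaining difference between "automated" and "manual" is the one-second failure spacing versus the 12-hour sliding window, so it is worth stating which of the two the reference solution enables. Smaller points in the same hunks: "serves as a introduce the security config of the catena-x refernce implementation" should read "serves as an introduction to the security configuration of the Catena-X reference implementation"; the new TOC entry `- [Bruce Force Detection](#bruce-force-detection)` carries the "Bruce" typo into a link anchor, so correcting it later means changing the heading and the anchor together (`### Brute Force Detection` / `#brute-force-detection`); and `Brute force detectation activation is highly recommended and cinfigures as part of the refernce solution.` should be "Brute force detection is highly recommended and is configured as part of the reference solution."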
@@ -123,6 +143,20 @@ For any clients in CX, the scope is limited to the client scope. tbd +### Limiting User Sessions + +With the possibility "Limiting User Session" the number of sessions a user can run at once can get limited. When a user reaches the user session limit, they must end their current user sessions before they begin a new session. + +As part of the reference solution - the limit is not configured - it is up to the respective operator and env. owner to decide if the session limit is used/configured. +If a configuration is planned, the limit needs to get configured as part of the realm authnetication flow setup. + +![Tokens](/docs/static/authenticationflow.png) + +The flow that you must configure depends on how you authenticate users: +- Configure a browser flow if you use local or LDAP/AD authentication +- Configure a post-sign in client flow if you use SSO + + ## NOTICE This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0). From 76c1c64127d34eab8bf5aa354c3cf3b13da13d99 Mon Sep 17 00:00:00 2001 From: jjeroch <94133633+jjeroch@users.noreply.github.com> Date: Sun, 7 Jan 2024 18:10:44 +0100 Subject: [PATCH 2/4] doc[image]: added authentication flow image --- docs/static/authenticationflow.png | Bin 0 -> 14468 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 docs/static/authenticationflow.png 
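Review bot: the new "Limiting User Sessions" section says the limit "needs to get configured as part of the realm authentication flow setup" and points at `authenticationflow.png`, but it never names the step that has to be added to the flow or its settings (the maximum number of sessions and what happens when it is reached), so an operator cannot reproduce the screenshot from the text; add the step name and the values shown, and say whether the reference flow denies the new login or ends an existing session, because "they must end their current user sessions before they begin a new session" only holds for the former. The image alt text `![Tokens](/docs/static/authenticationflow.png)` was copied from the token screenshot earlier in the file and should describe this image (e.g. `![AuthenticationFlow](/docs/static/authenticationflow.png)`). Also, 'With the possibility "Limiting User Session" the number of sessions a user can run at once can get limited' is hard to read; "Keycloak can limit the number of concurrent sessions a user may have" says the same thing.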
diff --git a/docs/static/authenticationflow.png b/docs/static/authenticationflow.png new file mode 100644 index 0000000000000000000000000000000000000000..1c8119eea519157785d066b074ca370506b9fe75 GIT binary patch literal 14468 [base85-encoded PNG data omitted]
Date: Sun, 7 Jan 2024 18:12:37 +0100 Subject: [PATCH 3/4] docs[image]: license file added ---
docs/static/authenticationflow.png.license | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 docs/static/authenticationflow.png.license diff --git a/docs/static/authenticationflow.png.license b/docs/static/authenticationflow.png.license new file mode 100644 index 00000000..7eb90696 --- /dev/null +++ b/docs/static/authenticationflow.png.license @@ -0,0 +1,5 @@ +This work is licensed under the [CC-BY-4.0](https://creativecommons.org/licenses/by/4.0/legalcode). + +- SPDX-License-Identifier: CC-BY-4.0 +- SPDX-FileCopyrightText: Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation +- Source URL: https://github.com/eclipse-tractusx/portal-assets From 8578cf110cebd10be61a47bc829c5120279d30cc Mon Sep 17 00:00:00 2001 From: Phil Schneider Date: Mon, 8 Jan 2024 11:22:01 +0100 Subject: [PATCH 4/4] chore: fix typos --- .../10. Generic Security.md | 24 +++++-------------- 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/docs/technical documentation/10. Generic Security.md b/docs/technical documentation/10. Generic Security.md index c526ecfa..6449de03 100644 --- a/docs/technical documentation/10. Generic Security.md +++ b/docs/technical documentation/10. Generic Security.md 
@@ -1,6 +1,6 @@ ## Security Generic -This document serves as a introduce the security config of the catena-x refernce implementation with Keycloak. The settings outlined are designed to provide a robust security framework for test environments - ensuring the integrity, confidentiality, and availability of our system and data. +This document serves as a introduction for the security config of the catena-x reference implementation with Keycloak. The settings outlined are designed to provide a robust security framework for test environments - ensuring the integrity, confidentiality, and availability of our system and data. Disclaimer: The configurations suggested in this file are starting points and should be adapted to meet the specific security requirements of your environment. It's important to regularly review and update these settings to adapt to new threats and changing organizational needs. @@ -10,7 +10,7 @@ Please proceed with caution and consult security experts as needed when implemen - [Host](#host) - [Bruce Force Detection](#bruce-force-detection) - [Clickjacking](#clickjacking) -- [Open Redirections](#open-redirections) +- [Open Redirects](#open-redirects) - [Compromised Authorization code](#compromised-authorization-code) - [Compromised access and refresh tokens](#compromised-access-and-refresh-tokens) - [CSRF attack](#csrf-attack) @@ -18,7 +18,6 @@ Please proceed with caution and consult security experts as needed when implemen - [Client Policies](#client-policies) - [Limiting User Sessions](#limiting-user-sessions) - ### Host Keycloak uses the public hostname in several ways, such as within token issuer fields and URLs in password reset emails. 
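Review bot: the rewritten intro line still has a grammar slip: `+This document serves as a introduction for the security config` should be "serves as an introduction to the security configuration". The same hunk corrects the "Open Redirections" TOC entry to `- [Open Redirects](#open-redirects)` but leaves `- [Bruce Force Detection](#bruce-force-detection)` untouched, and the heading `### Bruce Force Detection` further down is unchanged as well; since this is the typo-fix commit, change both together so the anchor keeps resolving (`- [Brute Force Detection](#brute-force-detection)` and `### Brute Force Detection`).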
@@ -27,7 +26,6 @@ By default, the hostname derives from the request header. No validation exists t The hostname’s Service Provider Interface (SPI) provides a way to configure the hostname for requests. You can use this built-in provider to set a fixed URL for frontend requests while allowing backend requests based on the request URI. If the built-in provider does not have the required capability, you can develop a customized provider. - ### Bruce Force Detection A brute force attack happens when an attacker is trying to guess a user’s password multiple times. Keycloak has some limited brute force detection capabilities. If turned on, a user account will be temporarily disabled if a threshold of login failures is reached. To enable this feature go to the Realm Settings left menu item, click on the Security Defenses tab, then additional go to the Brute Force Detection sub-tab. @@ -40,7 +38,6 @@ When a user is temporarily locked and attempts to log in, {project_name} display Details: https://www.keycloak.org/docs/latest/server_admin/index.html#password-guess-brute-force-attacks - Config: 1. Click Realm Settings in the menu @@ -51,12 +48,10 @@ Brute force detection ![BruteForce](/docs/static/brute-force.png) - Common Parameters ![CommonParameters](/docs/static/common-parameters.png) - #### Catena-X configuration ##### Preventing automated attacks @@ -71,7 +66,7 @@ Common Parameters - Sliding window of 12 hours - Lock remains active for ~ 15 min -Brute force detectation activation is highly recommended and cinfigures as part of the refernce solution. +Brute force detection activation is highly recommended and configures as part of the reference solution. ### Clickjacking 
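Review bot: `+Brute force detection activation is highly recommended and configures as part of the reference solution.` is still ungrammatical after this fix; it should read "... and is configured as part of the reference solution." The context lines of the same hunk show the unresolved AsciiDoc attribute `{project_name}` (`When a user is temporarily locked and attempts to log in, {project_name} display...`), left over from copying the upstream Keycloak documentation; the same placeholder appears in the "Compromised access and refresh tokens" and "CSRF attack" sections below, and a typo commit is the right place to replace it with "Keycloak" throughout.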
@@ -88,14 +83,12 @@ In the Admin Console, you can specify the values of the X-FRAME_OPTIONS and Cont By default, Keycloak sets up a same-origin policy for iframes. - -### Open redirections +### Open redirects An open redirector is an endpoint using a parameter to automatically redirect a user agent to the location specified by the parameter value without validation. An attacker can use the end-user authorization endpoint and the redirect URI parameter to use the authorization server as an open redirector, using a user’s trust in an authorization server to launch a phishing attack. Keycloak requires that all registered applications and clients register at least one redirection URI pattern. When a client requests that Keycloak performs a redirect, Keycloak checks the redirect URI against the list of valid registered URI patterns. Clients and applications must register as specific a URI pattern as possible to mitigate open redirector attacks. - ### Compromised Authorization code For the OIDC Auth Code Flow, Keycloak generates a cryptographically strong random value for its authorization codes. An authorization code is used only once to obtain an access token. @@ -106,7 +99,6 @@ You can also defend against leaked authorization codes by applying Proof Key for -- not yet considered in CX -- - ### Compromised access and refresh tokens Keycloak includes several actions to prevent malicious actors from stealing access tokens and refresh tokens. The crucial action is to enforce SSL/HTTPS communication between {project_name} and its clients and applications. {project_name} does not enable SSL by default. 
@@ -117,7 +109,6 @@ In the current project phase, we will proceed with the default values for the to ![Tokens](/docs/static/tokens.png) - ### CSRF attack A Cross-site request forgery (CSRF) attack uses HTTP requests from users that websites have already authenticated. Any site using cookie-based authentication is vulnerable to CSRF attacks. You can mitigate these attacks by matching a state cookie against a posted form or query parameter. @@ -128,7 +119,6 @@ The {project_name} Admin Console is a JavaScript/HTML5 application that makes RE The user account management section in {project_name} can be vulnerable to CSRF. To prevent CSRF attacks, {project_name} sets a state cookie and embeds the value of this cookie in hidden form fields or query parameters within action links. {project_name} checks the query/form parameter against the state cookie to verify that the user makes the call. - ### Limiting Scope - Client Token By default, new client applications have unlimited role scope mappings. Every access token for that client contains all permissions that the user has. If an attacker compromises the client and obtains the client’s access tokens, each system that the user can access is compromised. 
@@ -137,26 +127,24 @@ Limit the roles of an access token by using the Scope menu for each client. Alte For any clients in CX, the scope is limited to the client scope. - ### Client Policies tbd - ### Limiting User Sessions With the possibility "Limiting User Session" the number of sessions a user can run at once can get limited. When a user reaches the user session limit, they must end their current user sessions before they begin a new session. As part of the reference solution - the limit is not configured - it is up to the respective operator and env. owner to decide if the session limit is used/configured. -If a configuration is planned, the limit needs to get configured as part of the realm authnetication flow setup. +If a configuration is planned, the limit needs to get configured as part of the realm authentication flow setup. ![Tokens](/docs/static/authenticationflow.png) The flow that you must configure depends on how you authenticate users: + - Configure a browser flow if you use local or LDAP/AD authentication - Configure a post-sign in client flow if you use SSO - ## NOTICE This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).
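Review bot: `### Client Policies` is still just `tbd` in a document the intro presents as the security baseline of the reference implementation; either fill it in or state explicitly that client policies are not configured in the reference realm, the way the "Limiting User Sessions" section right below does for session limits. In the user-session hunk, this commit only changes `authnetication` to `authentication` and adds a blank line before the bullet list, while `![Tokens](/docs/static/authenticationflow.png)` still carries the alt text copied from the tokens screenshot and 'With the possibility "Limiting User Session" the number of sessions a user can run at once can get limited' still reads awkwardly ("Keycloak can limit the number of concurrent sessions per user"); both fit the scope of a typo-fix commit.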