fixed the summury section

ShazaAldawamneh · ShazaAldawamneh · commit dfcbc0c67d8b · 2025-03-04T10:32:14.000+01:00
diff --git a/enhancements/authentication/AuthConfig-missing-fields.md b/enhancements/authentication/AuthConfig-missing-fields.md
@@ -1,53 +1,62 @@
 ---
 title: Add Missing Authentication Configuration Fields to OpenShift API
 authors:
-  - @ShazaAldawamneh
+  - "ß@ShazaAldawamneh"
 reviewers: # Include a comment about what domain expertise a reviewer is expected to bring and what area of the enhancement you expect them to focus on. For example: - "@networkguru, for networking aspects, please look at IP bootstrapping aspect"
-  - TBD
+  - "@everettraven" 
+  - "@ibihim"
+  - "@liouk"
 approvers: # A single approver is preferred, the role of the approver is to raise important questions, help ensure the enhancement receives reviews from all applicable areas/SMEs, and determine when consensus is achieved such that the EP can move forward to implementation.  Having multiple approvers makes it difficult to determine who is responsible for the actual approval.
-  - TBD
+  - "@sjenning"
 api-approvers: # In case of new or modified APIs or API extensions (CRDs, aggregated apiservers, webhooks, finalizers). If there is no API change, use "None"
-  - TBD
+  - "@JoelSpeed"
+  - "@everettraven"
 creation-date: 2025-03-03
 last-updated: 2025-03-03
 tracking-link: # link to the tracking ticket (for example: Jira Feature or Epic ticket) that corresponds to this enhancement
-  - https://issues.redhat.com/browse/CNTRLPLANE-127
+  - "https://issues.redhat.com/browse/CNTRLPLANE-127"
 see-also:
-  - "/enhancements/this-other-neat-thing.md"
+  - "https://issues.redhat.com/browse/OCPSTRAT-306"
 replaces:
-  - "/enhancements/that-less-than-great-idea.md"
+  - ""
 superseded-by:
-  - "/enhancements/our-past-effort.md"
+  - ""
 ---
-# Neat Enhancement Idea
-
-Add Missing Authentication Configuration Fields to OpenShift API
+# Add Missing Authentication Configuration Fields to OpenShift API
 
 ## Summary
 
-This enhancement proposal adds several missing authentication fields to the OpenShift API to improve flexibility, security, and interoperability with different identity providers. The key additions include Issuer fields (DiscoveryURL, AudienceMatchPolicy) for better OIDC configuration, ClaimMappings (UID, Extra) for customizable user identity resolution, ClaimValidationRules to enable advanced token validation through CEL expressions, and UserValidationRules to enforce security policies on usernames and groups. These enhancements ensure stronger identity validation, support for complex authentication setups, better multi-tenancy management, and improved RBAC enforcement, making OpenShift authentication more robust and adaptable to various enterprise use cases.
+This enhancement proposal adds missing authentication fields to the structured authentication configuration in the OpenShift API, improving flexibility, security, and interoperability with identity providers.  
+
+Key additions include:  
+- **Issuer fields** (`DiscoveryURL`, `AudienceMatchPolicy`) for advanced OIDC configuration.  
+- **ClaimMappings** (`UID`, `Extra`) for customizable user identity resolution.  
+- **ClaimValidationRules** to enable advanced token validation via CEL expressions.  
+- **UserValidationRules** to enforce security policies on usernames and groups.  
+
+These changes enhance identity validation, support complex authentication setups, strengthen multi-tenancy, and improve RBAC enforcement. For reference, these updates align with Kubernetes' authentication configuration model: [Kubernetes Authentication Configuration](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration).  
 
-## Motivation
-The current OpenShift authentication API lacks key fields that are essential for organizations needing advanced OIDC configurations, fine-grained identity control, and enhanced security enforcement. By adding missing fields such as Issuer configurations (DiscoveryURL, AudienceMatchPolicy), ClaimMappings (UID, Extra), ClaimValidationRules, and UserValidationRules, we address critical gaps in authentication flexibility, security, and multi-tenancy support.
+## Motivation  
 
+The current OpenShift authentication API lacks key fields necessary for organizations that require advanced OIDC configurations, fine-grained identity control, and stronger security enforcement. By adding missing fields such as **Issuer configurations** (`DiscoveryURL`, `AudienceMatchPolicy`), **ClaimMappings** (`UID`, `Extra`), **ClaimValidationRules**, and **UserValidationRules**, this enhancement addresses critical gaps in authentication flexibility, security, and multi-tenancy support.  
 
-### User Stories
-- As a customer, I want to configure the DiscoveryURL and AudienceMatchPolicy in OpenShift so that I can ensure my OIDC provider’s metadata is correctly accessed and that tokens are validated for the correct audience, even in complex networking setups or multi-cluster environments.
+## User Stories  
 
-- As an enterprise administrator, I want to define UID mappings and store extra claim data for my users, allowing me to customize OIDC claims and uniquely identify users across multiple tenants, while also supporting flexible roles and permissions. This will help me integrate with external identity providers and enforce role-based access control (RBAC) based on custom claims.
+- **As a customer**, I want to configure the `DiscoveryURL` and `AudienceMatchPolicy` in OpenShift so that my OIDC provider’s metadata is correctly accessed, and tokens are validated for the correct audience—even in complex networking setups or multi-cluster environments.  
 
-- As a security engineer, I want to use ClaimValidationRules with CEL expressions to enforce advanced token validation logic (e.g., checking token expiration or validating multiple claims) and implement UserValidationRules to prevent the use of reserved system usernames and groups. This ensures that only valid, authorized users are allowed access, reducing security risks and preventing privilege escalation.
+- **As an enterprise administrator**, I want to define `UID` mappings and store extra claim data, allowing me to customize OIDC claims and uniquely identify users across multiple tenants. This ensures seamless integration with external identity providers and supports **role-based access control (RBAC)** based on custom claims.  
 
-### Goals
+- **As a security engineer**, I want to use **ClaimValidationRules** with **CEL expressions** to enforce advanced token validation logic (e.g., checking token expiration or validating multiple claims). Additionally, I want to implement **UserValidationRules** to prevent the use of reserved system usernames and groups, reducing security risks and preventing privilege escalation.  
 
-1. Allow administrators to configure and validate advanced authentication settings, including DiscoveryURL, AudienceMatchPolicy, UID, Extra claims, ClaimValidationRules, and UserValidationRules.
-2. Enable flexible claim mapping, multi-cluster support, and integration with external identity providers.
-3. Enhance security by enforcing advanced validation and user identity rules for proper access control.
+## Goals  
 
-### Non-Goals
+1. Enable administrators to configure and validate advanced authentication settings, including `DiscoveryURL`, `AudienceMatchPolicy`, `UID`, `Extra` claims, `ClaimValidationRules`, and `UserValidationRules`.  
+2. Support flexible claim mapping, multi-cluster authentication, and integration with external identity providers.  
+3. Strengthen security by enforcing advanced validation rules and identity policies to ensure proper access control.  
 
-1. Does not include new authentication mechanisms outside of OIDC.
+## Non-Goals  
 
+- This enhancement does **not** introduce new authentication mechanisms beyond OIDC.  
 
 ## Proposal
 
