From d4adb7953976c47b859f572ba5363c6d08377cff Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Wed, 27 Sep 2023 14:02:25 -0400
Subject: [PATCH] docs: Add authenticated-repos.md

Document options for accessing repositories that require authentication.
---
 docs/authenticated-repos.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 docs/authenticated-repos.md

diff --git a/docs/authenticated-repos.md b/docs/authenticated-repos.md
new file mode 100644
index 0000000000..7c872dc31e
--- /dev/null
+++ b/docs/authenticated-repos.md
@@ -0,0 +1,28 @@
+---
+nav_order: 9
+---
+
+# Handling access to authenticated remote repositories
+{: .no_toc }
+
+1. TOC
+{:toc}
+
+
+There is no default concept of an "ostree server"; ostree expects to talk to a generic webserver, so any tool and technique applicable for generic HTTP can also apply to fetching content via OSTree's builtin HTTP client.
+
+## Using mutual TLS
+
+The `tls-client-cert-path` and `tls-client-key-path` expose the underlying HTTP code for [mutual TLS](https://en.wikipedia.org/wiki/Mutual_authentication).
+
+Each device can be provisioned with a secret key which grants it access to the webserver.
+
+## Using basic authentication
+
+The client supports HTTP `basic` authentication, but this has well-known management drawbacks.
+
+## Using cookies
+
+Since [this pull request](https://github.com/ostreedev/ostree/pull/531) ostree supports adding cookies to a remote configuration.  This can be used with e.g. [Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-cookies.html).
+
+