Update idp-initiated logon

MarcialRosales · MarcialRosales · commit f5431190ba78 · 2023-03-29T12:39:41.000+02:00
diff --git a/README.md b/README.md
@@ -135,21 +135,29 @@ To configure RabbitMQ Management UI with OAuth 2.0 you need the following config
 
 ### Identity-Provider initiated logon
 
-**Note**: **This feature has not been released yet. It is only available in the development docker image
-pivotalrabbitmq/rabbitmq:oidc_idp_initiated_login-otp-max-bazel **
+Alike Service-Provider initiated logon, with Idp-initiated logon users land to RabbitMQ management ui with a valid token.
+These two scenarios below are examples of Idp-initiated logon:
 
-When RabbitMQ is offered as a service from a web portal, it is more convenient to navigate to RabbitMQ Management UI with a single click. The web portal is responsible for getting a token before taking the user to the RabbitMQ Management UI web page.
+* RabbitMQ is behind a web portal which conveniently allow users to navigate directly to RabbitMQ fully authenticated
+* There is an OAuth2 proxy in between users and RabbitMQ which intercepts their requests and forwards them to RabbitMQ injecting the token into the HTTP `Authorization` header  
+
+The latter scenario is demonstrated [here](oauth2-examples-proxy.html). The former scenario is covered in the following section.
+
+#### Idp-initiated logon via the login endpoint
+
+A web portal offers their authenticated users, the option to navigate to RabbitMQ by submitting a form with their OAuth  token in `access_token` form field as it is illustrated below:
 
 ```
-    [ Idp | WebPortal ] ----> 2. /login (access_token=<TOKEN>)----    [ RabbitMQ Cluster ]            
+    [ Idp | WebPortal ] ----&gt; 2. /login [access_token: TOKEN]----   [ RabbitMQ Cluster ]            
               /|\                                                        |       /|\
                |                                                         +--------+
       1. rabbit_admin from a browser                                   3. validate token        
 ```
 
-At step 1, `rabbit_admin` user navigates to the web portal and clicks on the hyperlink associated to a RabbitMQ cluster. At step 2, the web portal obtains a token and redirects the user to RabbitMQ's `/login` url with the token within the form field `access_token`. And at step 3, RabbitMQ validates the token in the http request and if it is valid, it redirects the user to the overview page.
+If the access token is valid, RabbitMQ redirects the user to the overview page.
 
-By default, RabbitMQ Management UI is configured with service-provider initiated logon. You have to configure the Management plugin by adding just one entry to the configuration as shown below:
+By default, the RabbitMQ Management UI is configured with **service-provider initiated logon**, to configure **Identity-Provider initiated logon**,
+add one entry to `advanced.config`. For example:
 
 ```
  ...
@@ -161,7 +169,10 @@ By default, RabbitMQ Management UI is configured with service-provider initiated
   ]},
 ```
 
-**NOTE**: When the user logs out, or its RabbitMQ session expired, or the token expired, the user is directed to the Management landing page which presents the user with a button labeled `Click here to login`. The user is never redirected automatically back to the url configured in `oauth_provider_url`. Only when the user clicks on the `logout` button, it is redirected to the configured in `oauth_provider_url`.
+**Important**: when the user logs out, or its RabbitMQ session expired, or the token expired, the user is directed to the
+RabbitMQ Management landing page which has a **Click here to login** button.
+The user is never automatically redirected back to the url configured in the `oauth_provider_url`.
+It is only when the user clicks **Click here to login** , the user is redirected to the configured url in `oauth_provider_url`.
 
 ## Access other protocols using OAuth 2.0 tokens
 
@@ -343,7 +354,7 @@ make start-amqp1_0-publisher
 This section has been dedicated exclusively to explain what scopes you need in order to operate on **Topic Exchanges**.
 
 **NOTE**: None of the users and/or clients declared in any of Authorization servers provided by this tutorial have the
-appropriate scopes to operate on **Topic Exchanges**. In the [MQTT Protocol](#mqtt-protocol) section, the application used a hand-crafted token with the scopes to operate on **Topic Exchanges**. 
+appropriate scopes to operate on **Topic Exchanges**. In the [MQTT Protocol](#mqtt-protocol) section, the application used a hand-crafted token with the scopes to operate on **Topic Exchanges**.
 
 To bind and/or unbind a queue to/from a **Topic Exchange**, you need to have the following scopes:
 
