From 1b7c99ec0be112afd887bb40b9ea07f9fd0d31fb Mon Sep 17 00:00:00 2001 From: James Elliott Date: Mon, 22 May 2023 18:44:40 +1000 Subject: [PATCH] docs(oidc): authz policy (#5468) Signed-off-by: James Elliott --- .../configuration/security/access-control.md | 5 +++++ .../frequently-asked-questions.md | 18 ++++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/docs/content/en/configuration/security/access-control.md b/docs/content/en/configuration/security/access-control.md index b4d43a15d..0e6ad62d0 100644 --- a/docs/content/en/configuration/security/access-control.md +++ b/docs/content/en/configuration/security/access-control.md @@ -59,6 +59,11 @@ access_control: ## Options +*__Important Note:__ This section does not apply to OpenID Connect 1.0. See the [Frequently Asked Questions] for more +information.* + +[Frequently Asked Questions]: ../../integration/openid-connect/frequently-asked-questions.md#why-doesnt-the-access-control-configuration-work-with-openid-connect-10 + This section describes the individual configuration options. ### default_policy diff --git a/docs/content/en/integration/openid-connect/frequently-asked-questions.md b/docs/content/en/integration/openid-connect/frequently-asked-questions.md index f99227cba..76165f9f4 100644 --- a/docs/content/en/integration/openid-connect/frequently-asked-questions.md +++ b/docs/content/en/integration/openid-connect/frequently-asked-questions.md 
@@ -88,6 +88,24 @@ If you've configured Authelia alongside a proxy and are making a request directl request via the proxy. If you're avoiding the proxy due to a DNS limitation see [Solution: Configure DNS Appropriately](#configure-dns-appropriately) section. +### Why doesn't the access control configuration work with OpenID Connect 1.0? + +The [access control](../../configuration/security/access-control.md) configuration contains several elements which are +not very compatible with OpenID Connect 1.0. They were designed with per-request authorizations in mind. In particular +the [resources](../../configuration/security/access-control.md#resources), +[query](../../configuration/security/access-control.md#query), +[methods](../../configuration/security/access-control.md#methods), and +[networks](../../configuration/security/access-control.md#networks) criteria are very specific to each request and to +some degree so are the [domain](../../configuration/security/access-control.md#domain) and +[domain regex](../../configuration/security/access-control.md#domainregex) criteria as the token is issued to the client +not a specific domain. + +As such we implemented the +[authorization policy](../../configuration/identity-providers/openid-connect/clients.md#authorizationpolicy) as a direct +option in the client. It's likely in the future that we'll expand this option to encompass the features that work well +with OpenID Connect 1.0 such as the [subject](../../configuration/security/access-control.md#subject) criteria which +reasonably be matched to an individual authorization policy. + ## Solutions The following section details solutions for multiple of the questions above.
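Review bot: In the first hunk (`access-control.md`, under `## Options`), the new note reads "This section does not apply to OpenID Connect 1.0", but it sits beneath the `## Options` heading while the FAQ it links to explains that the whole access control configuration (default_policy, rules, resources, methods, networks, domain) is bypassed for OIDC clients. A reader landing on `## Options` will take "this section" to mean only the options list; consider moving the note to the top of the page or rewording it to "The access control configuration does not apply to OpenID Connect 1.0 clients, which use the client `authorization_policy` instead" so the scope is unambiguous. It would also help to point directly at the `authorization_policy` client option in this note, as the FAQ does, rather than only at the FAQ.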
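Review bot: In the second hunk (`frequently-asked-questions.md`), the last sentence of the new FAQ entry is missing a verb: "such as the [subject] criteria which reasonably be matched to an individual authorization policy" should read "which could reasonably be matched to an individual authorization policy". In the same paragraph, "as the token is issued to the client not a specific domain" wants a comma ("to the client, not a specific domain") to avoid reading as "the client not a specific domain". The explanation itself is accurate to what the hunk states (per-request criteria cannot be evaluated when an OIDC token is issued once to a client), but the entry would be more useful to someone debugging an unexpected allow/deny if it spelled out the consequence once: access control rules are not consulted at all for OIDC clients, so the `authorization_policy` on the client is the only place that decision is made.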