Updated OpenID Connect OAuth2 (markdown)

OpenID-Connect----OAuth2.md

@@ -1,4 +1,4 @@
-EGroupware 19.1+ comes with an OpenID Connect / OAuth2 server integrated.
+### EGroupware 19.1+ comes with an OpenID Connect / OAuth2 server integrated
 
 This page describes how to authenticate and (optionally) integrate other applications using it.
 
@@ -9,3 +9,61 @@ This page describes how to authenticate and (optionally) integrate other applica
 * User information: https://example.org/egroupware/openid/endpoint.php/userinfo
 * Public key: https://example.org/egroupware/openid/endpoint.php/jwks
 > Replace example.org with the full qualified domain-name your EGroupware server uses.
+
+### Supported Grants:
+* Authorization Code: user authorized access and get auth-code, server requests access-token via backchannel
+* Refresh Token: token to refresh access-token after it's expired
+* Client Credentials: server requests access-token without further authorization
+* Implicit: user authorized access and get access-token and auth-code, server requests own access-token via backchannel
+* Password: other server checks username/password of EGroupware user (not recommended any more, as other server gets the password!)
+
+### Client configuration in EGroupware
+> Go to: Admin > Applications > OpenID / OAuth2 server > Clients
+
+### Configuration of tested clients
+
+#### Rocket.Chat custom OAuth configuration
+
+Install Rocket.Chat eg. via [docker-compose](https://rocket.chat/docs/installation/docker-containers/docker-compose/).
+
+You need to create a Client-Identifier and -Secret via Admin >> OpenID / OAuth2 server >> Clients with the following grants:
+* Authorization Code
+* Refresh Token
+* Implicit
+
+Then head in the Rocket.Chat Administration down to OAuth and click [Add custom oauth], give it a name eg. "EGroupware" and add the following values:
+```
+Enable:	        True
+URL:	        https://example.org/egroupware/openid/endpoint.php
+Token Path:     /access_token
+Token Send Via: Payload
+Identity Token Send Via:  Header
+Identity Path:  /userinfo
+Authorize Path: /authorize
+Scope:          openid email profile roles
+Param Name for access token: access_token
+Id:             <client-id-from-egroupware>
+Secret:         <client-secret-from-egroupware>
+Login Style:    Redirect
+Button Text:    EGroupware users click here
+Username field: id
+Name field:     name
+Avatar field:   picture
+Roles/Groups field name:  roles
+Merge roles from SSO:     True (currently role got lost when rocketchat/status app login to RC api!)
+Merge Users:    True
+```
+Then click on [Save changes] to activate login and user creation through EGroupware.
+
+(If Rocket.Chat runs in Docker on a Mac and EGroupware directly on the Mac, use "docker.for.mac.localhost" as hostname, as it is different from localhost!)
+
+If you only want users from EGroupware and no free registration with local passwords, go to Adminstration >> Accounts and set:
+```
+Show Default Login Form: False
+```
+
+### Troubleshooting
+* Enable request log under: Admin > Applications > OpenID / OAuth2 server > Request log
+> While the log does not record passwords, it contains the issued token and should not left running!
+* Free support via [EGroupware Forum](https://help.egroupware.org/) where users help other users and EGroupware GmbH supporters also help to a certain extend
+* [EGroupware GmbH offers payed support](https://www.egroupware.org/egroupware-support/) including our OpenID Connect and OAuth2 server