Add updated authn-oidc policy example

design/authenticators/authn_oidc/oidc_configuration_enhancements.md

@@ -8,9 +8,74 @@ There have been multiple instances where users of the OIDC authenticator have ex
 - Limited ability to debug OIDC-related HTTP errors
 
 ## Solution
-An existing workaround for the CA cert issue mentioned previously involves a user manually updating the OpenSSL truststore in the container to include any custom CA certs. 
+It would be more consistent with other authenticator configs if authn-oidc were to support a `ca-cert` variable in the authenticator policy. This value would be used to inform the HTTP client which CA cert(s) to use to verify the connection with an OIDC provider and/or any proxies that sit in the middle. An authenticator policy featuring this variable may look like:
+```
+	
+- !policy
+  id: conjur/authn-oidc/<service-id>
+  body:
+  - !webservice
+  - !variable token-ttl
+
+  - !variable provider-uri
+  - !variable client-id
+  - !variable client-secret
+
+  # CA Cert [Optional] - Use this to define a custom CA cert or cert chain to verify the connection with the OIDC provider
+  - !variable ca-cert
+
+  # Token TTL [Optional] - Use this to override default
+  - !variable token-ttl
+
+  # URI of Conjur instance
+  - !variable redirect-uri
+
+  # Defines the JWT claim to use as the Conjur identifier
+  - !variable claim-mapping
+
+  # Name [Optional] - Defines Name to display in Conjur-UI
+  - !variable name
+
+  # Provider-Scope [Optional] - Defines claim scope ie: openid email profile
+  - !variable provider-scope
+
+  # Status Webservice for authenticator
+  - !webservice
+    id: status
+    annotations:
+      description: Status service to check that the authenticator is configured correctly
+ 
+  - !group
+    id: operators
+    annotations:
+      description: Group of users who can check the status of the authenticator
+ 
+  - !permit
+     role: !group operators
+     privilege: [ read ]
+     resource: !webservice status
+
+  - !group
+    id: users
+    annotations:
+      description: Group of users who can authenticate using the authn-oidc/<service-id> authenticator
+
+  - !permit
+    role: !group users
+    privilege: [ read, authenticate ]
+    resource: !webservice
+
+#---
+# Need to grant user members to role
+- !grant
+  members:
+  - !user [email protected]
+  role: !group conjur/authn-oidc/<service id>/users
+```
+
 
-We can leverage this idea in Conjur to do the same thing on the fly. A simple wrapper method which creates a temporary truststore in the container and sets the OpenSSL environment variable `SSL_CERT_FILE` to point to this tempfile should be sufficient. Cleanup involves unsetting or resetting the environment variable to its original value, and ensuring that the tempfile has been cleaned up after code execution.
+## Implementation
+An existing workaround for the CA cert issue mentioned previously involves a user manually updating the OpenSSL truststore in the container to include any custom CA certs. We can leverage this idea in Conjur to do the same thing on the fly. A simple wrapper method which creates a temporary truststore in the container and sets the OpenSSL environment variable `SSL_CERT_FILE` to point to this tempfile should be sufficient. Cleanup involves unsetting or resetting the environment variable to its original value, and ensuring that the tempfile has been cleaned up after code execution.
 
 An example of what this wrapper method may look like:
 ```ruby