From eb1210c7da94a2e42c8bf9db4270b4d7529de636 Mon Sep 17 00:00:00 2001
From: Prithvi Prabhu <prithvi@h2o.ai>
Date: Tue, 20 Oct 2020 16:41:29 -0700
Subject: [PATCH] docs: Add security, HTTPS, OIDC page

---
 website/docs/security.md | 49 ++++++++++++++++++++++++++++++++++++++++
 website/sidebars.js      |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 website/docs/security.md

diff --git a/website/docs/security.md b/website/docs/security.md
new file mode 100644
index 0000000000..41d7bc724e
--- /dev/null
+++ b/website/docs/security.md
@@ -0,0 +1,49 @@
+---
+title: Security
+---
+
+## HTTPS
+
+To enable HTTP over TLS to secure your Wave server, pass the following flags when starting the Wave server:
+
+- `-tls-cert-file`: path to certificate file.
+- `-tls-key-file`: path to private key file.
+
+### Self Signed Certificate
+
+To enable TLS during development, use a self-signed certificate.
+
+To create a private key and a self-signed certificate from scratch, use `openssl`:
+
+```
+openssl req \
+   -newkey rsa:2048 -nodes -keyout domain.key \
+   -x509 -days 365 -out domain.crt
+```
+
+The above command creates a 2048-bit private key (`domain.key`) and a self-signed x509 certificate (`domain.crt`) valid for 365 days.
+
+## Single Sign On
+
+Wave has built-in support for [OpenID Connect](https://openid.net/connect/).
+
+To enable OpenID Connect, pass the following flags when starting the Wave server:
+
+- `-oidc-provider-url`: URL for authentication (the identity provider's URL).
+- `-oidc-redirect-url`: URL to redirect to after authentication.
+- `-oidc-end-session-url`: URL to log out (or sign out).
+- `-oidc-client-id`: Client ID (refer to your identity provider's documentation).
+- `-oidc-client-secret`:  Client secret (refer to your identity provider's documentation).
+
+Once authenticated, you can access user's authentication and authorization information from your app using `q.auth` (see the [Auth](api/server#auth) class for details):
+
+
+```py
+from h2o_wave import Q, listen
+
+async def serve(q: Q):
+    print(q.auth.username)
+    print(q.auth.subject)
+
+listen('/example', serve)
+```
\ No newline at end of file
diff --git a/website/sidebars.js b/website/sidebars.js
index 9bcc96d426..4720d44999 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -35,6 +35,7 @@ module.exports = {
       'files',
       'plotting',
       'graphics',
+      'security',
       'logging',
       'development',
       'browser-testing',