
Add PIB information to OIDC SSO #5482


Draft
wants to merge 3 commits into base: development
26 changes: 19 additions & 7 deletions content/en/docs/appstore/modules/oidc.md
Expand Up @@ -3,7 +3,7 @@ title: "OIDC SSO"
url: /appstore/modules/oidc/
category: "Modules"
description: "Describes the configuration and usage of the OIDC SSO module, which is available in the Mendix Marketplace."
tags: ["marketplace", "marketplace component", "OIDC", "IdP", "identity provider", "platform support", "Azure"]
tags: ["marketplace", "marketplace component", "OIDC", "IdP", "identity provider", "platform support", "Azure", "PIB"]
#If moving or renaming this doc file, implement a temporary redirect and let the respective team know they should update the URL in the product. See Mapping to Products for more details.
# Linked from https://marketplace.mendix.com/link/component/120371
---
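Review bot: the `tags` addition of "PIB" alone will not be found by readers searching for the expanded name; consider adding "Private IAM Broker" next to "PIB", the same way the list already pairs "IdP" with "identity provider".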
Expand Down Expand Up @@ -381,6 +381,14 @@ If you want to use the information in an access token which is a JWT, you need t
]
```

* Private IAM Broker (PIB) – in this case the `scope` claim is interpreted — for example:

```json {linenos=false}
{
"scope": "mx:app:userrole:a2275396-a31a-4f06-81c5-10fdfcb9f507 mx:app:userrole:c8de23c9-64fa-4faa-a263-6debc7e01edf mx:app:userrole:20c79248-e9f2-4131-b4a1-ee6b634b8f69"
}
```

* If you are using another IdP or want to use a different claim, you can create a custom microflow to parse the access token.

To parse access tokens, you need to do the following:
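Review bot: the new PIB bullet says the `scope` claim "is interpreted" but does not say how the space-separated `mx:app:userrole:<uuid>` values in the example are matched to user roles in the Mendix app, or what the UUID identifies; the SAM section further down states its matching rule explicitly, so this bullet should do the same, e.g. "each `mx:app:userrole:` value is matched against the user roles defined in your app, by <identifier>". Minor: the sentence mixes an en dash and an em dash ("PIB – in this case ... interpreted — for example"); use one, matching the other bullets in this list.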
Expand All @@ -391,10 +399,6 @@ To parse access tokens, you need to do the following:
1. Check **Enable Access Token Parsing** to parse access tokens when performing [OIDC Client Configuration](#client-configuration).
1. Select the appropriate microflow to parse the access token as described in the relevant section below. If you have added a new microflow, you will need to refresh the module containing your microflow as described in [Installing Mx Model Reflection](#mxmodelreflection).

{{% alert color="info" %}}
In version 2.0.0 and above of the OIDC SSO module you will also find a microflow for parsing PIB tokens. This feature will be released publicly in the future and documented at that time.
{{% /alert %}}

#### 8.2.1 Parsing SAM Access Tokens

{{% alert color="info" %}}
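Review bot: dropping the alert removes the only statement of which module version ships the PIB parsing microflow ("version 2.0.0 and above"). The new section 8.2.2 below names `OIDC.Default_PIB_TokenProcessing_CustomATP` without any version requirement, so the version note should move into that section rather than disappear; otherwise users on older module versions will look for a microflow that is not in their selection list.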
Expand All @@ -409,15 +413,23 @@ To parse of SAM access tokens you need to do the following when performing [OIDC
1. Configure the user roles in your app to match the roles returned by SAM. End-users will be given the matching role when they sign into the app. If the role in the SAM token is not found in the Mendix app the end-user will be given the role `User`.
1. Save the configuration.

#### 8.2.2 Parsing Microsoft Azure AD Access Tokens
#### 8.2.2 Parsing PIB Access Tokens

Mendix has released a Private IAM Broker (PIB). This allows non-Mendix clients to request access tokens which authorize them to consume APIs exposed by your Mendix backend app without a dependency on any other IAM infrastructure.

The OIDC SSO module provides a default access token parsing microflow for PIB. To use it, select the `OIDC.Default_PIB_TokenProcessing_CustomATP` microflow.

To confirm that the authorization is working, get an access token from PIB and pass it to the API Endpoint using the authorization header.

#### 8.2.3 Parsing Microsoft Azure AD Access Tokens

The OIDC SSO module provides a default access token parsing microflow for Azure AD. To use it, select the appropriate access token parsing microflow:

* For Azure AD, the default access token parsing microflow is `OIDC.Default_Azure_TokenProcessing_CustomATP`.

To confirm that the authorization is working, get an access token from your Azure AD IdP and pass it to the API Endpoint using the authorization header.

#### 8.2.3 Parsing Access Tokens Using a Custom Microflow
#### 8.2.4 Parsing Access Tokens Using a Custom Microflow

If you choose to implement your own microflow to parse an access token, the microflow name must contain `CustomATP`, for example `CustomATP_MyTokenParser`. This is how you can parse access tokens issued by IdPs such as Microsoft Azure AD.

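Review bot: section 8.2.2 does not say what happens when a role in the PIB token has no matching user role in the app, whereas the SAM section above spells out that the end-user is then given the role `User`; add the equivalent sentence for PIB (or state that the behaviour is the same) so the authorization outcome is predictable. Two smaller points: renaming 8.2.2 and renumbering 8.2.3/8.2.4 changes the generated heading anchors, so any links elsewhere in the docs to the Azure AD or custom-microflow sections need re-checking; and "pass it to the API Endpoint using the authorization header", copied from the Azure section, would be clearer with the header form spelled out, e.g. `Authorization: Bearer <access token>`.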