1 files changed, 29 insertions, 0 deletions

diff --git a/doc/disfluid.texi b/doc/disfluid.texi
index 17a985c..de04b9b 100644
--- a/doc/disfluid.texi
+++ b/doc/disfluid.texi
@@ -1546,6 +1546,7 @@ the user.
 @menu
 * Error signalling::
 * Router endpoint::
+* Request authentication::
 * Reverse proxy::
 @end menu
 
@@ -1633,6 +1634,34 @@ turn, or return a 404 Not Found response if no endpoint is relevant.
 Return the list of endpoints for @var{router}.
 @end deffn
 
+@node Request authentication
+@section Request authentication
+The @emph{(webid-oidc server endpoint authentication)} defines an
+endpoint that authentifies the user and passes the annotated request
+to a backend endpoint.
+
+@deftp {Class} <authenticator> (<endpoint>) @var{backend} @var{server-uri}
+The authenticator calls the @var{backend} endpoint once it has
+authentified the user. If the authentication is successful, the
+request is annotated with a @code{'user} entry in the alist table
+containing the URI of the user. Otherwise, it is passed as is.
+
+To check the validity of the DPoP proof, the endpoint must know the
+public name of the server that is running, @var{server-uri}.
+
+It can be constructed with the @code{#:@var{backend}} and
+@code{#:@var{server-uri}} keyword arguments, respectively an endpoint
+and an URI.
+@end deftp
+
+@deffn {Generic} backend @var{authenticator}
+Return the backend endpoint of @var{authenticator}.
+@end deffn
+
+@deffn {Generic} server-uri @var{authenticator}
+Return the public server URI of @var{authenticator}.
+@end deffn
+
 @node Reverse proxy
 @section Reverse proxy
 The @emph{(webid-oidc server endpoint reverse-proxy)} module defines a