From 90b30bad255f1faf01924369f079e68e2ba27fee Mon Sep 17 00:00:00 2001
From: Jeff Mitchell <jeffrey.mitchell@gmail.com>
Date: Mon, 12 Apr 2021 13:57:14 -0500
Subject: [PATCH] Use 202 for token polling endpoint instead of 204 (#1103)

---
 internal/cmd/commands/authenticate/oidc.go    |    2 +-
 .../resources/authmethods/auth_method.pb.go   |  128 +-
 .../authmethods/v1/auth_method.proto          |    8 +
 .../controller/handlers/authmethods/oidc.go   |   15 +-
 .../handlers/outgoing_interceptor.go          |   10 +
 .../docs/concepts/security/permissions.mdx    | 1122 +++++++----------
 6 files changed, 593 insertions(+), 692 deletions(-)

diff --git a/internal/cmd/commands/authenticate/oidc.go b/internal/cmd/commands/authenticate/oidc.go
index aa9f4156d1..b50469acb2 100644
--- a/internal/cmd/commands/authenticate/oidc.go
+++ b/internal/cmd/commands/authenticate/oidc.go
@@ -134,7 +134,7 @@ func (c *OidcCommand) Run(args []string) int {
 					watchCode = base.CommandCliError
 					return
 				}
-				if result.GetResponse().StatusCode() == http.StatusNoContent {
+				if result.GetResponse().StatusCode() == http.StatusAccepted {
 					// Nothing yet -- circle around.
 					continue
 				}
diff --git a/internal/gen/controller/api/resources/authmethods/auth_method.pb.go b/internal/gen/controller/api/resources/authmethods/auth_method.pb.go
index 265044bb2f..5fc9cbe5a9 100644
--- a/internal/gen/controller/api/resources/authmethods/auth_method.pb.go
+++ b/internal/gen/controller/api/resources/authmethods/auth_method.pb.go
@@ -671,6 +671,57 @@ func (x *OidcAuthMethodAuthenticateTokenRequest) GetTokenId() string {
 	return ""
 }
 
+// Internal only: the structure of a token response if it _does not_ contain a
+// token.
+type OidcAuthMethodAuthenticateTokenResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The status. This will always be "unknown". It will never be forwarded to
+	// the consumer.
+	Status string `protobuf:"bytes,10,opt,name=status,proto3" json:"status,omitempty"`
+}
+
+func (x *OidcAuthMethodAuthenticateTokenResponse) Reset() {
+	*x = OidcAuthMethodAuthenticateTokenResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_controller_api_resources_authmethods_v1_auth_method_proto_msgTypes[7]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *OidcAuthMethodAuthenticateTokenResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*OidcAuthMethodAuthenticateTokenResponse) ProtoMessage() {}
+
+func (x *OidcAuthMethodAuthenticateTokenResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_controller_api_resources_authmethods_v1_auth_method_proto_msgTypes[7]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use OidcAuthMethodAuthenticateTokenResponse.ProtoReflect.Descriptor instead.
+func (*OidcAuthMethodAuthenticateTokenResponse) Descriptor() ([]byte, []int) {
+	return file_controller_api_resources_authmethods_v1_auth_method_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *OidcAuthMethodAuthenticateTokenResponse) GetStatus() string {
+	if x != nil {
+		return x.Status
+	}
+	return ""
+}
+
 var File_controller_api_resources_authmethods_v1_auth_method_proto protoreflect.FileDescriptor
 
 var file_controller_api_resources_authmethods_v1_auth_method_proto_rawDesc = []byte{
@@ -859,14 +910,18 @@ var file_controller_api_resources_authmethods_v1_auth_method_proto_rawDesc = []b
 	0x41, 0x75, 0x74, 0x68, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e,
 	0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65,
 	0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x0a,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x69, 0x64, 0x42, 0x5d,
-	0x5a, 0x5b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73,
-	0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x61, 0x72, 0x79, 0x2f,
-	0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x63, 0x6f, 0x6e,
-	0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f,
-	0x75, 0x72, 0x63, 0x65, 0x73, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64,
-	0x73, 0x3b, 0x61, 0x75, 0x74, 0x68, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x73, 0x62, 0x06, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x69, 0x64, 0x22, 0x41,
+	0x0a, 0x27, 0x4f, 0x69, 0x64, 0x63, 0x41, 0x75, 0x74, 0x68, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64,
+	0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x54, 0x6f, 0x6b, 0x65,
+	0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61,
+	0x74, 0x75, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75,
+	0x73, 0x42, 0x5d, 0x5a, 0x5b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+	0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x61,
+	0x72, 0x79, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x67, 0x65, 0x6e, 0x2f,
+	0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72,
+	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6d, 0x65, 0x74,
+	0x68, 0x6f, 0x64, 0x73, 0x3b, 0x61, 0x75, 0x74, 0x68, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x73,
+	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -881,7 +936,7 @@ func file_controller_api_resources_authmethods_v1_auth_method_proto_rawDescGZIP(
 	return file_controller_api_resources_authmethods_v1_auth_method_proto_rawDescData
 }
 
-var file_controller_api_resources_authmethods_v1_auth_method_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
+var file_controller_api_resources_authmethods_v1_auth_method_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
 var file_controller_api_resources_authmethods_v1_auth_method_proto_goTypes = []interface{}{
 	(*AuthMethod)(nil),                                 // 0: controller.api.resources.authmethods.v1.AuthMethod
 	(*PasswordAuthMethodAttributes)(nil),               // 1: controller.api.resources.authmethods.v1.PasswordAuthMethodAttributes
@@ -890,28 +945,29 @@ var file_controller_api_resources_authmethods_v1_auth_method_proto_goTypes = []i
 	(*OidcAuthMethodAuthenticateCallbackRequest)(nil),  // 4: controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateCallbackRequest
 	(*OidcAuthMethodAuthenticateCallbackResponse)(nil), // 5: controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateCallbackResponse
 	(*OidcAuthMethodAuthenticateTokenRequest)(nil),     // 6: controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateTokenRequest
-	nil,                          // 7: controller.api.resources.authmethods.v1.AuthMethod.AuthorizedCollectionActionsEntry
-	(*scopes.ScopeInfo)(nil),     // 8: controller.api.resources.scopes.v1.ScopeInfo
-	(*wrappers.StringValue)(nil), // 9: google.protobuf.StringValue
-	(*timestamp.Timestamp)(nil),  // 10: google.protobuf.Timestamp
-	(*_struct.Struct)(nil),       // 11: google.protobuf.Struct
-	(*wrappers.UInt32Value)(nil), // 12: google.protobuf.UInt32Value
-	(*_struct.ListValue)(nil),    // 13: google.protobuf.ListValue
+	(*OidcAuthMethodAuthenticateTokenResponse)(nil),    // 7: controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateTokenResponse
+	nil,                          // 8: controller.api.resources.authmethods.v1.AuthMethod.AuthorizedCollectionActionsEntry
+	(*scopes.ScopeInfo)(nil),     // 9: controller.api.resources.scopes.v1.ScopeInfo
+	(*wrappers.StringValue)(nil), // 10: google.protobuf.StringValue
+	(*timestamp.Timestamp)(nil),  // 11: google.protobuf.Timestamp
+	(*_struct.Struct)(nil),       // 12: google.protobuf.Struct
+	(*wrappers.UInt32Value)(nil), // 13: google.protobuf.UInt32Value
+	(*_struct.ListValue)(nil),    // 14: google.protobuf.ListValue
 }
 var file_controller_api_resources_authmethods_v1_auth_method_proto_depIdxs = []int32{
-	8,  // 0: controller.api.resources.authmethods.v1.AuthMethod.scope:type_name -> controller.api.resources.scopes.v1.ScopeInfo
-	9,  // 1: controller.api.resources.authmethods.v1.AuthMethod.name:type_name -> google.protobuf.StringValue
-	9,  // 2: controller.api.resources.authmethods.v1.AuthMethod.description:type_name -> google.protobuf.StringValue
-	10, // 3: controller.api.resources.authmethods.v1.AuthMethod.created_time:type_name -> google.protobuf.Timestamp
-	10, // 4: controller.api.resources.authmethods.v1.AuthMethod.updated_time:type_name -> google.protobuf.Timestamp
-	11, // 5: controller.api.resources.authmethods.v1.AuthMethod.attributes:type_name -> google.protobuf.Struct
-	7,  // 6: controller.api.resources.authmethods.v1.AuthMethod.authorized_collection_actions:type_name -> controller.api.resources.authmethods.v1.AuthMethod.AuthorizedCollectionActionsEntry
-	9,  // 7: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.issuer:type_name -> google.protobuf.StringValue
-	9,  // 8: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.client_id:type_name -> google.protobuf.StringValue
-	9,  // 9: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.client_secret:type_name -> google.protobuf.StringValue
-	12, // 10: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.max_age:type_name -> google.protobuf.UInt32Value
-	9,  // 11: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.api_url_prefix:type_name -> google.protobuf.StringValue
-	13, // 12: controller.api.resources.authmethods.v1.AuthMethod.AuthorizedCollectionActionsEntry.value:type_name -> google.protobuf.ListValue
+	9,  // 0: controller.api.resources.authmethods.v1.AuthMethod.scope:type_name -> controller.api.resources.scopes.v1.ScopeInfo
+	10, // 1: controller.api.resources.authmethods.v1.AuthMethod.name:type_name -> google.protobuf.StringValue
+	10, // 2: controller.api.resources.authmethods.v1.AuthMethod.description:type_name -> google.protobuf.StringValue
+	11, // 3: controller.api.resources.authmethods.v1.AuthMethod.created_time:type_name -> google.protobuf.Timestamp
+	11, // 4: controller.api.resources.authmethods.v1.AuthMethod.updated_time:type_name -> google.protobuf.Timestamp
+	12, // 5: controller.api.resources.authmethods.v1.AuthMethod.attributes:type_name -> google.protobuf.Struct
+	8,  // 6: controller.api.resources.authmethods.v1.AuthMethod.authorized_collection_actions:type_name -> controller.api.resources.authmethods.v1.AuthMethod.AuthorizedCollectionActionsEntry
+	10, // 7: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.issuer:type_name -> google.protobuf.StringValue
+	10, // 8: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.client_id:type_name -> google.protobuf.StringValue
+	10, // 9: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.client_secret:type_name -> google.protobuf.StringValue
+	13, // 10: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.max_age:type_name -> google.protobuf.UInt32Value
+	10, // 11: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.api_url_prefix:type_name -> google.protobuf.StringValue
+	14, // 12: controller.api.resources.authmethods.v1.AuthMethod.AuthorizedCollectionActionsEntry.value:type_name -> google.protobuf.ListValue
 	13, // [13:13] is the sub-list for method output_type
 	13, // [13:13] is the sub-list for method input_type
 	13, // [13:13] is the sub-list for extension type_name
@@ -1009,6 +1065,18 @@ func file_controller_api_resources_authmethods_v1_auth_method_proto_init() {
 				return nil
 			}
 		}
+		file_controller_api_resources_authmethods_v1_auth_method_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*OidcAuthMethodAuthenticateTokenResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@@ -1016,7 +1084,7 @@ func file_controller_api_resources_authmethods_v1_auth_method_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_controller_api_resources_authmethods_v1_auth_method_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   8,
+			NumMessages:   9,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
diff --git a/internal/proto/local/controller/api/resources/authmethods/v1/auth_method.proto b/internal/proto/local/controller/api/resources/authmethods/v1/auth_method.proto
index 59b7b49f17..3d9a9938f8 100644
--- a/internal/proto/local/controller/api/resources/authmethods/v1/auth_method.proto
+++ b/internal/proto/local/controller/api/resources/authmethods/v1/auth_method.proto
@@ -165,4 +165,12 @@ message OidcAuthMethodAuthenticateCallbackResponse {
 message OidcAuthMethodAuthenticateTokenRequest {
 	// The ID of the pending token
 	string token_id = 10 [json_name="token_id"];
+}
+
+// Internal only: the structure of a token response if it _does not_ contain a
+// token.
+message OidcAuthMethodAuthenticateTokenResponse {
+	// The status. This will always be "unknown". It will never be forwarded to
+	// the consumer.
+	string status = 10;
 }
\ No newline at end of file
diff --git a/internal/servers/controller/handlers/authmethods/oidc.go b/internal/servers/controller/handlers/authmethods/oidc.go
index 636bf5ca13..3338c449ec 100644
--- a/internal/servers/controller/handlers/authmethods/oidc.go
+++ b/internal/servers/controller/handlers/authmethods/oidc.go
@@ -16,6 +16,7 @@ import (
 	"github.com/hashicorp/boundary/internal/servers/controller/handlers"
 	"github.com/hashicorp/boundary/internal/types/action"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/protobuf/types/known/structpb"
 )
 
 const (
@@ -25,7 +26,8 @@ const (
 	tokenCommand    = "token"
 
 	// token request/response fields
-	tokenField = "token"
+	tokenField  = "token"
+	statusField = "status"
 
 	// field names
 	issuerField                            = "attributes.issuer"
@@ -269,7 +271,16 @@ func (s Service) authenticateOidcToken(ctx context.Context, req *pbs.Authenticat
 		}
 	}
 	if token == nil {
-		return nil, nil
+		attrs, err := structpb.NewStruct(map[string]interface{}{
+			statusField: "unknown",
+		})
+		if err != nil {
+			return nil, errors.New(errors.Internal, op, "Error generating response attributes.")
+		}
+		return &pbs.AuthenticateResponse{
+			Command:    req.Command,
+			Attributes: attrs,
+		}, nil
 	}
 
 	responseToken, err := s.convertInternalAuthTokenToApiAuthToken(
diff --git a/internal/servers/controller/handlers/outgoing_interceptor.go b/internal/servers/controller/handlers/outgoing_interceptor.go
index e6fd6fa531..1a9cd4e086 100644
--- a/internal/servers/controller/handlers/outgoing_interceptor.go
+++ b/internal/servers/controller/handlers/outgoing_interceptor.go
@@ -17,6 +17,7 @@ const (
 	JsVisibleCookieName   = "wt-js-token-cookie"
 	tokenTypeField        = "token_type"
 	finalRedirectUrlField = "final_redirect_url"
+	statusField           = "status"
 )
 
 func OutgoingInterceptor(ctx context.Context, w http.ResponseWriter, m proto.Message) error {
@@ -34,6 +35,15 @@ func OutgoingInterceptor(ctx context.Context, w http.ResponseWriter, m proto.Mes
 			return nil
 		}
 		fields := m.GetAttributes().GetFields()
+		if m.GetCommand() == "token" {
+			if _, ok := fields[statusField]; ok {
+				// For now at least status will never be anything useful so
+				// don't need to check on it; the mere presence is enough to
+				// know what to do
+				w.WriteHeader(http.StatusAccepted)
+				return nil
+			}
+		}
 		// It's a redirect
 		if urlField, ok := fields[finalRedirectUrlField]; ok {
 			u := urlField.GetStringValue()
diff --git a/website/content/docs/concepts/security/permissions.mdx b/website/content/docs/concepts/security/permissions.mdx
index a62a98afc9..0760cb5576 100644
--- a/website/content/docs/concepts/security/permissions.mdx
+++ b/website/content/docs/concepts/security/permissions.mdx
@@ -214,11 +214,11 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>account</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>account</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -226,19 +226,15 @@ wildcard or templated grant strings.
           <li>
             <code>create</code>: Create an account
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=create</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=create</code></li>
+            </ul>
           <li>
             <code>list</code>: List accounts
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=list</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=list</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -249,23 +245,23 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>ID</li>
-          <ul>
-            <li>
-              <code>&lt;id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;id&gt;</code>
+              </li>
+            </ul>
           <li>Pin</li>
-          <ul>
-            <li>
-              <code>&lt;auth-method-id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;auth-method-id&gt;</code>
+              </li>
+            </ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>account</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>account</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -273,62 +269,38 @@ wildcard or templated grant strings.
           <li>
             <code>read</code>: Read an account
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=read</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=read</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=read</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=read</code></li>
+            </ul>
           <li>
             <code>update</code>: Update an account
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=update</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=update</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=update</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=update</code></li>
+            </ul>
           <li>
             <code>delete</code>: Delete an account
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=delete</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=delete</code>
-            </li>
-          </ul>
-          <li>
-            <code>set-password</code>: Set a password on an account, without
-            requiring the current password
-          </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=set-password</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=set-password</code>
-            </li>
-          </ul>
-          <li>
-            <code>change-password</code>: Change a password on an account given
-            the current password
-          </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=change-password</code>
-            </li>
-            <li>
-              <code>
-                id=&lt;pin&gt;;type=&lt;type&gt;;actions=change-password
-              </code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=delete</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=delete</code></li>
+            </ul>
+          <li>
+            <code>set-password</code>: Set a password on an account, without requiring the current password
+          </li>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=set-password</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=set-password</code></li>
+            </ul>
+          <li>
+            <code>change-password</code>: Change a password on an account given the current password
+          </li>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=change-password</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=change-password</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -346,11 +318,11 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>auth-method</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>auth-method</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -358,19 +330,15 @@ wildcard or templated grant strings.
           <li>
             <code>create</code>: Create an auth method
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=create</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=create</code></li>
+            </ul>
           <li>
             <code>list</code>: List auth methods
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=list</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=list</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -381,17 +349,17 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>ID</li>
-          <ul>
-            <li>
-              <code>&lt;id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;id&gt;</code>
+              </li>
+            </ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>auth-method</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>auth-method</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -399,35 +367,27 @@ wildcard or templated grant strings.
           <li>
             <code>read</code>: Read an auth method
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=read</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=read</code></li>
+            </ul>
           <li>
             <code>update</code>: Update an auth method
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=update</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=update</code></li>
+            </ul>
           <li>
             <code>delete</code>: Delete an auth method
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=delete</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=delete</code></li>
+            </ul>
           <li>
             <code>authenticate</code>: Authenticate to an auth method
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=authenticate</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=authenticate</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -445,11 +405,11 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>auth-token</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>auth-token</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -457,11 +417,9 @@ wildcard or templated grant strings.
           <li>
             <code>list</code>: List auth tokens
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=list</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=list</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -472,17 +430,17 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>ID</li>
-          <ul>
-            <li>
-              <code>&lt;id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;id&gt;</code>
+              </li>
+            </ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>auth-token</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>auth-token</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -490,19 +448,15 @@ wildcard or templated grant strings.
           <li>
             <code>read</code>: Read an auth token
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=read</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=read</code></li>
+            </ul>
           <li>
             <code>delete</code>: Delete an auth token
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=delete</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=delete</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -521,11 +475,11 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>group</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>group</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -533,19 +487,15 @@ wildcard or templated grant strings.
           <li>
             <code>create</code>: Create a group
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=create</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=create</code></li>
+            </ul>
           <li>
             <code>list</code>: List groups
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=list</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=list</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -556,17 +506,17 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>ID</li>
-          <ul>
-            <li>
-              <code>&lt;id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;id&gt;</code>
+              </li>
+            </ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>group</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>group</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -574,51 +524,39 @@ wildcard or templated grant strings.
           <li>
             <code>read</code>: Read a group
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=read</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=read</code></li>
+            </ul>
           <li>
             <code>update</code>: Update a group
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=update</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=update</code></li>
+            </ul>
           <li>
             <code>delete</code>: Delete a group
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=delete</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=delete</code></li>
+            </ul>
           <li>
             <code>add-members</code>: Add members to a group
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=add-members</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=add-members</code></li>
+            </ul>
           <li>
             <code>set-members</code>: Set the full set of members on a group
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=set-members</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=set-members</code></li>
+            </ul>
           <li>
             <code>remove-members</code>: Remove members from a group
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=remove-members</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=remove-members</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -635,11 +573,11 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>host</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>host</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -647,19 +585,15 @@ wildcard or templated grant strings.
           <li>
             <code>create</code>: Create a host
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=create</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=create</code></li>
+            </ul>
           <li>
             <code>list</code>: List hosts
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=list</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=list</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -670,23 +604,23 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>ID</li>
-          <ul>
-            <li>
-              <code>&lt;id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;id&gt;</code>
+              </li>
+            </ul>
           <li>Pin</li>
-          <ul>
-            <li>
-              <code>&lt;host-catalog-id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;host-catalog-id&gt;</code>
+              </li>
+            </ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>host</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>host</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -694,36 +628,24 @@ wildcard or templated grant strings.
           <li>
             <code>read</code>: Read a host
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=read</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=read</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=read</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=read</code></li>
+            </ul>
           <li>
             <code>update</code>: Update a host
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=update</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=update</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=update</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=update</code></li>
+            </ul>
           <li>
             <code>delete</code>: Delete a host
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=delete</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=delete</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=delete</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=delete</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -740,11 +662,11 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>host-catalog</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>host-catalog</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -752,19 +674,15 @@ wildcard or templated grant strings.
           <li>
             <code>create</code>: Create a host catalog
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=create</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=create</code></li>
+            </ul>
           <li>
             <code>list</code>: List host catalogs
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=list</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=list</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -775,17 +693,17 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>ID</li>
-          <ul>
-            <li>
-              <code>&lt;id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;id&gt;</code>
+              </li>
+            </ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>host-catalog</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>host-catalog</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -793,27 +711,21 @@ wildcard or templated grant strings.
           <li>
             <code>read</code>: Read a host catalog
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=read</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=read</code></li>
+            </ul>
           <li>
             <code>update</code>: Update a host catalog
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=update</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=update</code></li>
+            </ul>
           <li>
             <code>delete</code>: Delete a host catalog
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=delete</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=delete</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -830,11 +742,11 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>host-set</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>host-set</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -842,19 +754,15 @@ wildcard or templated grant strings.
           <li>
             <code>create</code>: Create a host set
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=create</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=create</code></li>
+            </ul>
           <li>
             <code>list</code>: List host sets
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=list</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=list</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -865,23 +773,23 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>ID</li>
-          <ul>
-            <li>
-              <code>&lt;id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;id&gt;</code>
+              </li>
+            </ul>
           <li>Pin</li>
-          <ul>
-            <li>
-              <code>&lt;host-catalog-id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;host-catalog-id&gt;</code>
+              </li>
+            </ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>host-set</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>host-set</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -889,69 +797,45 @@ wildcard or templated grant strings.
           <li>
             <code>read</code>: Read a host set
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=read</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=read</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=read</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=read</code></li>
+            </ul>
           <li>
             <code>update</code>: Update a host set
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=update</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=update</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=update</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=update</code></li>
+            </ul>
           <li>
             <code>delete</code>: Delete a host set
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=delete</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=delete</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=delete</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=delete</code></li>
+            </ul>
           <li>
             <code>add-hosts</code>: Add hosts to a host-set
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=add-hosts</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=add-hosts</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=add-hosts</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=add-hosts</code></li>
+            </ul>
           <li>
             <code>set-hosts</code>: Set the full set of hosts on a host set
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=set-hosts</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=set-hosts</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=set-hosts</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=set-hosts</code></li>
+            </ul>
           <li>
             <code>remove-hosts</code>: Remove hosts from a host set
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=remove-hosts</code>
-            </li>
-            <li>
-              <code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=remove-hosts</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=remove-hosts</code></li>
+              <li><code>id=&lt;pin&gt;;type=&lt;type&gt;;actions=remove-hosts</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -970,11 +854,11 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>role</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>role</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -982,19 +866,15 @@ wildcard or templated grant strings.
           <li>
             <code>create</code>: Create a role
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=create</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=create</code></li>
+            </ul>
           <li>
             <code>list</code>: List roles
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=list</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=list</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -1005,17 +885,17 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>ID</li>
-          <ul>
-            <li>
-              <code>&lt;id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;id&gt;</code>
+              </li>
+            </ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>role</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>role</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -1023,76 +903,57 @@ wildcard or templated grant strings.
           <li>
             <code>read</code>: Read a role
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=read</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=read</code></li>
+            </ul>
           <li>
             <code>update</code>: Update a role
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=update</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=update</code></li>
+            </ul>
           <li>
             <code>delete</code>: Delete a role
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=delete</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=delete</code></li>
+            </ul>
           <li>
             <code>add-principals</code>: Add principals to a role
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=add-principals</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=add-principals</code></li>
+            </ul>
           <li>
-            <code>set-principals</code>: Set the full set of principals on a
-            role
+            <code>set-principals</code>: Set the full set of principals on a role
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=set-principals</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=set-principals</code></li>
+            </ul>
           <li>
             <code>remove-principals</code>: Remove principals from a role
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=remove-principals</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=remove-principals</code></li>
+            </ul>
           <li>
             <code>add-grants</code>: Add grants to a role
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=add-grants</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=add-grants</code></li>
+            </ul>
           <li>
             <code>set-grants</code>: Set the full set of grants on a role
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=set-grants</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=set-grants</code></li>
+            </ul>
           <li>
             <code>remove-grants</code>: Remove grants from a role
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=remove-grants</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=remove-grants</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -1110,11 +971,11 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>scope</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>scope</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -1122,19 +983,15 @@ wildcard or templated grant strings.
           <li>
             <code>create</code>: Create a scope
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=create</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=create</code></li>
+            </ul>
           <li>
             <code>list</code>: List scopes
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=list</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=list</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -1145,17 +1002,17 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>ID</li>
-          <ul>
-            <li>
-              <code>&lt;id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;id&gt;</code>
+              </li>
+            </ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>scope</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>scope</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -1163,27 +1020,21 @@ wildcard or templated grant strings.
           <li>
             <code>read</code>: Read a scope
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=read</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=read</code></li>
+            </ul>
           <li>
             <code>update</code>: Update a scope
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=update</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=update</code></li>
+            </ul>
           <li>
             <code>delete</code>: Delete a scope
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=delete</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=delete</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -1200,11 +1051,11 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>session</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>session</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -1212,11 +1063,9 @@ wildcard or templated grant strings.
           <li>
             <code>list</code>: List sessions
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=list</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=list</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -1227,17 +1076,17 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>ID</li>
-          <ul>
-            <li>
-              <code>&lt;id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;id&gt;</code>
+              </li>
+            </ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>session</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>session</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -1245,37 +1094,27 @@ wildcard or templated grant strings.
           <li>
             <code>read</code>: Read a session
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=read</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=read</code></li>
+            </ul>
           <li>
             <code>cancel</code>: Cancel a session
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=cancel</code>
-            </li>
-          </ul>
-          <li>
-            <code>read:self</code>: Read a session, which must be associated
-            with the calling user
-          </li>
-          <ul>
-            <li>
-              <code>id=*;type=session;actions=read:self</code>
-            </li>
-          </ul>
-          <li>
-            <code>cancel:self</code>: Cancel a session, which must be associated
-            with the calling user
-          </li>
-          <ul>
-            <li>
-              <code>id=*;type=session;actions=cancel:self</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=cancel</code></li>
+            </ul>
+          <li>
+            <code>read:self</code>: Read a session, which must be associated with the calling user
+          </li>
+            <ul>
+              <li><code>id=*;type=session;actions=read:self</code></li>
+            </ul>
+          <li>
+            <code>cancel:self</code>: Cancel a session, which must be associated with the calling user
+          </li>
+            <ul>
+              <li><code>id=*;type=session;actions=cancel:self</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -1292,11 +1131,11 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>target</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>target</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -1304,19 +1143,15 @@ wildcard or templated grant strings.
           <li>
             <code>create</code>: Create a target
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=create</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=create</code></li>
+            </ul>
           <li>
             <code>list</code>: List targets
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=list</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=list</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -1327,17 +1162,17 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>ID</li>
-          <ul>
-            <li>
-              <code>&lt;id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;id&gt;</code>
+              </li>
+            </ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>target</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>target</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -1345,60 +1180,45 @@ wildcard or templated grant strings.
           <li>
             <code>read</code>: Read a target
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=read</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=read</code></li>
+            </ul>
           <li>
             <code>update</code>: Update a target
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=update</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=update</code></li>
+            </ul>
           <li>
             <code>delete</code>: Delete a target
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=delete</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=delete</code></li>
+            </ul>
           <li>
             <code>add-host-sets</code>: Add host sets to a target
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=add-host-sets</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=add-host-sets</code></li>
+            </ul>
           <li>
-            <code>set-host-sets</code>: Set the full set of host sets on a
-            target
+            <code>set-host-sets</code>: Set the full set of host sets on a target
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=set-host-sets</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=set-host-sets</code></li>
+            </ul>
           <li>
             <code>remove-host-sets</code>: Remove host sets from a target
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=remove-host-sets</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=remove-host-sets</code></li>
+            </ul>
           <li>
             <code>authorize-session</code>: Authorize a session via the target
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=authorize-session</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=authorize-session</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -1416,11 +1236,11 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>user</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>user</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -1428,19 +1248,15 @@ wildcard or templated grant strings.
           <li>
             <code>create</code>: Create a user
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=create</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=create</code></li>
+            </ul>
           <li>
             <code>list</code>: List users
           </li>
-          <ul>
-            <li>
-              <code>type=&lt;type&gt;;actions=list</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>type=&lt;type&gt;;actions=list</code></li>
+            </ul>
         </ul>
       </td>
     </tr>
@@ -1451,17 +1267,17 @@ wildcard or templated grant strings.
       <td>
         <ul>
           <li>ID</li>
-          <ul>
-            <li>
-              <code>&lt;id&gt;</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>&lt;id&gt;</code>
+              </li>
+            </ul>
           <li>Type</li>
-          <ul>
-            <li>
-              <code>user</code>
-            </li>
-          </ul>
+            <ul>
+              <li>
+                <code>user</code>
+              </li>
+            </ul>
         </ul>
       </td>
       <td>
@@ -1469,51 +1285,39 @@ wildcard or templated grant strings.
           <li>
             <code>read</code>: Read a user
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=read</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=read</code></li>
+            </ul>
           <li>
             <code>update</code>: Update a user
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=update</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=update</code></li>
+            </ul>
           <li>
             <code>delete</code>: Delete a user
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=delete</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=delete</code></li>
+            </ul>
           <li>
             <code>add-accounts</code>: Add accounts to a user
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=add-accounts</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=add-accounts</code></li>
+            </ul>
           <li>
             <code>set-accounts</code>: Set the full set of accounts on a user
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=set-accounts</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=set-accounts</code></li>
+            </ul>
           <li>
             <code>remove-accounts</code>: Remove accounts from a user
           </li>
-          <ul>
-            <li>
-              <code>id=&lt;id&gt;;actions=remove-accounts</code>
-            </li>
-          </ul>
+            <ul>
+              <li><code>id=&lt;id&gt;;actions=remove-accounts</code></li>
+            </ul>
         </ul>
       </td>
     </tr>