Update docs/src/main/asciidoc/security-openid-connect-web-authentication.adoc

Co-authored-by: George Gastaldi <[email protected]>
sberyozkin and gastaldi authored Jan 11, 2021
1 parent 91757e9 commit 48ba32b
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -371,7 +371,7 @@ Note this user session can not be extended forever - the returning user with the

OIDC `CodeAuthenticationMechanism` is using the default `io.quarkus.oidc.TokenStateManager' interface implementation to keep the ID, access and refresh tokens returned in the authorization code or refresh grant responses in a session cookie. It makes Quarkus OIDC endpoints completely stateless.

Note that some endpoints do not require the access token. Access token is only required if the endpoint needs to retrieve `UserInfo` or access the downstream service with this access token or use the roles in the access token (the roles in the ID token are checked by default). In such cases you can set either `quarkus.oidc.state-session-manager.stategy=id-refresh-token` (keep ID and refresh tokens only) or `quarkus.oidc.state-session-manager.stategy=id-token` (keep ID token only).
Note that some endpoints do not require the access token.An access token is only required if the endpoint needs to retrieve `UserInfo` or access the downstream service with this access token or use the roles associated with the access token (the roles in the ID token are checked by default). In such cases you can set either `quarkus.oidc.state-session-manager.strategy=id-refresh-token` (keep ID and refresh tokens only) or `quarkus.oidc.state-session-manager.strategy=id-token` (keep ID token only).

If the ID, access and refresh tokens are JWT tokens then combining all of them (if the strategy is the default `keep-all-tokens`) or only ID and refresh tokens (if the strategy is `id-refresh-token`) may produce a session cookie value larger than 4KB and the browsers may not be able to keep this cookie.
In such cases, you can use `quarkus.oidc.token-state-manager.split-tokens=true` to have a unique session token per each of these tokens.
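Review bot: the added line still has a property-name inconsistency that this typo fix does not resolve: it uses the prefix `quarkus.oidc.state-session-manager.strategy`, while the paragraph two lines below uses `quarkus.oidc.token-state-manager.split-tokens` and the context line names the `TokenStateManager` interface, so please confirm the correct prefix (the `token-state-manager` form matches both neighbours) and use the same one in both places. Two smaller nits in the same line: "access token.An access token" is missing a space after the period, and the unchanged context line above closes the `io.quarkus.oidc.TokenStateManager' identifier with an apostrophe instead of a backtick, which will render the monospace span incorrectly in AsciiDoc.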
