From 67de7f5646e5230fc7166ab9aab109ea9183c992 Mon Sep 17 00:00:00 2001
From: Ryan Richard <richardry@vmware.com>
Date: Tue, 15 Sep 2020 16:18:48 -0700
Subject: [PATCH] Further explain the webhook API in architecture.md

---
 doc/architecture.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/architecture.md b/doc/architecture.md
index e7af009bf..a7b83d9c0 100644
--- a/doc/architecture.md
+++ b/doc/architecture.md
@@ -31,7 +31,13 @@ The currently supported external IDP types are outlined here. More will be added
 in the future.
 
 1. Any webhook which implements the
-[Kubernetes TokenReview API](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication)
+   [Kubernetes TokenReview API](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication).
+
+   In addition to allowing the integration of any existing IDP which implements this API, webhooks also
+   serve as an extension point for Pinniped by allowing for integration of arbitrary custom authenticators.
+   While a custom implementation may be in any language or framework, this project provides a
+   sample implementation in Golang. See the `ServeHTTP` method of
+   [cmd/local-user-authenticator/main.go](../cmd/local-user-authenticator/main.go).
 
 ## Cluster Integration Strategies