Update identity token docs (#8398)

`client_id` is configurable as of version 1.4.
2020-02-21 10:59:09 -08:00 · 2020-02-21 10:59:09 -08:00 · 1bc1b45c07
parent 587b331d8f
commit 1bc1b45c07
1 changed files with 5 additions and 5 deletions
--- a/website/pages/docs/secrets/identity/index.mdx
+++ b/website/pages/docs/secrets/identity/index.mdx
@ -150,11 +150,11 @@ OIDC-compliant ID tokens are generated against a role which allows configuration
 of token claims via a templating system, token ttl, and a way to specify which
 "key" will be used to sign the token. The role template is an optional parameter
 to customize the token contents and is described in the next section. Token TTL
-controls the expiration time of the token, after which verification library will
-consider the token invalid. All roles have a Vault-generated `client_id`
-attribute that is returned when the role is read. This value cannot be changed
-and will be added to the token's `aud` parameter. JWT/OIDC libraries will often
-require this value.
+controls the expiration time of the token, after which verification libraries will
+consider the token invalid. All roles have an associated `client_id` that will be
+added to the token's `aud` parameter. JWT/OIDC libraries will usually require this
+value. The parameter may be set by the operator to a chosen value, or a
+Vault-generated value will be used if left unconfigured.

 A role's `key` parameter links a role to an existing named key (multiple roles
 may refer to the same key). It is not possible to generate an unsigned ID token.