Merge branch 'master' into ui-toolbar
This commit is contained in:
commit
30ab729fe8
@ -8,6 +8,7 @@ CHANGES:
IMPROVEMENTS:
* auth/jwt: A JWKS endpoint may now be configured for signature verification [JWT-43]
* ui: KV v1 and v2 will now gracefully degrade allowing a write without read
workflow in the UI [GH-6570]
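Review bot: the new IMPROVEMENTS entry should name the configuration parameters it introduces so a reader can go from the changelog to the API doc: the docs hunk in this same commit adds `jwks_url` and `jwks_ca_pem`, and makes `jwks_url` mutually exclusive with `oidc_discovery_url` and `jwt_validation_pubkeys`, which is a configuration constraint worth stating here as well. Suggested wording: `* auth/jwt: A JWKS endpoint (jwks_url, with optional jwks_ca_pem) may now be configured for signature verification; it cannot be combined with oidc_discovery_url or jwt_validation_pubkeys [JWT-43]`.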
@ -30,11 +30,13 @@ set.
### Parameters
- `oidc_discovery_url` `(string: <optional>)` - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with `jwt_validation_pubkeys`.
- `oidc_discovery_url` `(string: <optional>)` - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with "jwks_url" or "jwt_validation_pubkeys".
- `oidc_discovery_ca_pem` `(string: <optional>)` - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used.
- `oidc_client_id` `(string: <optional>)` - The OAuth Client ID from the provider for OIDC roles.
- `oidc_client_secret` `(string: <optional>)` - The OAuth Client Secret from the provider for OIDC roles.
- `jwt_validation_pubkeys` `(comma-separated string, or array of strings: <optional>)` - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with `oidc_discovery_url`.
- `jwks_url` `(string: <optional>)` - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- `jwks_ca_pem` `(string: <optional>)` - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- `jwt_validation_pubkeys` `(comma-separated string, or array of strings: <optional>)` - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with "jwks_url" or "oidc_discovery_url".
- `bound_issuer` `(string: <optional>)` - The value against which to match the `iss` claim in a JWT.
- `jwt_supported_algs` `(comma-separated string, or array of strings: <optional>)` - A list of supported signing algorithms. Defaults to [RS256]. ([Available algorithms](https://github.com/hashicorp/vault-plugin-auth-jwt/blob/master/vendor/github.com/coreos/go-oidc/jose.go#L7))
- `default_role` `(string: <optional>)` - The default role to use if none is provided during login.
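Review bot: the rewritten `oidc_discovery_url`, `jwks_url` and `jwt_validation_pubkeys` entries put the conflicting parameter names in double quotes ("jwks_url", "oidc_discovery_url"), while the line being replaced and every other entry in this list use backticks for parameter names; keep backticks for consistency, e.g. Cannot be used with `jwks_url` or `jwt_validation_pubkeys`. Two smaller points: the new `jwks_ca_pem` entry (like `oidc_discovery_ca_pem`) only has an effect on a TLS connection, so consider saying explicitly that the JWKS URL is expected to be served over HTTPS; and the `jwt_supported_algs` link points at `jose.go#L7` on `master` of a vendored file, an anchor that will silently break as soon as that file is edited or the vendored copy moves, so pin it to a commit or list the supported algorithms in the doc itself.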
@ -24,6 +24,23 @@ Both methods allow additional processing of the claims data in the JWT. Some of
the concepts common to both methods will be covered first, followed by specific
examples of OIDC and JWT usage.
### JWT Verification
JWT signatures will be verified against public keys from the issuer. This process can be done in
three different ways, though only one method may be configured for a single backend:
- **Static Keys**. A set of public keys is stored directly in the backend configuration.
- **JWKS**. A JSON Web Key Set ([JWKS](https://tools.ietf.org/html/rfc7517)) URL (and optional
certificate chain) is configured. Keys will be fetched from this endpoint during authentication.
- **OIDC Discovery**. An OIDC Discovery URL (and optional certificate chain) is configured. Keys
will be fetched from this URL during authentication. When OIDC Discovery is used, OIDC validation
criteria (e.g. `iss`, `aud`, etc.) will be applied.
If multiple methods are needed, another instance of the backend can be mounted and configured
at a different path.
### Bound Claims
Once a JWT has been validated as being properly signed and not expired, the
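Review bot: the new JWT Verification section states that OIDC validation criteria (`iss`, `aud`, etc.) are applied only when OIDC Discovery is used, but the Static Keys and JWKS bullets say nothing about claim validation, so a reader is left to assume those two modes check only the signature and expiry; say explicitly which claims are validated in each mode and cross-reference `bound_issuer` and the Bound Claims section that follows. The opening sentence, "verified against public keys from the issuer", is also inaccurate for the Static Keys mode, where the keys come from the backend configuration and the issuer is never contacted; "public keys trusted by the backend" would describe all three methods. Minor: "Keys will be fetched from this endpoint during authentication" leaves open whether the JWKS is fetched on every login or cached and refreshed, which matters for both availability and key-rotation behaviour, so state which it is.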