diff --git a/website/source/api/auth/jwt/index.html.md.erb b/website/source/api/auth/jwt/index.html.md.erb index daf5d2a23..f4f27f021 100644 --- a/website/source/api/auth/jwt/index.html.md.erb +++ b/website/source/api/auth/jwt/index.html.md.erb @@ -132,6 +132,9 @@ entities attempting to login. At least one of the bound values must be set. The standard scope "openid" is automatically included and need not be specified. - `allowed_redirect_uris` `(list: )` - The list of allowed values for redirect_uri during OIDC logins. +- `verbose_oidc_logging` `(bool: false)` - Log received OIDC tokens and claims when debug-level + logging is active. Not recommended in production since sensitive information may be present + in OIDC responses. <%= partial "partials/tokenfields" %> diff --git a/website/source/docs/auth/jwt.html.md b/website/source/docs/auth/jwt.html.md index 779db3be7..e8c4dbf24 100644 --- a/website/source/docs/auth/jwt.html.md +++ b/website/source/docs/auth/jwt.html.md @@ -201,7 +201,11 @@ construct a simple `curl` implicit grant request to obtain a JWT that you can in of how to decode the JWT (in this case located in the "access_token" field of a JSON response): `cat jwt.json | jq -r .access_token | cut -d. -f2 | base64 -D` - +- As of Vault 1.2, the [`verbose_oidc_logging`](/api/auth/jwt/index.html#verbose_oidc_logging) role +option is available which will log the received OIDC token if debug-level logging is enabled. This can +be helpful when debugging provider setup and verifying that the received claims are what you expect. +Since claims data is logged verbatim and may contain sensitive information, this option should not be +used in production. ## JWT Authentication
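Review bot: in the first hunk (the `verbose_oidc_logging` bullet under the role parameters in `website/source/api/auth/jwt/index.html.md.erb`), the warning should say what is actually at risk rather than the generic "sensitive information may be present": the logged OIDC tokens are bearer credentials that remain usable until they expire, so anyone with read access to the Vault log stream (including any log aggregation it is shipped to) can replay them, and the claims can carry PII. Suggest rewording to something like "Logs the raw OIDC tokens and claims at debug level. Tokens are bearer credentials and claims may contain PII; do not enable in production or leave enabled after debugging." It would also help to state explicitly that the option is a per-role setting and that it has no effect unless the Vault server log level is set to debug, since the bullet currently says "when debug-level logging is active" without saying where that is configured.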
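Review bot: in the second hunk (the new "As of Vault 1.2" bullet in `website/source/docs/auth/jwt.html.md`), the wording is narrower than the API reference it links to: the API doc says the option logs "OIDC tokens and claims", while this bullet says it logs "the received OIDC token". Align the two so readers are not surprised that the decoded claims are written out verbatim as well; the later sentence "Since claims data is logged verbatim" already assumes this. The continuation lines of the new bullet ("option is available which will log...", "be helpful when debugging...") are not indented under the `-`, so they only render as part of the bullet through lazy continuation; indent them to match how the other wrapped bullets in this section are written. Minor, on the unchanged context line above the hunk: `base64 -D` is the macOS flag and fails on GNU coreutils (`-d`), and a JWT payload segment is unpadded base64url, so that one-liner will not work on every platform; worth a separate fix or a note.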