Add docs for OIDC verbose_oidc_logging (#7236)

2019-08-01 14:41:35 -07:00 · 2019-08-01 14:41:35 -07:00 · 4584c84d79
parent 788db63ac1
commit 4584c84d79
2 changed files with 8 additions and 1 deletions
--- a/website/source/api/auth/jwt/index.html.md.erb
+++ b/website/source/api/auth/jwt/index.html.md.erb
@ -132,6 +132,9 @@ entities attempting to login. At least one of the bound values must be set.
  The standard scope "openid" is automatically included and need not be specified.
 - `allowed_redirect_uris` `(list: <required>)` - The list of allowed values for redirect_uri
  during OIDC logins.
+- `verbose_oidc_logging` `(bool: false)` - Log received OIDC tokens and claims when debug-level
+  logging is active. Not recommended in production since sensitive information may be present
+  in OIDC responses.

 <%= partial "partials/tokenfields" %>

--- a/website/source/docs/auth/jwt.html.md
+++ b/website/source/docs/auth/jwt.html.md
@ -201,7 +201,11 @@ construct a simple `curl` implicit grant request to obtain a JWT that you can in
 of how to decode the JWT (in this case located in the "access_token" field of a JSON response):

 `cat jwt.json | jq -r .access_token | cut -d. -f2 | base64 -D`
-
+- As of Vault 1.2, the [`verbose_oidc_logging`](/api/auth/jwt/index.html#verbose_oidc_logging) role
+option is available which will log the received OIDC token if debug-level logging is enabled. This can
+be helpful when debugging provider setup and verifying that the received claims are what you expect.
+Since claims data is logged verbatim and may contain sensitive information, this option should not be
+used in production.

 ## JWT Authentication