Pull JWT auth plugin and update CL

CHANGELOG.md

@@ -1,11 +1,8 @@
-## Next
+## 1.1.1 (unreleased)
 
 CHANGES:
 
- * auth/jwt: Disallow logins of role_type "oidc" via the `/login` path
+ * auth/jwt: Disallow logins of role_type "oidc" via the `/login` path [JWT-38]
-   [[GH-38]](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/38)
-
-## 1.1.1 (unreleased)
 
 IMPROVEMENTS: 
 
@@ -14,20 +11,27 @@ IMPROVEMENTS:
  * ui: Navigating away from secret list view will clear any page-specific
    filter that was applied [GH-6511]
 
-
 BUG FIXES: 
 
  * agent: Allow auto-auth to be used with caching without having to define any
    sinks [GH-6468]
+ * auth/ldap: Fix CN check not working if CN was not all in uppercase [GH-6518]
  * auth/jwt: The CLI helper for OIDC logins will now open the browser to the correct
-   URL when running on Windows. [[GH-37]](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/37)
+   URL when running on Windows [JWT-37]
  * auth/jwt: Fix an issue where the `oidc_scopes` parameter was not being included in
-   the response to a role read request [[GH-35]](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/35)
+   the response to a role read request [JWT-35]
+ * core: Fix seal migration case when migrating to Shamir and a seal block
+   wasn't explicitly specified [GH-6455]
+ * core: Fix unwrapping when using namespaced wrapping tokens [GH-6536]
  * core: Fix incorrect representation of required properties in OpenAPI output
-   [[GH-6490]](https://github.com/hashicorp/vault/pull/6490)
+   [GH-6490]
+ * identity: Fix updating groups removing existing members [GH-6527]
+ * replication: Fix mount filter invalidation on performance standby nodes
+ * replication: Fix license reloading on performance standby nodes
+ * replication: Fix handling of control groups on performance standby nodes
  * secret/pki: Use `uri_sans` param in when not using CSR parameters [GH-6505]
  * storage/dynamodb: Fix a race condition possible in HA configurations that could
-   leave the cluster without a leader [[GH-6512]](https://github.com/hashicorp/vault/pull/6512)
+   leave the cluster without a leader [GH-6512]
  * ui: Fix an issue where in production builds OpenAPI model generation was
    failing, causing any form using it to render labels with missing fields [GH-6474]
  * ui: Fix issue nav-hiding when moving between namespaces [GH-6473]

vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go

@@ -68,6 +68,10 @@ func (b *jwtAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 		return logical.ErrorResponse("role %q could not be found", roleName), nil
 	}
 
+	if role.RoleType == "oidc" {
+		return logical.ErrorResponse("role with oidc role_type is not allowed"), nil
+	}
+
 	token := d.Get("jwt").(string)
 	if len(token) == 0 {
 		return logical.ErrorResponse("missing token"), nil
@@ -228,13 +232,9 @@ func (b *jwtAuthBackend) verifyOIDCToken(ctx context.Context, config *jwtConfig,
 
 	oidcConfig := &oidc.Config{
 		SupportedSigningAlgs: config.JWTSupportedAlgs,
+		SkipClientIDCheck:    true,
 	}
 
-	if role.RoleType == "oidc" {
-		oidcConfig.ClientID = config.OIDCClientID
-	} else {
-		oidcConfig.SkipClientIDCheck = true
-	}
 	verifier := provider.Verifier(oidcConfig)
 
 	idToken, err := verifier.Verify(ctx, rawToken)

vendor/vendor.json

@@ -1391,10 +1391,10 @@
 			"revisionTime": "2019-04-02T00:00:36Z"
 		},
 		{
-			"checksumSHA1": "itJt7LtTNuCOBfBVGDcTtUu9HIc=",
+			"checksumSHA1": "7htT8U/t65ixPdTbbzSBrERPvoE=",
 			"path": "github.com/hashicorp/vault-plugin-auth-jwt",
-			"revision": "7b19d4b328acbeaecd0e4781c613bf7401115f63",
+			"revision": "7ca4cefd94ef8f290b0a8c93b214ee80defd5618",
-			"revisionTime": "2019-04-01T19:55:01Z"
+			"revisionTime": "2019-04-04T21:59:00Z"
 		},
 		{
 			"checksumSHA1": "2GD7htZi0dpYxt7kxljXq2qK61s=",