Commit ad17418

backport of commit 1face9d (#30607)
Co-authored-by: Jaired Jawed <[email protected]>
1 parent 8a8e477 commit ad17418

2 files changed

+8
-6
lines changed

website/content/api-docs/auth/jwt.mdx

Lines changed: 3 additions & 2 deletions
@@ -112,8 +112,9 @@ entities attempting to login. At least one of the bound values must be set.
112112
- `name` `(string: <required>)` - Name of the role.
113113
- `role_type` `(string: <optional>)` - Type of role, either "oidc" (default) or "jwt".
114114
- `bound_audiences` `(array: <optional>)` - List of `aud` claims to match against.
115-
Any match is sufficient. Required for "jwt" roles if the JWT has an `aud`
116-
claim. Optional for "oidc" roles.
115+
The `bound_audiences` parameter is required for "jwt" roles that contain an
116+
audience (typical case) and **must** match at least one of the associated JWT
117+
`aud` claims.
117118
- `user_claim` `(string: <required>)` - The claim to use to uniquely identify
118119
the user; this will be used as the name for the Identity entity alias created
119120
due to a successful login. The claim value must be a string.
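Review bot: the rewritten `bound_audiences` description drops two statements that the removed lines carried, that a single matching audience is sufficient and that the parameter is optional for "oidc" roles; "at least one" still covers the first, but the "oidc" behaviour is now undocumented in this reference, so consider keeping a closing sentence such as "Optional for "oidc" roles." The companion edit in website/content/docs/auth/jwt/index.mdx also says the audiences must **exactly** match, while this line says only "must match"; align the two so the API reference and the guide describe the same check.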

website/content/docs/auth/jwt/index.mdx

Lines changed: 5 additions & 4 deletions
@@ -10,8 +10,9 @@ description: >-
1010
@include 'x509-sha1-deprecation.mdx'
1111

1212
~> **Note**: Starting in Vault 1.17, if the JWT in the authentication request
13-
contains an `aud` claim, the associated `bound_audiences` for the "jwt" role
14-
must match at least one of the `aud` claims declared for the JWT. For
13+
contains an `aud` claim (typical case) the associated `bound_audiences` for the
14+
"jwt" role must **exactly** match at least one of the `aud` claims declared for
15+
the JWT. For
1516
additional details, refer to the [JWT auth method (API)](/vault/api-docs/auth/jwt)
1617
documentation and [1.17 Upgrade Guide](/vault/docs/upgrading/upgrade-to-1.17.x#jwt-auth-login-requires-bound-audiences-on-the-role).
1718

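Review bot: the new parenthetical needs a comma after it ("contains an `aud` claim (typical case), the associated `bound_audiences` ..."), and the rewrap leaves "the JWT. For" as a two-word orphan line before "additional details"; reflow the note so the sentence wraps evenly. It would also help readers if the note said what "exactly" means for this comparison (for example whether it is a whole-string, case-sensitive comparison rather than prefix or wildcard matching), since the bolded word on its own does not define the rule.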
@@ -214,7 +215,7 @@ backend instance per method at different paths.
214215
After verifying the JWT signatures, Vault checks the corresponding `aud` claim.
215216

216217
If the JWT in the authentication request contains an `aud` claim, the
217-
associated `bound_audiences` for the role must match at least one of the `aud`
218+
associated `bound_audiences` for the role must **exactly** match at least one of the `aud`
218219
claims declared for the JWT.
219220

220221
### Via the CLI
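Review bot: the replacement line runs well past the wrap width used by the surrounding lines in this paragraph; rewrap it, for example "associated `bound_audiences` for the role must **exactly** match at least one of" followed by "the `aud` claims declared for the JWT.", so the file keeps a consistent line length.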
@@ -324,7 +325,7 @@ In some cases there are dedicated parameters, for example `bound_subject`,
324325
that must match the provided `sub` claim. For roles of type "jwt":
325326

326327
1. the `bound_audiences` parameter is required when an `aud` claim is set.
327-
1. the `bound_audiences` parameter must match at least one of provided `aud` claims.
328+
1. the `bound_audiences` parameter must **exactly** match at least one of provided `aud` claims.
328329

329330
You can also configure roles to check an arbitrary set of claims and required
330331
values with the `bound_claims` map. For example, assume `bound_claims` is set to:
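Review bot: the edited list item is missing an article, "at least one of provided `aud` claims" should read "at least one of the provided `aud` claims"; since the line is being touched anyway, fix it in the same change.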