From c8dbbbacae7c9e032c1f39107afbd5cd553a4c66 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Fri, 30 Oct 2020 08:15:34 -0700 Subject: [PATCH] Update OIDC namespace_in_state docs (#10269) To reflect the default of true for new configs. --- website/pages/api-docs/auth/jwt/index.mdx | 4 ++-- website/pages/docs/auth/jwt.mdx | 10 ++++++---- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/website/pages/api-docs/auth/jwt/index.mdx b/website/pages/api-docs/auth/jwt/index.mdx index 85ff5d3a79..2afff7cb63 100644 --- a/website/pages/api-docs/auth/jwt/index.mdx +++ b/website/pages/api-docs/auth/jwt/index.mdx @@ -33,7 +33,7 @@ set. - `oidc_discovery_ca_pem` `(string: )` - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used. - `oidc_client_id` `(string: )` - The OAuth Client ID from the provider for OIDC roles. - `oidc_client_secret` `(string: )` - The OAuth Client Secret from the provider for OIDC roles. -- `oidc_response_mode` `(string: )` - The response mode to be used in the OAuth2 request. Allowed values are "query" and "form_post". Defaults to "query". +- `oidc_response_mode` `(string: )` - The response mode to be used in the OAuth2 request. Allowed values are "query" and "form_post". Defaults to "query". If using Vault namespaces, and oidc_response_mode is "form_post", then "namespace_in_state" should be set to false. - `oidc_response_types` `(comma-separated string, or array of strings: )` - The response types to request. Allowed values are "code" and "id_token". Defaults to "code". Note: "id_token" may only be used if "oidc_response_mode" is set to "form_post". - `jwks_url` `(string: )` - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys". 
@@ -43,7 +43,7 @@ set. - `jwt_supported_algs` `(comma-separated string, or array of strings: )` - A list of supported signing algorithms. Defaults to [RS256]. ([Available algorithms](https://github.com/hashicorp/vault-plugin-auth-jwt/blob/master/vendor/github.com/coreos/go-oidc/jose.go#L7) + EdDSA) - `default_role` `(string: )` - The default role to use if none is provided during login. - `provider_config` `(map: )` - Configuration options for provider-specific handling. Providers with specific handling include Azure; the options are described in each provider's section in [OIDC Provider Setup](/docs/auth/jwt_oidc_providers) -- `namespace_in_state` `(bool: false)` - Pass namespace in the state parameter instead of as a separate query parameter. With this setting the allowed redirect URL in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. +- `namespace_in_state` `(bool: true)` - Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs. ### Sample Payload diff --git a/website/pages/docs/auth/jwt.mdx b/website/pages/docs/auth/jwt.mdx index d86477e9cb..e70422c558 100644 --- a/website/pages/docs/auth/jwt.mdx +++ b/website/pages/docs/auth/jwt.mdx 
@@ -145,14 +145,16 @@ Logging in via the Vault UI requires a redirect URI of the form: The "host:port" must be correct for the Vault server, and "path" must match the path the JWT backend is mounted at (e.g. "oidc" or "jwt"). -By default, if [namespaces](/docs/enterprise/namespaces) are being used, + +Prior to Vault 1.6, if [namespaces](/docs/enterprise/namespaces) are in use, they must be added as query parameters, for example: `https://vault.example.com:8200/ui/vault/auth/oidc/oidc/callback?namespace=my_ns` -However, as of Vault 1.6, it is no longer necessary to add the namespace as a -query parameter in the redirect URI, if -[`namespace_in_state`](/api-docs/auth/jwt#namespace_in_state) is set to `true`. +For Vault 1.6+, it is no longer necessary to add the namespace as a query +parameter in the redirect URI, if +[`namespace_in_state`](/api-docs/auth/jwt#namespace_in_state) is set to `true`, +which is the default for new configs. ### OIDC Login (Vault UI)
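Review bot: In the first hunk (api-docs `oidc_response_mode`), the added sentence states the constraint but not its consequence: a reader cannot tell from "then "namespace_in_state" should be set to false" whether violating it makes login fail outright or silently drops the namespace, so please say which. Since the second hunk flips the `namespace_in_state` default to `true`, also make explicit that a `form_post` deployment with namespaces must now override that default. Style: the other parameter names in this list are in backticks, so `oidc_response_mode` and `namespace_in_state` should be too, ideally with `namespace_in_state` linked to its own entry as the jwt.mdx hunk does.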
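Review bot: In the second hunk (`namespace_in_state`), the signature now reads `(bool: true)` while the trailing sentence says "Defaults to true for new configs", which leaves the behaviour of configs that existed before the upgrade undocumented; if they retain the previous `false`, state that explicitly, because those users still need the namespace query parameter in their redirect URL and will otherwise assume the new default applies to them. It would also help to define "new configs" (a config written on 1.6+ with the parameter unset?). The hunk also says the namespace is passed in the "OIDC state parameter" but does not mention the `form_post` restriction introduced in the first hunk; cross-reference it here so both constraints are visible from the parameter a reader is most likely to look up. Minor: "vault namespaces" should be "Vault namespaces" to match the rest of the page.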
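Review bot: In the third hunk (docs/auth/jwt.mdx), the bare `+` line inserted before "Prior to Vault 1.6" looks unintentional; check that it does not leave two consecutive blank lines after the "(e.g. "oidc" or "jwt")" paragraph. More substantively, the rewritten paragraph now presents the `?namespace=my_ns` query-parameter form as a pre-1.6 requirement only, but under this same patch a 1.6+ deployment using `form_post` must set `namespace_in_state` to `false` and therefore still needs the query parameter in its redirect URI (and so does any pre-existing config that keeps the old default); suggest adding a sentence such as "If `namespace_in_state` is `false` (required for `form_post`, and the value retained by configs created before 1.6), the namespace query parameter is still required" so the redirect URI the operator allowlists at the provider matches what Vault will actually send.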