From f4978b3efde4ea048f4168eadba3002ee8c97dbb Mon Sep 17 00:00:00 2001 From: Stefan Zhelyazkov Date: Thu, 18 Jan 2024 15:57:30 +0200 Subject: [PATCH] Updating Vault docs for JWT support of numeric bound_claims (#24921) * Add a note that the role name is available as role in entity alias metadata * Update JWT docs for numeric bound_claims --- website/content/api-docs/auth/jwt.mdx | 4 ++-- website/content/docs/auth/jwt/index.mdx | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/website/content/api-docs/auth/jwt.mdx b/website/content/api-docs/auth/jwt.mdx index 267e30863b..f5c8cd252c 100644 --- a/website/content/api-docs/auth/jwt.mdx +++ b/website/content/api-docs/auth/jwt.mdx @@ -134,11 +134,11 @@ entities attempting to login. At least one of the bound values must be set. - `bound_subject` `(string: )` - If set, requires that the `sub` claim matches this value. - `bound_claims` `(map: )` - If set, a map of claims (keys) to match against respective claim values (values). - The expected value may be a single string or a list of strings. The interpretation of the bound + Each expected value may be a string, integer, boolean or a list of strings. The interpretation of the bound claim values is configured with `bound_claims_type`. Keys support [JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer) syntax for referencing claims. - `bound_claims_type` `(string: "string")` - Configures the interpretation of the bound_claims values. - If `"string"` (the default), the values will treated as string literals and must match exactly. + If `"string"` (the default), the values will be treated as literals and must match exactly. If set to `"glob"`, the values will be interpreted as globs, with `*` matching any number of characters. - `groups_claim` `(string: )` - The claim to use to uniquely identify diff --git a/website/content/docs/auth/jwt/index.mdx b/website/content/docs/auth/jwt/index.mdx index 4478dc2631..7d66ac3d8b 100644 
--- a/website/content/docs/auth/jwt/index.mdx +++ b/website/content/docs/auth/jwt/index.mdx @@ -339,7 +339,8 @@ This specifies that the value in the JWT claim "division" should be copied to th "department" claim value will also be copied into metadata but will retain the key name. If a claim is configured in `claim_mappings`, it must existing in the JWT or else the authentication will fail. -Note: the metadata key name "role" is reserved and may not be used for claim mappings. +Note: the metadata key name "role" is reserved and may not be used for claim mappings. Since Vault 1.16 the role name is available +by the key `role` in the alias metadata of the entity after a successful login. ### Claim specifications and JSON pointer
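Review bot: In the `website/content/api-docs/auth/jwt.mdx` hunk, the new `bound_claims` sentence ("Each expected value may be a string, integer, boolean or a list of strings") is not reconciled with the `bound_claims_type` description that follows it, which still says that under `"glob"` "the values will be interpreted as globs". Please state whether integer and boolean bound values are permitted when `bound_claims_type` is `"glob"` and, if they are, how they are compared (exact match, or coerced to a string and glob-matched), since that is exactly the question a user reading the two paragraphs together will have. Also consider keeping a cross-reference from the new non-string types to the token claim's JSON type, e.g. "an integer bound value only matches a JSON number in the token", so that the "must match exactly" wording is unambiguous for `10` vs `"10"`.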
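Review bot: In the `website/content/docs/auth/jwt/index.mdx` hunk, the added sentence reads awkwardly and wraps mid-phrase ("available / by the key"); suggest "Since Vault 1.16 the role name is available under the key `role` in the alias metadata of the entity after a successful login." so the line break falls at a clause boundary. While this paragraph is being touched, the unchanged context line two lines above carries a pre-existing typo, "it must existing in the JWT", which should read "it must exist in the JWT". Finally, since the reservation of `role` now has a concrete consequence (it is populated by Vault itself), it would help to say explicitly that a `claim_mappings` entry targeting `role` is rejected at role write time rather than silently overwritten, if that is the actual behaviour.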