From e69806289afa02756deb96e39edf1279c0ed970b Mon Sep 17 00:00:00 2001
From: Jorge Turrado Ferrero
Date: Tue, 2 Dec 2025 22:45:57 +0100
Subject: [PATCH] chore: Update docs to reflect new oauth parameters
Signed-off-by: Jorge Turrado
---
docs/configuration/configuration.md | 42 ++++++++++++++++++++++++++++-
1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md
index 0b944008ef..09f71b5d3c 100644
--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
@@ -761,16 +761,56 @@ A `tls_config` allows configuring TLS connections. OAuth 2.0 authentication using the client credentials or password grant type. Prometheus fetches an access token from the specified endpoint with -the given client access and secret keys. +the given client access and credentials. ```yaml client_id: + +# OAuth2 grant type to use. It can be one of +# "client_credentials" or "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523). +# Default value is "client_credentials" +[ grant_type: ] + +# Client secret to provide to authorization server. Only used if +# GrantType is set empty or set to "client_credentials". [ client_secret: ] # Read the client secret from a file. # It is mutually exclusive with `client_secret`. [ client_secret_file: ] +# RSA key to sign JWT with. Only used if +# GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer". +[ client_certificate_key: ] + +# Read the RSA key from a file. +# It is mutually exclusive with `client_certificate_key`. +[ client_certificate_key_file: ] + +# JWT kid value to include in the JWT header. Only used if +# GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer". +[ client_certificate_key_id: ] + +# RSA algorithm used to sign JWT token. Only used if +# GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer". +# Default value is RS256 and valid values RS256, RS384, RS512 +[ signature_algorithm: ] + +# OAuth client identifier used when communicating with +# the configured OAuth provider. Default value is client_id. Only used if +# GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer". +[ iss: ] + +# Intended audience of the request. If empty, the value +# of TokenURL is used as the intended audience. Only used if +# GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer". +[ audience: ] + +# Map of claims to be added to the JWT token. Only used if +# GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer". +claims: + [ : ... 
] + # Scopes for the token request. scopes: [ - ... ]