diff --git a/website/content/api-docs/auth/jwt.mdx b/website/content/api-docs/auth/jwt.mdx index 531b472bc9..85a3e051f4 100644 --- a/website/content/api-docs/auth/jwt.mdx +++ b/website/content/api-docs/auth/jwt.mdx @@ -112,8 +112,9 @@ entities attempting to login. At least one of the bound values must be set. - `name` `(string: )` - Name of the role. - `role_type` `(string: )` - Type of role, either "oidc" (default) or "jwt". - `bound_audiences` `(array: )` - List of `aud` claims to match against. - Any match is sufficient. Required for "jwt" roles if the JWT has an `aud` - claim. Optional for "oidc" roles. + The `bound_audiences` parameter is required for "jwt" roles that contain an + audience (typical case) and **must** match at least one of the associated JWT + `aud` claims. - `user_claim` `(string: )` - The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. The claim value must be a string. diff --git a/website/content/docs/auth/jwt/index.mdx b/website/content/docs/auth/jwt/index.mdx index baae41c23c..f8e85c6a48 100644 --- a/website/content/docs/auth/jwt/index.mdx +++ b/website/content/docs/auth/jwt/index.mdx @@ -10,8 +10,9 @@ description: >- @include 'x509-sha1-deprecation.mdx' ~> **Note**: Starting in Vault 1.17, if the JWT in the authentication request -contains an `aud` claim, the associated `bound_audiences` for the "jwt" role -must match at least one of the `aud` claims declared for the JWT. For +contains an `aud` claim (typical case) the associated `bound_audiences` for the +"jwt" role must **exactly** match at least one of the `aud` claims declared for +the JWT. For additional details, refer to the [JWT auth method (API)](/vault/api-docs/auth/jwt) documentation and [1.17 Upgrade Guide](/vault/docs/upgrading/upgrade-to-1.17.x#jwt-auth-login-requires-bound-audiences-on-the-role). 
@@ -214,7 +215,7 @@ backend instance per method at different paths. After verifying the JWT signatures, Vault checks the corresponding `aud` claim. If the JWT in the authentication request contains an `aud` claim, the -associated `bound_audiences` for the role must match at least one of the `aud` +associated `bound_audiences` for the role must **exactly** match at least one of the `aud` claims declared for the JWT. ### Via the CLI @@ -324,7 +325,7 @@ In some cases there are dedicated parameters, for example `bound_subject`, that must match the provided `sub` claim. For roles of type "jwt": 1. the `bound_audiences` parameter is required when an `aud` claim is set. -1. the `bound_audiences` parameter must match at least one of provided `aud` claims. +1. the `bound_audiences` parameter must **exactly** match at least one of provided `aud` claims. You can also configure roles to check an arbitrary set of claims and required values with the `bound_claims` map. For example, assume `bound_claims` is set to:
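Review bot: The first hunk (api-docs/auth/jwt.mdx, `bound_audiences` description) drops the statement "Optional for "oidc" roles." without replacing it, so the API reference no longer says how the parameter behaves for the default "oidc" role type; keep that sentence. The new wording "required for "jwt" roles that contain an audience" also misplaces the condition: it is the JWT presented at login that carries the `aud` claim, not the role, so suggest "required for "jwt" roles when the JWT contains an `aud` claim (the typical case)". Finally, this hunk says only "**must** match" while every docs hunk in the same patch says "**exactly** match"; the API reference is where operators look up the precise semantics, so use the same "exactly match" wording here.

Review bot: The second hunk (docs/auth/jwt/index.mdx, the 1.17 note) introduces a run-on: "contains an `aud` claim (typical case) the associated `bound_audiences`" needs a comma after the parenthetical, and "(typical case)" reads better as "(the typical case)". Since the whole point of the patch is the new **exactly** qualifier, this note should also say what "exactly" rules out, for instance whether a `bound_audiences` entry that is only a prefix or substring of an `aud` value is accepted; as written the reader still has to guess what counts as a match.

Review bot: The third hunk (docs/auth/jwt/index.mdx, the `aud` check under "After verifying the JWT signatures") produces a line that is noticeably longer than the surrounding ~80-column wrapping of this file: "associated `bound_audiences` for the role must **exactly** match at least one of the `aud`". Rewrap so "of the `aud`" moves to the following line and the paragraph keeps the file's existing column width.

Review bot: The fourth hunk (docs/auth/jwt/index.mdx, the numbered list for "jwt" roles) carries forward a pre-existing grammar slip on the line it edits: "must **exactly** match at least one of provided `aud` claims" is missing "the"; since the line is being touched anyway, change it to "at least one of the provided `aud` claims". The two list items also duplicate what the 1.17 note at the top of the file says; that is acceptable, but make sure the wording stays identical in both places so the exact-match rule is not stated two slightly different ways.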