From 451f2a6f36f7d14b14a218b63e90d2f2c603a9fe Mon Sep 17 00:00:00 2001 From: Jim Kalafut Date: Fri, 12 Apr 2019 14:08:02 -0700 Subject: [PATCH] Update JWT docs for bound_claims improvements (#6559) --- website/source/api/auth/jwt/index.html.md | 1 + website/source/docs/auth/jwt.html.md | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/website/source/api/auth/jwt/index.html.md b/website/source/api/auth/jwt/index.html.md index 812656cdd5..17b72b0ed1 100644 --- a/website/source/api/auth/jwt/index.html.md +++ b/website/source/api/auth/jwt/index.html.md @@ -124,6 +124,7 @@ entities attempting to login. At least one of the bound values must be set. source address for login requests. This value is also encoded into any resulting token. - `bound_claims` `(map: )` - If set, a map of claims/values to match against. + The expected value may be a single string or a list of strings. - `groups_claim` `(string: )` - The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim diff --git a/website/source/docs/auth/jwt.html.md b/website/source/docs/auth/jwt.html.md index 541e56cefd..a49cb54cd0 100644 --- a/website/source/docs/auth/jwt.html.md +++ b/website/source/docs/auth/jwt.html.md @@ -43,6 +43,15 @@ to: Only JWTs containing both the "division" and "department" claims, and respective matching values of "Europe" and "Engineering", would be authorized. +If the expected value is a list, the claim must match one of the items in the list. +To limit authorization to a set of email addresses: + +```json +{ + "email": ["fred@example.com", "julie@example.com"] +} +``` + ### Claims as Metadata
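Review bot: In the website/source/api/auth/jwt/index.html.md hunk, the added line "The expected value may be a single string or a list of strings." says which types are accepted but not how a list is evaluated. The any-of rule is stated only in docs/auth/jwt.html.md, so a reader of the API reference alone cannot tell whether a list means "any of" or "all of". Because bound_claims decides who may log in, the parameter description should state the rule itself, for example by appending "If a list is given, the claim must match one of the items." It would also help to say how this combines with multiple keys in the map, since the docs example with "division" and "department" requires every key to match.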
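Review bot: In the website/source/docs/auth/jwt.html.md hunk, the sentence "the claim must match one of the items in the list" leaves the comparison undefined, and the example that follows uses email addresses, where that matters. Please state whether the match is an exact, case-sensitive string comparison, so operators know whether "Fred@example.com" would satisfy an entry of "fred@example.com". The text also does not say what happens when the claim in the token is itself a list rather than a single string. Rewording to "must match at least one of the items" would remove the "exactly one" reading.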