From 3aa6cbc98eab3d6fea89b9f73f8603a49ed2fc76 Mon Sep 17 00:00:00 2001 From: Richard Dennehy Date: Mon, 14 Apr 2025 14:40:29 +0100 Subject: [PATCH 1/6] update JWT realm docs to include at+jwt support --- deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md b/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md index 3e971621b9..bec79808e9 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md @@ -218,9 +218,13 @@ The header claims indicate the token type and the algorithm used to sign the tok : (Required, String) Indicates the algorithm that was used to sign the token, such as `HS256`. The algorithm must be in the realm’s allow list. `typ` -: (Optional, String) Indicates the token type, which must be `JWT`. +: (Optional, String) Indicates the token type, which must either be `JWT` for ID tokens, or `at+jwt` for access tokens. +::::{note} +`at+jwt` is supported on {{stack}} 9.1.0 and above. +:::: + ### Payload claims [jwt-validation-payload] Tokens contain several claims, which provide information about the user who is issuing the token, and the token itself. Depending on the token type, these information can optionally be identified by different claims. From 1d8c0aab2656d39c28efd349d431618b26de3ab8 Mon Sep 17 00:00:00 2001 From: Richard Dennehy Date: Mon, 14 Apr 2025 15:11:22 +0100 Subject: [PATCH 2/6] attempt to clarify phrasing --- .../users-roles/cluster-or-deployment-auth/jwt.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md b/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md index bec79808e9..61ed07c665 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md 
@@ -218,12 +218,11 @@ The header claims indicate the token type and the algorithm used to sign the tok : (Required, String) Indicates the algorithm that was used to sign the token, such as `HS256`. The algorithm must be in the realm’s allow list. `typ` -: (Optional, String) Indicates the token type, which must either be `JWT` for ID tokens, or `at+jwt` for access tokens. +: (Optional, String) Indicates the token type. For an ID token, this must be `JWT`; for access tokens, this must be `JWT` or `at+jwt`. - -::::{note} +:::{note} `at+jwt` is supported on {{stack}} 9.1.0 and above. -:::: +::: ### Payload claims [jwt-validation-payload] From 05f4a9bba6a8842cbc7e443026ce3bdb99715ee7 Mon Sep 17 00:00:00 2001 From: Richard Dennehy Date: Tue, 15 Apr 2025 14:59:21 +0100 Subject: [PATCH 3/6] use inline applies_to instead of note --- .../users-roles/cluster-or-deployment-auth/jwt.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md b/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md index 61ed07c665..97e4e86ed8 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md @@ -218,11 +218,12 @@ The header claims indicate the token type and the algorithm used to sign the tok : (Required, String) Indicates the algorithm that was used to sign the token, such as `HS256`. The algorithm must be in the realm’s allow list. `typ` -: (Optional, String) Indicates the token type. For an ID token, this must be `JWT`; for access tokens, this must be `JWT` or `at+jwt`. - -:::{note} -`at+jwt` is supported on {{stack}} 9.1.0 and above. -::: +: (Optional, String) Indicates the token type. +For an ID token, this must be +- `JWT` +For access tokens, this must be one of +- `JWT` +- `at+jwt` {applies_to}`stack: ga 9.1` ### Payload claims [jwt-validation-payload] 
From 61e1bdca04d2f705d49077b6a6efeb79ed41b7e7 Mon Sep 17 00:00:00 2001 From: Richard Dennehy Date: Tue, 15 Apr 2025 15:04:58 +0100 Subject: [PATCH 4/6] fix formatting --- deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md b/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md index 97e4e86ed8..c081add978 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md @@ -218,9 +218,11 @@ The header claims indicate the token type and the algorithm used to sign the tok : (Required, String) Indicates the algorithm that was used to sign the token, such as `HS256`. The algorithm must be in the realm’s allow list. `typ` -: (Optional, String) Indicates the token type. +: (Optional, String) Indicates the token type. + For an ID token, this must be -- `JWT` +- `JWT` + For access tokens, this must be one of - `JWT` - `at+jwt` {applies_to}`stack: ga 9.1` From 156379f39712320033729c1a1a4b1e32536236c2 Mon Sep 17 00:00:00 2001 From: Richard Dennehy Date: Tue, 15 Apr 2025 15:10:32 +0100 Subject: [PATCH 5/6] fix formatting --- .../users-roles/cluster-or-deployment-auth/jwt.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md b/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md index c081add978..9629b5bd72 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md 
@@ -219,13 +219,13 @@ The header claims indicate the token type and the algorithm used to sign the tok `typ` : (Optional, String) Indicates the token type. - -For an ID token, this must be -- `JWT` - -For access tokens, this must be one of -- `JWT` -- `at+jwt` {applies_to}`stack: ga 9.1` + + For an ID token, this must be + - `JWT` + + For access tokens, this must be one of + - `JWT` + - `at+jwt` {applies_to}`stack: ga 9.1` ### Payload claims [jwt-validation-payload] From cd9e4b8619df0be15ab0110774887dc9ad4701da Mon Sep 17 00:00:00 2001 From: Richard Dennehy Date: Tue, 15 Apr 2025 15:15:59 +0100 Subject: [PATCH 6/6] fix formatting --- .../users-roles/cluster-or-deployment-auth/jwt.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md b/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md index 9629b5bd72..d05003c40e 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md @@ -220,12 +220,12 @@ The header claims indicate the token type and the algorithm used to sign the tok `typ` : (Optional, String) Indicates the token type. - For an ID token, this must be - - `JWT` + For an ID token, this must be + - `JWT` - For access tokens, this must be one of - - `JWT` - - `at+jwt` {applies_to}`stack: ga 9.1` + For access tokens, this must be one of + - `JWT` + - `at+jwt` {applies_to}`stack: ga 9.1` ### Payload claims [jwt-validation-payload]
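Review bot: in [PATCH 1/6], the new `typ` line ("must either be `JWT` for ID tokens, or `at+jwt` for access tokens") reads as if an access token carrying `typ: JWT` would be rejected, which [PATCH 2/6] then reverses by allowing `JWT` or `at+jwt` for access tokens. If the 2/6 wording is the accurate one, squash the two patches so the history never carries the stricter statement. The trailing context line of this hunk, "these information can optionally be identified", should read "this information"; worth fixing while the section is being touched.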
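Review bot: in [PATCH 3/6], the added lines "For an ID token, this must be" and the `- JWT` / `- at+jwt` bullets start at column 0 directly under the `: (Optional, String)` definition line, and the three follow-up patches (4/6, 5/6, 6/6, all titled "fix formatting") then have to add blank lines and re-indent them. Indent the continuation under the definition in this patch and squash the follow-ups into it, so the series has one commit per actual change. This hunk also replaces the `{note}` sentence "`at+jwt` is supported on {{stack}} 9.1.0 and above" with the inline {applies_to}`stack: ga 9.1`; please confirm in the rendered preview that the badge attaches only to the `at+jwt` bullet and not to the whole list.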
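Review bot: in [PATCH 6/6], the final `typ` text still labels the header "(Optional, String)" while both branches say "this must be", so a reader cannot tell what happens to a token that omits `typ`. State that the constraint applies only when the header is present, and say how a token without it is treated. The one-item list under "For an ID token" would read better inline ("For ID tokens, this must be `JWT`."), which also matches the plural "access tokens" in the next sentence. Since the two allowed values are written in different cases (`JWT`, `at+jwt`), it would help to say whether the comparison is case-sensitive.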