Jan 2026 audit - docs: inputs: http doc missing section for oauth2 JWT #2500
Description
pipeline/inputs/http.md —
Commits: 0059149e5 — in_http: add OAuth2 JWT validation support + ddd2aa1fa — input: add OAuth2 JWT config map support
The HTTP input now supports server-side OAuth2 JWT validation of incoming bearer tokens. None of these parameters or the feature are documented.
- Add to config parameters table:
| Key | Description | Default |
|---|---|---|
| oauth2.validate | Enable OAuth2 JWT validation for incoming requests. | false |
| oauth2.issuer | Expected issuer (iss) claim. Required when oauth2.validate is true. | none |
| oauth2.jwks_url | JWKS endpoint URL used to fetch public keys. Required when oauth2.validate is true. | none |
| oauth2.allowed_audience | Audience claim to enforce when validating tokens. | none |
| oauth2.allowed_clients | Authorized client_id or azp claim values. Can be specified multiple times. | none |
| oauth2.jwks_refresh_interval | How often in seconds to refresh cached JWKS keys. | 300 |
- Add a usage section explaining the feature: when oauth2.validate true is set, incoming requests must carry a valid bearer token; oauth2.issuer and
oauth2.jwks_url are both required; JWKS is fetched lazily on first request.