From 7d8a6a379d2307b60f171a3d8e1a59edeb2a6488 Mon Sep 17 00:00:00 2001 From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:16:23 -0500 Subject: [PATCH] Update JWT documentation to recommend only using jwt_header or audit logging not both (#5914) * readd auth token doc Signed-off-by: Stephen Crawford * Fix vale Signed-off-by: Stephen Crawford * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Apply suggestions from code review Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Apply suggestions from code review Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Fix embedded command Signed-off-by: Stephen Crawford * Blank lines after headings Signed-off-by: Stephen Crawford * Update _security/access-control/authentication-tokens.md Co-authored-by: Melissa Vagi Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: Melissa Vagi Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: Melissa Vagi Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: Melissa Vagi Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * change Signed-off-by: Stephen Crawford * Update _security/access-control/authentication-tokens.md Co-authored-by: Melissa Vagi Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: Melissa Vagi Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: Melissa Vagi Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: Melissa Vagi Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: Melissa Vagi Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: Melissa Vagi Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Melissa Vagi Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Style guidelines Signed-off-by: Stephen Crawford * Update _security/access-control/authentication-tokens.md Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Apply suggestions from code review Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * Update _security/access-control/authentication-tokens.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> * warn about audit logging of custom headers Signed-off-by: Stephen Crawford * Update _security/authentication-backends/jwt.md Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> --------- Signed-off-by: Stephen Crawford Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Co-authored-by: Melissa Vagi Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- _security/authentication-backends/jwt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_security/authentication-backends/jwt.md b/_security/authentication-backends/jwt.md index 629b6266f8..846004d45c 100644 --- a/_security/authentication-backends/jwt.md +++ b/_security/authentication-backends/jwt.md @@ -116,7 +116,7 @@ The following table lists the configuration parameters. Name | Description :--- | :--- `signing_key` | The signing key to use when verifying the token. If you use a symmetric key algorithm, it is the base64-encoded shared secret. If you use an asymmetric algorithm, it contains the public key. -`jwt_header` | The HTTP header in which the token is transmitted. This is typically the `Authorization` header with the `Bearer` schema: `Authorization: Bearer `. Default is `Authorization`. +`jwt_header` | The HTTP header in which the token is transmitted. This is typically the `Authorization` header with the `Bearer` schema,`Authorization: Bearer `. Default is `Authorization`. Replacing this field with a value other than `Authorization` prevents the audit log from properly redacting the JWT header from audit messages. It is recommended that users only use `Authorization` when using JWTs with audit logging. `jwt_url_parameter` | If the token is not transmitted in the HTTP header but rather as an URL parameter, define the name of the parameter here. `subject_key` | The key in the JSON payload that stores the username. If not set, the [subject](https://tools.ietf.org/html/rfc7519#section-4.1.2) registered claim is used. `roles_key` | The key in the JSON payload that stores the user's roles. The value of this key must be a comma-separated list of roles.