From 4cb020fb3fa1df66b4539d2ed046a63d2db5cf7c Mon Sep 17 00:00:00 2001 
From: Jim
Date: Mon, 24 Jul 2023 13:16:10 -0400
Subject: [PATCH] docs (domain/OIDC): add domain docs for OIDC auth method attributes (#3490)

* docs (domain/OIDC): add domain docs for OIDC auth method attributes

* Update website/content/docs/concepts/domain-model/auth-methods.mdx

Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>

* Update website/content/docs/concepts/domain-model/auth-methods.mdx

Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>

* Update website/content/docs/concepts/domain-model/auth-methods.mdx

Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>

* Update website/content/docs/concepts/domain-model/auth-methods.mdx

Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>

* Update website/content/docs/concepts/domain-model/auth-methods.mdx

Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>

* Update website/content/docs/concepts/domain-model/auth-methods.mdx

Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>

* Update website/content/docs/concepts/domain-model/auth-methods.mdx

Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>

* Update website/content/docs/concepts/domain-model/auth-methods.mdx

Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>

* Update website/content/docs/concepts/domain-model/auth-methods.mdx

Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>

* Update website/content/docs/concepts/domain-model/auth-methods.mdx

Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>

* Update website/content/docs/concepts/domain-model/auth-methods.mdx

Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>

* fixup!
docs (domain/OIDC): add domain docs for OIDC auth method attributes --------- Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com> --- .../concepts/domain-model/auth-methods.mdx | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/website/content/docs/concepts/domain-model/auth-methods.mdx b/website/content/docs/concepts/domain-model/auth-methods.mdx index 3521db8ca7..1cc2464f6e 100644 --- a/website/content/docs/concepts/domain-model/auth-methods.mdx +++ b/website/content/docs/concepts/domain-model/auth-methods.mdx 
@@ -31,6 +31,59 @@ The password auth method has the following additional attributes: - `min_password_length` - (required) The default is 8. +### OIDC auth method attributes + +The OIDC auth method has the following additional attributes: + +- `account_claim_maps` (optional list) These are a map from custom + claims to the standard claims of sub, name, and email. These maps are + represented as key=value where the key equals the provider from-claim and the + value equals the Boundary to-claim. For example "oid=sub". You can specify this attribute + multiple times for different to-claims. + +- `allowed_audiences` (optional list) Audiences for which provider + responses are allowed. + +- `api_url_prefix` (required) The API prefix to use when generating callback URLs + for the provider. You should set the value to an address that allows the provider to reach + the controller. + +- `callback_url` (output read-only) The URL that should be provided to the IdP + for callbacks. + +- `claims_scopes` (optional list) The claims scope requested. You can specify this attribute + multiple times. + +- `client_id` (required) The OAuth 2.0 client identifier this auth method should + use with the provider. + +- `client-secret` (required) The corresponding client secret. + +- `client_secret_hmac` (output read-only) The HMAC of the client secret that the Boundary controller + returns. It is used for comparison to the value's initial setting. + +- `disable_discovered_config_validation` (optional) Disables validation logic + to ensure that the OIDC provider's information from its discovery endpoint + matches the information here. The validation is only performed at create or + update time. + +- `idp_ca_certs` - (optional) PEM-encoded X.509 CA certificate that can be used + as trust anchors when you connect to an OIDC provider. You can specify this attribute + multiple times. + +- `issuer` - (required) The provider's issuer URL. 
This value must match the issuer + field in generated tokens. + +- `max_age` (optional) The max age to send to the provider. This value indicates how + much time is allowed to have passed since the last authentication before the + user is challenged again. A value of `0` sets an immediate requirement for all + users to reauthenticate, and an unset `maxAge` results in a Terraform value of + -1 and the default TTL of the chosen OIDC is used. + +- `signing-algorithm` (required) The allowed signing algorithm. You can specify this attribute + multiple times for multiple values. + + ### LDAP auth method attributes Beta The ldap auth method has the following additional attributes:
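Review bot: the attribute names `client-secret` and `signing-algorithm` use hyphens while every other attribute in the new list (`client_id`, `client_secret_hmac`, `max_age`, `idp_ca_certs`) uses underscores, and the hunk itself refers to the secret's HMAC as `client_secret_hmac`; these two entries should read `client_secret` and `signing_algorithm` so a reader copying the names gets the ones the API actually accepts. In the same list, the `idp_ca_certs` and `issuer` entries carry a stray ` - ` after the backticks that the other OIDC entries lack, and the `max_age` entry switches to `maxAge` mid-sentence and explains the unset case as "a Terraform value of -1", which is a Terraform-provider detail rather than a domain-model one; suggest "an unset `max_age` leaves the provider's default TTL in effect." Finally, the `disable_discovered_config_validation` entry would be clearer with one sentence on the consequence: when validation is disabled, a mismatch between the configured issuer or signing algorithms and the provider's discovery document is not detected at create or update time, so the operator is relying entirely on the values entered here.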