deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md
Lines changed: 16 additions & 2 deletions
@@ -121,10 +121,22 @@ Client authentication is enabled by default for the JWT realms. Disabling client
121
121
: Indicates that {{es}} should use the `RS256` or `HS256` signature algorithms to verify the signature of the JWT from the JWT issuer.
122
122
123
123
`pkc_jwkset_path`
124
-
: The file name or URL to a JSON Web Key Set (JWKS) with the public key material that the JWT Realm uses for verifying token signatures. A value is considered a file name if it does not begin with `https`. The file name is resolved relative to the {{es}} configuration directory. If a URL is provided, then it must begin with `https://` (`http://` is not supported). {{es}} automatically caches the JWK set and will attempt to refresh the JWK set upon signature verification failure, as this might indicate that the JWT Provider has rotated the signing keys.
124
+
: The file name or URL to a JSON Web Key Set (JWKS) with the public key material that the JWT Realm uses for verifying token signatures. A value is considered a file name if it does not begin with `https`. The file name is resolved relative to the {{es}} configuration directory. If a URL is provided, then it must begin with `https://` (`http://` is not supported). {{es}} automatically caches the JWK set and will attempt to refresh the JWK set upon signature verification failure, as this might indicate that the JWT Provider has rotated the signing keys. Background JWKS reloading can also be configured with the setting `pkc_jwkset_reload.enabled`. This ensures that rotated keys are automatically discovered and used to verify JWT signatures.
125
+
126
+
`pkc_jwkset_reload.enabled` {applies_to}`stack: ga 9.3`
127
+
: Indicates whether JWKS background reloading is enabled. Defaults to `false`.
128
+
129
+
`pkc_jwkset_reload.file_interval` {applies_to}`stack: ga 9.3`
130
+
: Specifies the reload interval for file-based JWKS. Defaults to `5m`.
131
+
132
+
`pkc_jwkset_reload.url_interval_min` {applies_to}`stack: ga 9.3`
133
+
: Specifies the minimum reload interval for URL-based JWKS. The `Expires` and `Cache-Control` HTTP response headers inform the reload interval. This configuration setting is the lower bound of what is considered, and it is also the default interval in the absence of useful response headers. Defaults to `1h`.
134
+
135
+
`pkc_jwkset_reload.url_interval_max` {applies_to}`stack: ga 9.3`
136
+
: Specifies the maximum reload interval for URL-based JWKS. This configuration setting is the upper bound of what is considered from header responses (`5d`).
125
137
126
138
`claims.principal`
127
-
: The name of the JWT claim that contains the user’s principal (username).
139
+
: The name of the JWT claim that contains the user’s principal. Defaults to `username`.
128
140
129
141
::::
130
142
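Review bot: The `pkc_jwkset_reload.url_interval_max` entry does not state its default in the same form as the other new settings; "the upper bound of what is considered from header responses (`5d`)" leaves it unclear whether `5d` is the default value or a hard ceiling. Suggest matching the `url_interval_min` wording: "This configuration setting is the upper bound of what is considered from response headers. Defaults to `5d`." Two further points in this hunk: the `file_interval` and `url_interval_*` descriptions should say they only take effect when `pkc_jwkset_reload.enabled` is `true` (and, as the later section notes, only for the PKC JWKS, not HMAC), and the `claims.principal` edit from "principal (username)" to "principal. Defaults to `username`" changes meaning rather than wording and is unrelated to the JWKS reload feature, so please confirm it is intended here rather than a stray change. Also worth adding to the `url_interval_min` text is why the lower bound exists: it prevents `Cache-Control`/`Expires` headers from a misbehaving JWKS endpoint from driving the realm into constant refetching.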
@@ -434,6 +446,8 @@ PKC JSON Web Token Key Sets (JWKS) can contain public RSA and EC keys. HMAC JWKS
434
446
435
447
JWT realms load a PKC JWKS and an HMAC JWKS or HMAC UTF-8 JWK at startup. JWT realms can also reload PKC JWKS contents at runtime; a reload is triggered by signature validation failures.
436
448
449
+
JWT realms can also be configured to reload a PKC JWKS periodically in the background.
450
+
437
451
::::{note}
438
452
HMAC JWKS or HMAC UTF-8 JWK reloading is not supported at this time.
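Review bot: The added sentence should name the setting that turns this behaviour on so readers can act on it, e.g. "JWT realms can also be configured to reload a PKC JWKS periodically in the background by setting `pkc_jwkset_reload.enabled` to `true`." It would also help to state that background reloading is in addition to, not a replacement for, the failure-triggered reload described in the preceding sentence. Minor: the two blank `+` lines around the new sentence leave a double blank line before the `::::{note}` block; one is enough.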