From ca5715564f0fdf77264ea10400b1098b236cbd19 Mon Sep 17 00:00:00 2001
From: Steven Clark
Date: Mon, 12 Dec 2022 18:08:00 +0000
Subject: [PATCH] backport of commit 6795afe14dda1adb62568cab5ec0b3f4dc77710c

---
 builtin/credential/cert/path_certs.go | 2 +-
 website/content/api-docs/auth/cert.mdx | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/builtin/credential/cert/path_certs.go b/builtin/credential/cert/path_certs.go
index 00e103b51a561..d303dec15d46c 100644
--- a/builtin/credential/cert/path_certs.go
+++ b/builtin/credential/cert/path_certs.go
@@ -117,7 +117,7 @@ All values much match. Supports globbing on "value".`,
 "allowed_metadata_extensions": {
 Type: framework.TypeCommaStringSlice,
 Description: `A comma-separated string or array of oid extensions.
-Upon successfull authentication, these extensions will be added as metadata if they are present
+Upon successful authentication, these extensions will be added as metadata if they are present
 in the certificate. The metadata key will be the string consisting of the oid numbers separated
 by a dash (-) instead of a dot (.) to allow usage in ACL templates.`,
 },
diff --git a/website/content/api-docs/auth/cert.mdx b/website/content/api-docs/auth/cert.mdx
index 0aee9430fa072..9ac2f0a0c7de2 100644
--- a/website/content/api-docs/auth/cert.mdx
+++ b/website/content/api-docs/auth/cert.mdx
@@ -61,6 +61,11 @@ Sets a CA cert and associated parameters in a role name.
 string or array of `oid:value`. Expects the extension value to be some type
 of ASN1 encoded string. All conditions _must_ be met. Supports globbing on
 `value`.
+- `allowed_metadata_extensions` `(array:[])` - A comma separated string or
+ array of oid extensions. Upon successful authentication, these extensions
+ will be added as metadata if they are present in the certificate. The
+ metadata key will be the string consisting of the oid numbers separated
+ by a dash (-) instead of a dot (.) to allow usage in ACL templates.
 - `display_name` `(string: "")` - The `display_name` to set on tokens issued
 when authenticating against this CA certificate. If not set, defaults to the
 name of the role.
@@ -294,6 +299,9 @@ Configuration options for the method.
 - `disable_binding` `(boolean: false)` - If set, during renewal, skips the
 matching of presented client identity with the client identity used during
 login.
+- `enable_identity_alias_metadata` `(boolean: false)` - If set, metadata of
+ the certificate including the metadata corresponding to
+ `allowed_metadata_extensions` will be stored in the alias

 ### Sample Payload