Skip to content

Commit 40a8f3c

Browse files
committed
chore: regenerate for upstream verify_bearer_signature OIDC field
New field landed on github.com/tetrateio/tetrate:master independently of this repo's own changes; picked up now that the dependency is pinned to a real upstream commit instead of the stale local replace.
1 parent b4386c0 commit 40a8f3c

2 files changed

Lines changed: 9 additions & 5 deletions

File tree

docs/resources/oidc.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -93,6 +93,7 @@ Optional:
9393
- `groups_claim` (String) GroupsClaim selects which OIDC token claim carries the user's group memberships, matched against each team's `oidc_groups` during reconciliation. Defaults to "groups". Ignored for providers whose groups are resolved via an external directory (GroupSync.group_source) rather than a token claim.
9494
- `provider_name` (String) ProviderName is recorded on the created user's `provider_name` field, identifying which configured identity provider the user originated from (for example "google", "azure-oidc", or "pingam"). Empty leaves the field unset.
9595
- `subject_claim` (String) SubjectClaim selects which OIDC claim becomes the TSB principal name. Valid values: "sub" (default; recommended), "email", "preferred_username", and "email-prefix" (the local part of the "email" claim, preserved for backward compatibility with the legacy Google behavior). An empty value defaults to "sub".
96+
- `verify_bearer_signature` (Boolean) VerifyBearerSignature makes the management-plane apiserver cryptographically verify the IAM-minted session bearer's signature before it provisions a JIT user, rather than trusting the IAM ext-authz edge alone (defense in depth). The apiserver already mounts IAM's signing configuration, so no extra setup is required. Off by default: enable it once the apiserver gRPC port is confirmed reachable only through the IAM front door. An OIDC bearer that fails verification is rejected, so a forged token can neither provision a user nor act as an existing one. See docs/jit/deployment-trust-boundary.md.
9697

9798
<a id="nestedatt--config--jit_provisioning--group_sync"></a>
9899
### Nested Schema for `config.jit_provisioning.group_sync`

internal/provider/models_gen.go

Lines changed: 8 additions & 5 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)