diff --git a/docs/router/authentication-and-authorization.mdx b/docs/router/authentication-and-authorization.mdx index e69768a9..495c11c3 100644 --- a/docs/router/authentication-and-authorization.mdx +++ b/docs/router/authentication-and-authorization.mdx @@ -30,6 +30,9 @@ In the current router version, the configuration and behavior of authentication refresh_interval: 2m # optional list of allowed algorithms per JWKS algorithms: ["RS256", "EdDSA", "HS512"] + audiences: + - http://aud1 + - http://aud2 - symmetric_algorithm: HS256 secret: header_key_id: some-key-id diff --git a/docs/router/configuration.mdx b/docs/router/configuration.mdx index 89437326..86692ec0 100644 --- a/docs/router/configuration.mdx +++ b/docs/router/configuration.mdx @@ -1427,6 +1427,14 @@ This is useful when you have a symmetric key that you cannot expose through a JW | symmetric_algorithm | | Specify which symmetric algorithm is used for signing, supported algorithms are "HS256", "HS384", "HS512" | | +#### Audience Validation +In addition to the above JWKS configuration flavours, you can define a list of audiences of which one is required (if specified) with either options. + +| YAML | Required | Description | Default Value | +| --------------------------------------------------------------------------- | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -----------------| +| audiences | | The allowed list of audiences, of which at least one audience is required in the token | [] | + + ### JWT | YAML | Required | Description | Default Value |
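Review bot: In the authentication-and-authorization.mdx hunk, the new `audiences:` key has no explanatory comment, while the `algorithms` line directly above it carries one ("# optional list of allowed algorithms per JWKS"). Please add a matching comment above `audiences:` saying that the list is optional and that a token must carry at least one of the listed audiences, so the example is self-explanatory without a trip to configuration.mdx. The example also shows `audiences` only on the first JWKS entry, although configuration.mdx says it applies "with either options"; either show it on the `symmetric_algorithm` entry too, or say in the comment that it is set per entry.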
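Review bot: In the configuration.mdx hunk, the sentence under "Audience Validation" ("a list of audiences of which one is required (if specified) with either options") leaves the enforcement rules ambiguous. The default is `[]`, so the text should state explicitly whether an empty or omitted list means the `aud` claim is not checked at all, since readers will otherwise assume audience validation is on. It should also say what happens to a token with no `aud` claim when `audiences` is configured, and whether `aud` is matched both as a single string and as an array. Wording nit: "with either options" should read "with either option", and the intro sentence says "one is required" while the table says "at least one"; use the same phrasing in both places.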