Accepted SPIFFE trust domains. In non-federated setups you usually configure exactly one trust domain.
SPIFFE authentication configurations. Each entry defines a trusted SPIFFE identity that is allowed to authenticate.
| Field | Type | Description |
|---|---|---|
| jwks-uri | string | JWKS (JWK Set) endpoint URL used to fetch the issuer's public keys. Common in OIDC and also used for JWT bundles. |
| jwks-ca-cert | string `<ca-cert>` | One or more root CA certificates in PEM format, used when validating the TLS connection to jwks-uri. Multiple certificates may be concatenated in one string. By default the system root CA bundle is used (see jwks-use-root-ca-certs); configure this leaf when jwks-uri is served under a private CA. TLS verification can be disabled entirely with jwks-tls-verify false. |
| jwks-use-root-ca-certs | boolean, default `true` | Use the system root CA certificate bundle when validating the TLS certificate of jwks-uri. |
| jwks-server-name-indication | string | Override the TLS SNI hostname used when connecting to jwks-uri. By default the hostname from jwks-uri is used. |
| jwks-tls-verify | boolean, default `true` | Verify the TLS certificate of jwks-uri. Set to false only in test environments, never in production. |
| jwks-refresh-interval | string `<duration>`, default `"5m"` | How often to refresh the JWKS from jwks-uri. A duration in years, days, hours, minutes and seconds. |
| jwks-request-timeout | string `<duration>`, default `"5s"` | Timeout for JWKS retrieval. A duration in years, days, hours, minutes and seconds. |
| jwks-cache-max-age | string `<duration>`, default `"1h"` | Maximum time to keep using cached keys if the JWKS fetch fails. A duration in years, days, hours, minutes and seconds. |
| name | string `<name>` | Trust domain name, matching `^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$`. This is compared to the JWT 'iss' claim and also used to validate that 'sub' begins with 'spiffe:// |
| allowed-algorithms | Array of strings `<enumeration>` | JOSE algorithms accepted for signatures, e.g. 'es256', 'es384', 'rs256'. The default set is 'es256', 'es384', 'rs256'. |
| allowed-clock-skew | string `<duration>`, default `"60s"` | Allowed clock skew when validating exp/nbf/iat. A duration in years, days, hours, minutes and seconds. |
| require-exp | boolean, default `true` | Require the 'exp' claim. |
| require-aud | boolean, default `true` | Require the 'aud' claim. |
| issuer | string | Expected 'iss' claim value, e.g. 'https://spiffe.example.com'. If not set, the 'iss' claim is not validated and any issuer is accepted. |
| allowed-audiences | Array of strings | If set, the JWT 'aud' claim must contain at least one of these values. |
| spiffe-id-patterns (required) | Array of objects | Authorization-oriented constraints on the SPIFFE IDs allowed to log in, applied after authentication. Each entry matches a glob pattern against the 'sub' claim, e.g. 'spiffe://example.org/ns/prod/sa/*'. |
| verbose-logging | boolean, default `false` | Enable verbose logging for SPIFFE authentication attempts. Do not enable in production. Log entries appear in the volga topic system:logs on the site where the logging occurred. |
| distribute | object | One of to (object), sites (object) or deployments (object). |
Created
Bad Request
Unauthorized
Forbidden
Not Found
Conflict (instance exists)
Service Unavailable (strongbox sealed)
```yaml
name: example
jwks-uri: https://oidc.example.test:8443/keys
jwks-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIB...REPLACE_ME...==
  -----END CERTIFICATE-----
jwks-use-root-ca-certs: false
jwks-server-name-indication: oidc.example.test
jwks-tls-verify: true
jwks-refresh-interval: 1m
jwks-request-timeout: 3s
jwks-cache-max-age: 30m
allowed-algorithms:
  - es256
allowed-clock-skew: 1m
require-exp: true
require-aud: true
issuer: https://oidc.example.test:8443
allowed-audiences:
  - avassa-dev
spiffe-id-patterns:
  - name: spiffe://example.org/ns/dev/*
    token-ttl: 1d
    token-max-ttl: 30d
    token-policies:
      - user
    token-auto-bound-cidrs: host
    token-bound-cidrs:
      - 192.168.1.0/24
    token-explicit-max-ttl: 0s
    token-no-default-policy: false
    token-num-uses: 1
    token-period: 0s
    token-type: default
    token-renewable: true
    token-spiffe-jwt:
      jwt-audiences:
        - popcorn
    token-spiffe-x509:
      cert-type: client
      server-ext-usage: false
      client-ext-usage: true
      code-signing-ext-usage: false
      full-authority-key-identifier: false
verbose-logging: false
distribute:
  to: all
```
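The field table above amounts to a claim-validation policy (issuer, require-exp/require-aud, allowed-audiences, allowed-algorithms, allowed-clock-skew and the spiffe-id-patterns glob on 'sub'). The Python below is an added illustration, not Strongbox code: it applies those rules to a token whose signature has already been verified against the JWKS, using a constructed configuration that mirrors the example body. It assumes fnmatch glob semantics for the patterns and a `<number><unit>` duration syntax, since the page spells out neither.

```python
import fnmatch
import re
from dataclasses import dataclass

# Suffixes assumed for the <duration> fields (the page's format description did not survive).
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}

def parse_duration(text: str) -> int:
    """'60s', '1m', '1d12h' -> seconds; assumed syntax, anything else is rejected."""
    parts = re.findall(r"(\d+)([ydhms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

@dataclass
class SpiffeAuthConfig:
    """Request-body fields that govern claim validation, with the table's defaults."""
    issuer: str = ""                        # empty: 'iss' is not validated at all
    allowed_algorithms: tuple = ("es256", "es384", "rs256")
    allowed_clock_skew: str = "60s"
    require_exp: bool = True
    require_aud: bool = True
    allowed_audiences: tuple = ()
    spiffe_id_patterns: tuple = ()          # glob patterns for 'sub'; fnmatch semantics assumed

def evaluate(cfg: SpiffeAuthConfig, header: dict, claims: dict, now: float):
    """Apply the configured rules to a JWT whose signature was already verified against the JWKS.
    Returns (accepted, reason); reason names the first rule that failed."""
    skew = parse_duration(cfg.allowed_clock_skew)
    alg = str(header.get("alg", "")).lower()
    if alg not in {a.lower() for a in cfg.allowed_algorithms}:
        return False, f"alg {alg!r} not in allowed-algorithms"
    if cfg.issuer and claims.get("iss") != cfg.issuer:
        return False, "iss does not match configured issuer"
    exp, nbf, iat = claims.get("exp"), claims.get("nbf"), claims.get("iat")
    if exp is None and cfg.require_exp:
        return False, "exp missing (require-exp)"
    if exp is not None and now > exp + skew:
        return False, "expired beyond allowed-clock-skew"
    if (nbf is not None and now < nbf - skew) or (iat is not None and now < iat - skew):
        return False, "nbf/iat lies in the future beyond allowed-clock-skew"
    aud = claims.get("aud")
    if aud is None and cfg.require_aud:
        return False, "aud missing (require-aud)"
    auds = set(aud) if isinstance(aud, list) else {aud} - {None}
    if cfg.allowed_audiences and not auds & set(cfg.allowed_audiences):
        return False, "aud contains none of allowed-audiences"
    sub = str(claims.get("sub", ""))
    if not sub.startswith("spiffe://"):
        return False, "sub is not a SPIFFE ID"
    if not any(fnmatch.fnmatchcase(sub, pat) for pat in cfg.spiffe_id_patterns):
        return False, "sub matches no spiffe-id-pattern"
    return True, "accepted"

# Constructed config mirroring the example body above, plus constructed (unsigned) tokens.
CFG = SpiffeAuthConfig(issuer="https://oidc.example.test:8443", allowed_algorithms=("es256",),
                       allowed_clock_skew="1m", allowed_audiences=("avassa-dev",),
                       spiffe_id_patterns=("spiffe://example.org/ns/dev/*",))
NOW = 1_700_000_000
GOOD = {"iss": "https://oidc.example.test:8443", "aud": ["avassa-dev"], "exp": NOW + 300,
        "iat": NOW - 10, "sub": "spiffe://example.org/ns/dev/sa/frontend"}

def demo() -> dict:
    """Evaluate the constructed cases at the fixed time NOW; maps case name -> accepted."""
    es = {"alg": "ES256"}
    cases = {
        "valid": (es, GOOD),
        "alg_none": ({"alg": "none"}, GOOD),                       # never in the allowed set
        "wrong_audience": (es, {**GOOD, "aud": "popcorn"}),
        "prod_namespace": (es, {**GOOD, "sub": "spiffe://example.org/ns/prod/sa/api"}),
        "expired_within_skew": (es, {**GOOD, "exp": NOW - 30}),    # 30 s late, 1 m skew: accepted
        "expired_beyond_skew": (es, {**GOOD, "exp": NOW - 120}),
    }
    return {k: evaluate(CFG, h, c, now=NOW)[0] for k, (h, c) in cases.items()}
```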
SPIFFE authentication configurations. Each entry defines a trusted SPIFFE identity that is allowed to authenticate.
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only the requested fields from the resource. See section fields. |
| where | string | Retrieve only items matching the given expression. See section where. |
| validate | string `<enumeration>` | Validate the request but do not actually perform the requested operation. |
| keys | string `<enumeration>` | Retrieve only the keys for the list. |
| count | string `<enumeration>` | Retrieve only the number of elements in the list. |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
- name: example
  jwks-uri: https://oidc.example.test:8443/keys
  jwks-ca-cert: |
    -----BEGIN CERTIFICATE-----
    MIIB...REPLACE_ME...==
    -----END CERTIFICATE-----
  jwks-use-root-ca-certs: false
  jwks-server-name-indication: oidc.example.test
  jwks-tls-verify: true
  jwks-refresh-interval: 1m
  jwks-request-timeout: 3s
  jwks-cache-max-age: 30m
  allowed-algorithms:
    - es256
  allowed-clock-skew: 1m
  require-exp: true
  require-aud: true
  issuer: https://oidc.example.test:8443
  allowed-audiences:
    - avassa-dev
  spiffe-id-patterns:
    - name: spiffe://example.org/ns/dev/*
      token-ttl: 1d
      token-max-ttl: 30d
      token-policies:
        - user
      token-auto-bound-cidrs: host
      token-bound-cidrs:
        - 192.168.1.0/24
      token-explicit-max-ttl: 0s
      token-no-default-policy: false
      token-num-uses: 1
      token-period: 0s
      token-type: default
      token-renewable: true
      token-spiffe-jwt:
        jwt-audiences:
          - popcorn
      token-spiffe-x509:
        cert-type: client
        server-ext-usage: false
        client-ext-usage: true
        code-signing-ext-usage: false
        full-authority-key-identifier: false
  verbose-logging: false
  distribute:
    to: all
```
Global settings for SPIFFE authentication, such as the trust domain and JWT signing key used for issuing JWT-SVIDs.
| Field | Type | Description |
|---|---|---|
| issuing-ca | string `<leafref>` | Name of the TLS CA used to issue X.509 SPIFFE certificates. If not set, X.509 SVIDs will not be issued even if token-spiffe-x509 is configured on a role. The signing CA should be configured to rotate every 12-24 months; use 6-12 months for a stronger security posture. |
| jwt-signing-key | string `<leafref>` | Name of the transit key used to sign SPIFFE JWTs. The key should be of type ecdsa-p256, ecdsa-p384, or rsa-2048 or stronger; ecdsa-p256 is recommended. If not set, JWT-SVIDs will not be issued even if token-spiffe-jwt is configured on a role. The signing key should be configured to rotate every 6-12 months; use 3-6 months for a stronger security posture. |
| jwt-issuer | string | The 'iss' claim value placed in all JWT-SVIDs issued by this instance. Typically the HTTPS URL of this Strongbox deployment, e.g. 'https://strongbox.example.com'. The host part is also used as the SPIFFE trust domain when constructing SPIFFE IDs for issued SVIDs. When omitted, the issuer is auto-derived as https://api. |
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
issuing-ca: spiffe
jwt-signing-key: spiffe
jwt-issuer: https://production.telco.avassa.net
```
Global settings for SPIFFE authentication, such as the trust domain and JWT signing key used for issuing JWT-SVIDs.
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
Global settings for SPIFFE authentication, such as the trust domain and JWT signing key used for issuing JWT-SVIDs.
| Field | Type | Description |
|---|---|---|
| issuing-ca | string `<leafref>` | Name of the TLS CA used to issue X.509 SPIFFE certificates. If not set, X.509 SVIDs will not be issued even if token-spiffe-x509 is configured on a role. The signing CA should be configured to rotate every 12-24 months; use 6-12 months for a stronger security posture. |
| jwt-signing-key | string `<leafref>` | Name of the transit key used to sign SPIFFE JWTs. The key should be of type ecdsa-p256, ecdsa-p384, or rsa-2048 or stronger; ecdsa-p256 is recommended. If not set, JWT-SVIDs will not be issued even if token-spiffe-jwt is configured on a role. The signing key should be configured to rotate every 6-12 months; use 3-6 months for a stronger security posture. |
| jwt-issuer | string | The 'iss' claim value placed in all JWT-SVIDs issued by this instance. Typically the HTTPS URL of this Strongbox deployment, e.g. 'https://strongbox.example.com'. The host part is also used as the SPIFFE trust domain when constructing SPIFFE IDs for issued SVIDs. When omitted, the issuer is auto-derived as https://api. |
Created
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
issuing-ca: spiffe
jwt-signing-key: spiffe
jwt-issuer: https://production.telco.avassa.net
```
Global settings for SPIFFE authentication, such as the trust domain and JWT signing key used for issuing JWT-SVIDs.
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only the requested fields from the resource. See section fields. |
| validate | string `<enumeration>` | Validate the request but do not actually perform the requested operation. |
OK
Not Modified
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
issuing-ca: spiffe
jwt-signing-key: spiffe
jwt-issuer: https://production.telco.avassa.net
```
SPIFFE authentication configurations. Each entry defines a trusted SPIFFE identity that is allowed to authenticate.
| Field | Type | Description |
|---|---|---|
| jwks-uri | string | JWKS (JWK Set) endpoint URL used to fetch the issuer's public keys. Common in OIDC and also used for JWT bundles. |
| jwks-ca-cert | string `<ca-cert>` | One or more root CA certificates in PEM format, used when validating the TLS connection to jwks-uri. Multiple certificates may be concatenated in one string. By default the system root CA bundle is used (see jwks-use-root-ca-certs); configure this leaf when jwks-uri is served under a private CA. TLS verification can be disabled entirely with jwks-tls-verify false. |
| jwks-use-root-ca-certs | boolean, default `true` | Use the system root CA certificate bundle when validating the TLS certificate of jwks-uri. |
| jwks-server-name-indication | string | Override the TLS SNI hostname used when connecting to jwks-uri. By default the hostname from jwks-uri is used. |
| jwks-tls-verify | boolean, default `true` | Verify the TLS certificate of jwks-uri. Set to false only in test environments, never in production. |
| jwks-refresh-interval | string `<duration>`, default `"5m"` | How often to refresh the JWKS from jwks-uri. A duration in years, days, hours, minutes and seconds. |
| jwks-request-timeout | string `<duration>`, default `"5s"` | Timeout for JWKS retrieval. A duration in years, days, hours, minutes and seconds. |
| jwks-cache-max-age | string `<duration>`, default `"1h"` | Maximum time to keep using cached keys if the JWKS fetch fails. A duration in years, days, hours, minutes and seconds. |
| name | string `<name>` | Trust domain name, matching `^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$`. This is compared to the JWT 'iss' claim and also used to validate that 'sub' begins with 'spiffe:// |
| allowed-algorithms | Array of strings `<enumeration>` | JOSE algorithms accepted for signatures, e.g. 'es256', 'es384', 'rs256'. The default set is 'es256', 'es384', 'rs256'. |
| allowed-clock-skew | string `<duration>`, default `"60s"` | Allowed clock skew when validating exp/nbf/iat. A duration in years, days, hours, minutes and seconds. |
| require-exp | boolean, default `true` | Require the 'exp' claim. |
| require-aud | boolean, default `true` | Require the 'aud' claim. |
| issuer | string | Expected 'iss' claim value, e.g. 'https://spiffe.example.com'. If not set, the 'iss' claim is not validated and any issuer is accepted. |
| allowed-audiences | Array of strings | If set, the JWT 'aud' claim must contain at least one of these values. |
| spiffe-id-patterns (required) | Array of objects | Authorization-oriented constraints on the SPIFFE IDs allowed to log in, applied after authentication. Each entry matches a glob pattern against the 'sub' claim, e.g. 'spiffe://example.org/ns/prod/sa/*'. |
| verbose-logging | boolean, default `false` | Enable verbose logging for SPIFFE authentication attempts. Do not enable in production. Log entries appear in the volga topic system:logs on the site where the logging occurred. |
| distribute | object | One of to (object), sites (object) or deployments (object). |
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
name: example
jwks-uri: https://oidc.example.test:8443/keys
jwks-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIB...REPLACE_ME...==
  -----END CERTIFICATE-----
jwks-use-root-ca-certs: false
jwks-server-name-indication: oidc.example.test
jwks-tls-verify: true
jwks-refresh-interval: 1m
jwks-request-timeout: 3s
jwks-cache-max-age: 30m
allowed-algorithms:
  - es256
allowed-clock-skew: 1m
require-exp: true
require-aud: true
issuer: https://oidc.example.test:8443
allowed-audiences:
  - avassa-dev
spiffe-id-patterns:
  - name: spiffe://example.org/ns/dev/*
    token-ttl: 1d
    token-max-ttl: 30d
    token-policies:
      - user
    token-auto-bound-cidrs: host
    token-bound-cidrs:
      - 192.168.1.0/24
    token-explicit-max-ttl: 0s
    token-no-default-policy: false
    token-num-uses: 1
    token-period: 0s
    token-type: default
    token-renewable: true
    token-spiffe-jwt:
      jwt-audiences:
        - popcorn
    token-spiffe-x509:
      cert-type: client
      server-ext-usage: false
      client-ext-usage: true
      code-signing-ext-usage: false
      full-authority-key-identifier: false
verbose-logging: false
distribute:
  to: all
```
SPIFFE authentication configurations. Each entry defines a trusted SPIFFE identity that is allowed to authenticate.
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
SPIFFE authentication configurations. Each entry defines a trusted SPIFFE identity that is allowed to authenticate.
| Field | Type | Description |
|---|---|---|
| jwks-uri | string | JWKS (JWK Set) endpoint URL used to fetch the issuer's public keys. Common in OIDC and also used for JWT bundles. |
| jwks-ca-cert | string `<ca-cert>` | One or more root CA certificates in PEM format, used when validating the TLS connection to jwks-uri. Multiple certificates may be concatenated in one string. By default the system root CA bundle is used (see jwks-use-root-ca-certs); configure this leaf when jwks-uri is served under a private CA. TLS verification can be disabled entirely with jwks-tls-verify false. |
| jwks-use-root-ca-certs | boolean, default `true` | Use the system root CA certificate bundle when validating the TLS certificate of jwks-uri. |
| jwks-server-name-indication | string | Override the TLS SNI hostname used when connecting to jwks-uri. By default the hostname from jwks-uri is used. |
| jwks-tls-verify | boolean, default `true` | Verify the TLS certificate of jwks-uri. Set to false only in test environments, never in production. |
| jwks-refresh-interval | string `<duration>`, default `"5m"` | How often to refresh the JWKS from jwks-uri. A duration in years, days, hours, minutes and seconds. |
| jwks-request-timeout | string `<duration>`, default `"5s"` | Timeout for JWKS retrieval. A duration in years, days, hours, minutes and seconds. |
| jwks-cache-max-age | string `<duration>`, default `"1h"` | Maximum time to keep using cached keys if the JWKS fetch fails. A duration in years, days, hours, minutes and seconds. |
| name | string `<name>` | Trust domain name, matching `^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$`. This is compared to the JWT 'iss' claim and also used to validate that 'sub' begins with 'spiffe:// |
| allowed-algorithms | Array of strings `<enumeration>` | JOSE algorithms accepted for signatures, e.g. 'es256', 'es384', 'rs256'. The default set is 'es256', 'es384', 'rs256'. |
| allowed-clock-skew | string `<duration>`, default `"60s"` | Allowed clock skew when validating exp/nbf/iat. A duration in years, days, hours, minutes and seconds. |
| require-exp | boolean, default `true` | Require the 'exp' claim. |
| require-aud | boolean, default `true` | Require the 'aud' claim. |
| issuer | string | Expected 'iss' claim value, e.g. 'https://spiffe.example.com'. If not set, the 'iss' claim is not validated and any issuer is accepted. |
| allowed-audiences | Array of strings | If set, the JWT 'aud' claim must contain at least one of these values. |
| spiffe-id-patterns (required) | Array of objects | Authorization-oriented constraints on the SPIFFE IDs allowed to log in, applied after authentication. Each entry matches a glob pattern against the 'sub' claim, e.g. 'spiffe://example.org/ns/prod/sa/*'. |
| verbose-logging | boolean, default `false` | Enable verbose logging for SPIFFE authentication attempts. Do not enable in production. Log entries appear in the volga topic system:logs on the site where the logging occurred. |
| distribute | object | One of to (object), sites (object) or deployments (object). |
Created
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
name: example
jwks-uri: https://oidc.example.test:8443/keys
jwks-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIB...REPLACE_ME...==
  -----END CERTIFICATE-----
jwks-use-root-ca-certs: false
jwks-server-name-indication: oidc.example.test
jwks-tls-verify: true
jwks-refresh-interval: 1m
jwks-request-timeout: 3s
jwks-cache-max-age: 30m
allowed-algorithms:
  - es256
allowed-clock-skew: 1m
require-exp: true
require-aud: true
issuer: https://oidc.example.test:8443
allowed-audiences:
  - avassa-dev
spiffe-id-patterns:
  - name: spiffe://example.org/ns/dev/*
    token-ttl: 1d
    token-max-ttl: 30d
    token-policies:
      - user
    token-auto-bound-cidrs: host
    token-bound-cidrs:
      - 192.168.1.0/24
    token-explicit-max-ttl: 0s
    token-no-default-policy: false
    token-num-uses: 1
    token-period: 0s
    token-type: default
    token-renewable: true
    token-spiffe-jwt:
      jwt-audiences:
        - popcorn
    token-spiffe-x509:
      cert-type: client
      server-ext-usage: false
      client-ext-usage: true
      code-signing-ext-usage: false
      full-authority-key-identifier: false
verbose-logging: false
distribute:
  to: all
```
SPIFFE authentication configurations. Each entry defines a trusted SPIFFE identity that is allowed to authenticate.
OK
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
name: example
jwks-uri: https://oidc.example.test:8443/keys
jwks-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIB...REPLACE_ME...==
  -----END CERTIFICATE-----
jwks-use-root-ca-certs: false
jwks-server-name-indication: oidc.example.test
jwks-tls-verify: true
jwks-refresh-interval: 1m
jwks-request-timeout: 3s
jwks-cache-max-age: 30m
allowed-algorithms:
  - es256
allowed-clock-skew: 1m
require-exp: true
require-aud: true
issuer: https://oidc.example.test:8443
allowed-audiences:
  - avassa-dev
spiffe-id-patterns:
  - name: spiffe://example.org/ns/dev/*
    token-ttl: 1d
    token-max-ttl: 30d
    token-policies:
      - user
    token-auto-bound-cidrs: host
    token-bound-cidrs:
      - 192.168.1.0/24
    token-explicit-max-ttl: 0s
    token-no-default-policy: false
    token-num-uses: 1
    token-period: 0s
    token-type: default
    token-renewable: true
    token-spiffe-jwt:
      jwt-audiences:
        - popcorn
    token-spiffe-x509:
      cert-type: client
      server-ext-usage: false
      client-ext-usage: true
      code-signing-ext-usage: false
      full-authority-key-identifier: false
verbose-logging: false
distribute:
  to: all
```
Fetch the CA certificate bundle for verifying x509-SVIDs issued by this tenant. Consumers of x509-SVIDs use this to verify the certificate chain without authenticating to Strongbox.
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
```yaml
tenant: system
cert: |
  -----BEGIN CERTIFICATE-----
  MIICGjCCAcCgAwIBAgITAOhCghMs02nt/Et/U6tlNKRbzDAKBggqhkjOPQQDAjBj
  MRgwFgYDVQQDEw9BdmFzc2EgQVBJIHJvb3QxEjAQBgNVBAcTCVN0b2NraG9sbTEL
  MAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0
  aW9uMCIYDzIwMjExMjMwMTQxMzQ4WhgPMjAyNTA1MTAxNzQ5NDhaMGMxGDAWBgNV
  BAMTD0F2YXNzYSBBUEkgcm9vdDESMBAGA1UEBxMJU3RvY2tob2xtMQswCQYDVQQG
  EwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmlidXRpb24wWTAT
  BgcqhkjOPQIBBggqhkjOPQMBBwNCAAT7XREAgO0C2o/akCa9yFGViGoJi7oL+YLT
  Zr0QN5mu+6ymkYOjZAC0laQXv1zGe9W3X6eM8FwdmwP7wAGrzFuQo08wTTAOBgNV
  HQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBATAnBgNVHR8EIDAeMBygGqAY
  hhZodHRwOi8vY3JsLmF2YXNzYS5uZXQvMAoGCCqGSM49BAMCA0gAMEUCIBjoTpxR
  oc+ycvTOg3SriC38o6sKQeY+G4KeqU72wR8DAiEAuBDRyrZK1tiTyL5+dzcf2rOc
  XWQ9mlueeqeDsCzNsYk=
  -----END CERTIFICATE-----
```
Fetch the public JWKS for verifying JWT-SVIDs issued by this tenant. Consumers of JWT-SVIDs use this to verify signatures without authenticating to Strongbox.
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
```yaml
tenant: system
jwks: "{\"keys\":[{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU\",\"y\":\"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0\",\"kid\":\"1\",\"use\":\"sig\",\"alg\":\"ES256\"}]}"
```
SPIFFE authentication configurations. Each entry defines a trusted SPIFFE identity that is allowed to authenticate.
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only the requested fields from the resource. See section fields. |
| where | string | Retrieve only items matching the given expression. See section where. |
| site | string | Send the request to the specified site. |
| content | string `<enumeration>` | Filter descendant nodes in the response. |
| keys | string `<enumeration>` | Retrieve only the keys for the list. |
| count | string `<enumeration>` | Retrieve only the number of elements in the list. |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
```yaml
- name: example
  jwks-uri: https://oidc.example.test:8443/keys
  jwks-ca-cert: |
    -----BEGIN CERTIFICATE-----
    MIIB...REPLACE_ME...==
    -----END CERTIFICATE-----
  jwks-use-root-ca-certs: false
  jwks-server-name-indication: oidc.example.test
  jwks-tls-verify: true
  jwks-refresh-interval: 1m
  jwks-request-timeout: 3s
  jwks-cache-max-age: 30m
  allowed-algorithms:
    - es256
  allowed-clock-skew: 1m
  require-exp: true
  require-aud: true
  issuer: https://oidc.example.test:8443
  allowed-audiences:
    - avassa-dev
  spiffe-id-patterns:
    - name: spiffe://example.org/ns/dev/*
      token-ttl: 1d
      token-max-ttl: 30d
      token-policies:
        - user
      token-auto-bound-cidrs: host
      token-bound-cidrs:
        - 192.168.1.0/24
      token-explicit-max-ttl: 0s
      token-no-default-policy: false
      token-num-uses: 1
      token-period: 0s
      token-type: default
      token-renewable: true
      token-spiffe-jwt:
        jwt-audiences:
          - popcorn
      token-spiffe-x509:
        cert-type: client
        server-ext-usage: false
        client-ext-usage: true
        code-signing-ext-usage: false
        full-authority-key-identifier: false
  verbose-logging: false
  distribute:
    to: all
  distribution-status:
    to: all
```
Global settings for SPIFFE authentication, such as the trust domain and JWT signing key used for issuing JWT-SVIDs.
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only the requested fields from the resource. See section fields. |
| site | string | Send the request to the specified site. |
| content | string `<enumeration>` | Filter descendant nodes in the response. |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
```yaml
issuing-ca: spiffe
jwt-signing-key: spiffe
jwt-issuer: https://production.telco.avassa.net
discovery-url: https://production.telco.avassa.net
tenant-uuid: 550e8400-e29b-41d4-a716-446655440000
```
SPIFFE authentication configurations. Each entry defines a trusted SPIFFE identity that is allowed to authenticate.
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only the requested fields from the resource. See section fields. |
| where | string | Retrieve only items matching the given expression. See section where. |
| site | string | Send the request to the specified site. |
| content | string `<enumeration>` | Filter descendant nodes in the response. |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
```yaml
name: example
jwks-uri: https://oidc.example.test:8443/keys
jwks-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIB...REPLACE_ME...==
  -----END CERTIFICATE-----
jwks-use-root-ca-certs: false
jwks-server-name-indication: oidc.example.test
jwks-tls-verify: true
jwks-refresh-interval: 1m
jwks-request-timeout: 3s
jwks-cache-max-age: 30m
allowed-algorithms:
  - es256
allowed-clock-skew: 1m
require-exp: true
require-aud: true
issuer: https://oidc.example.test:8443
allowed-audiences:
  - avassa-dev
spiffe-id-patterns:
  - name: spiffe://example.org/ns/dev/*
    token-ttl: 1d
    token-max-ttl: 30d
    token-policies:
      - user
    token-auto-bound-cidrs: host
    token-bound-cidrs:
      - 192.168.1.0/24
    token-explicit-max-ttl: 0s
    token-no-default-policy: false
    token-num-uses: 1
    token-period: 0s
    token-type: default
    token-renewable: true
    token-spiffe-jwt:
      jwt-audiences:
        - popcorn
    token-spiffe-x509:
      cert-type: client
      server-ext-usage: false
      client-ext-usage: true
      code-signing-ext-usage: false
      full-authority-key-identifier: false
verbose-logging: false
distribute:
  to: all
distribution-status:
  to: all
```