I’ve been playing with the JWT auth method, and so far it seems that if the signature is verified and it’s a valid token, Consul will always return a valid token to me.
However, I’m setting up ClaimMappings to match certain attributes on the token, but this seems to be ignored.
For instance, I have a ClaimMapping of "sub": "VALUEOFSUB", and if I provide a JWT with a sub that doesn’t match, I still get a Consul token.
Claim Mappings are used to convert claims from the JWT into metadata names that you can then use when authoring binding rules. The Trusted Identity Attributes via Claim Mappings section of the JWT auth method docs describes this in more detail.
You will need to create a binding rule if you want to issue a Consul token only when the sub field contains specific values.
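To make the two-step model in the answer above concrete, here is an offline simulation of the login flow: verify the signature, copy the mapped claims into value.<name> metadata, and then issue a token only if some binding rule's selector matches. This is an added example written for this thread; it is not Consul's code. It uses HS256 with a constructed shared secret purely so it runs with the standard library (Consul verifies against configured public keys or JWKS), supports only a small subset of the selector grammar (value.x == "y" / != joined by "and"), and the second mapped claim ("team"), the role names and the return shape of login() are all hypothetical. The config dicts deliberately mirror the Consul API field names (ClaimMappings, Selector, BindType, BindName).

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed demo secret; stands in for Consul's configured verification keys.
SECRET = b"constructed-demo-secret"

# Auth method config, shaped like the Consul API object. ClaimMappings maps a
# JWT claim to a name that binding-rule selectors see as value.<name>.
# The "team" claim/mapping is a hypothetical addition beyond the thread's "sub".
AUTH_METHOD = {
    "Name": "demo-jwt",
    "Type": "jwt",
    "Config": {"ClaimMappings": {"sub": "sub", "team": "team"}},
}

# Binding rules: a login succeeds only if at least one selector matches.
# Role names are hypothetical.
BINDING_RULES = [
    {"AuthMethod": "demo-jwt", "Selector": 'value.sub == "VALUEOFSUB"',
     "BindType": "role", "BindName": "app-role"},
    {"AuthMethod": "demo-jwt", "Selector": 'value.team == "sre"',
     "BindType": "role", "BindName": "sre-role"},
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT (demo only; Consul's auth method expects asymmetric keys)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Return the claims if the signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def map_claims(claims: dict, claim_mappings: dict) -> dict:
    """ClaimMappings step: expose selected claims as value.<name> metadata."""
    return {f"value.{name}": str(claims[claim])
            for claim, name in claim_mappings.items() if claim in claims}


_TERM = re.compile(r'\s*(value\.[\w-]+)\s*(==|!=)\s*"([^"]*)"\s*')


def selector_matches(selector: str, meta: dict) -> bool:
    """Evaluate value.x == "y" [and value.z != "w" ...]; a deliberate subset of
    Consul's selector language, enough to show how binding rules gate a login."""
    for term in selector.split(" and "):
        m = _TERM.fullmatch(term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        field, op, literal = m.groups()
        hit = meta.get(field) == literal
        if (op == "==") != hit:
            return False
    return True


def login(token: str) -> Optional[dict]:
    """Mimic the login flow: verify, map claims, then require a matching binding rule."""
    claims = verify_jwt(token)
    if claims is None:
        return None  # bad signature: rejected before any claim is looked at
    meta = map_claims(claims, AUTH_METHOD["Config"]["ClaimMappings"])
    roles = [r["BindName"] for r in BINDING_RULES
             if r["AuthMethod"] == AUTH_METHOD["Name"]
             and r["BindType"] == "role"
             and selector_matches(r["Selector"], meta)]
    if not roles:
        return None  # valid signature, but no binding rule matched: no token issued
    return {"Roles": roles}  # simplified stand-in for the issued token


if __name__ == "__main__":
    print("matching sub :", login(sign_jwt({"sub": "VALUEOFSUB", "team": "sre"})))
    print("other sub    :", login(sign_jwt({"sub": "someone-else"})))
    print("wrong key    :", login(sign_jwt({"sub": "VALUEOFSUB"}, key=b"wrong-key")))
```

The behaviour in the thread corresponds to an auth method with no binding rules that reject: once a rule such as value.sub == "VALUEOFSUB" exists, a token whose sub differs is rejected even though its signature is valid. In real Consul the equivalent rule is created with consul acl binding-rule create -method=<method> -bind-type=role -bind-name=<role> -selector='value.sub == "VALUEOFSUB"'.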
@blake, does this mean that if I want a different binding rule/ACL role applied to a token, I can only key that off the sub claim?
Just to ensure I’m following: could I also use claim mappings with a variable value in my binding rule? I’m not entirely sure how that lines up based on the docs.