fix(identity): add known limitation aud required #7874
leiicamundi wants to merge 5 commits into main from
Pull request overview
Updates the Management Identity “Connect to an OIDC provider” documentation to clarify that Camunda’s OIDC integration requires access tokens with an aud claim, and to document known provider limitations (notably AWS Cognito) that can break M2M authentication.
Changes:
- Added a prerequisite note that access tokens must contain an `aud` claim.
- Added an “OIDC provider known limitations” section describing `aud` enforcement and AWS Cognito’s M2M behavior.
- Applied the same documentation updates to both “next” docs and the versioned 8.8 docs.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docs/self-managed/components/management-identity/configuration/connect-to-an-oidc-provider.md | Adds aud-claim prerequisite note and new limitations section (incl. AWS Cognito). |
| versioned_docs/version-8.8/self-managed/components/management-identity/configuration/connect-to-an-oidc-provider.md | Mirrors the same aud/limitations documentation for v8.8. |
Thanks for the review @npepinpe @christinaausley and @StevePascoe. I made the suggested modifications. Regarding the matrix of tested providers, I agree but consider it should be backed by @camunda/qa-engineering
The preview environment relating to the commit af3ade9 has successfully been deployed. You can access it at https://preview.docs.camunda.cloud/pr-7874/

christinaausley left a comment
Approving from a tech writer's perspective, though there may be engineering adjustments.
Description
Related to camunda/camunda#44650 (comment), this PR documents the known limitation of OIDC providers missing the `aud` field.

This pull request updates the documentation for configuring OpenID Connect (OIDC) providers with Camunda 8 Self-Managed, clarifying the requirement for the `aud` (audience) claim in access tokens and documenting known limitations with certain OIDC providers, especially AWS Cognito. The changes aim to help users avoid misconfiguration and authentication issues related to missing audience claims in tokens.

Key documentation updates:

OIDC Audience Claim Requirement:
- `aud` (audience) claim in access tokens, with a reference to a new limitations section for providers that do not meet this requirement. [1] [2]

Known Limitations Section:
- `aud` claim for token validation, as per the OpenID Connect specification. It highlights that some providers, particularly in machine-to-machine (M2M) flows, may not include this claim. [1] [2]
- `aud` claim in M2M access tokens (using `client_id` instead), which causes authentication failures with Camunda. The section also notes that this limitation applies to any OIDC provider that does not supply the `aud` claim and provides troubleshooting guidance and a link to a related GitHub issue. [1] [2]
When should this change go live?
- (`bug` or `support` label)
- (`available & undocumented` label)
- (`hold` label)
- (`low prio` label)

PR Checklist
- `{type}(scope): {description}` commit message(s)
- `/docs` directory (version 8.9).
- `/versioned_docs` directory.
- @camunda/tech-writers unless working with an embedded writer.
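The `aud` enforcement the description refers to, as an added illustration that is not Camunda Identity's own code: a small validator that rejects access tokens lacking an `aud` claim, applying the OIDC rule that `aud` is a string or an array of strings naming this client. The sample tokens are constructed here; the Cognito-style token's claim shape (`client_id` and `token_use`, no `aud`) is an assumption based on the description above, and signature verification is deliberately left to the caller.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    Helper for this example only: it does NOT verify the signature. A real
    resource server checks the signature against the provider's JWKS, plus
    iss and exp, before any claim below is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_audience(claims: dict, expected: str) -> tuple[bool, str]:
    """Enforce the aud requirement the docs describe.

    Per OIDC, aud is a string or an array of strings and must name this
    client. A token with no aud at all (Cognito-style M2M tokens carry
    client_id instead) is rejected; the reason doubles as a troubleshooting hint.
    """
    aud = claims.get("aud")
    if aud is None:
        hint = " (token carries client_id, not aud)" if "client_id" in claims else ""
        return False, "missing aud claim" + hint
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or not all(isinstance(a, str) for a in audiences):
        return False, "aud must be a string or an array of strings"
    if expected not in audiences:
        return False, f"aud {audiences} does not include {expected!r}"
    return True, "ok"


def _sample_token(claims: dict) -> str:
    """Build a constructed sample token; the signature part is a placeholder."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"


# Constructed samples: a compliant token and a Cognito-style M2M token (assumed claim shape).
COMPLIANT_TOKEN = _sample_token({"iss": "https://idp.example", "sub": "svc", "aud": "camunda-identity"})
COGNITO_M2M_TOKEN = _sample_token({"iss": "https://idp.example", "sub": "svc", "client_id": "camunda-identity", "token_use": "access"})

if __name__ == "__main__":
    for name, tok in (("compliant", COMPLIANT_TOKEN), ("cognito-m2m", COGNITO_M2M_TOKEN)):
        print(name, check_audience(decode_claims(tok), "camunda-identity"))
```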