Add scope pinning and other improvements to privilege worker docs#1539
Add scope pinning and other improvements to privilege worker docs#1539seand52 wants to merge 4 commits into
Conversation
Summary
|
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
hazel-nut
left a comment
There was a problem hiding this comment.
a few copyediting notes
| <Callout icon="file-lines" color="#0EA5E9" iconType="regular"> | ||
| Privileged Worker Token Exchange with Token Vault is currently in Beta. To learn more about Auth0’s product release cycle, read [Product Release Stages](/docs/troubleshoot/product-lifecycle/product-release-stages). To participate in this program, contact [Auth0 Support](https://support.auth0.com/) or your Technical Account Manager. | ||
| Privileged Worker Token Exchange with Token Vault is currently in Early Access. To learn more about Auth0’s product release cycle, read [Product Release Stages](/docs/troubleshoot/product-lifecycle/product-release-stages). To participate in this program, contact [Auth0 Support](https://support.auth0.com/) or your Technical Account Manager. | ||
| </Callout> |
| ## Configure client application | ||
|
|
||
| To configure the client application's privileged access to Token Vault, you need to provide a public key that will be used to verify a signed JWT as the subject token. | ||
| To configure the client application's privileged access to Token Vault, you need to provide a public key that will be used to verify a signed JWT as the subject token. You also need to restrict which IP addresses the client may make requests from, and pin the client to the connections and scopes it's allowed to request — without these, the Privileged Worker Token Exchange will not work. |
There was a problem hiding this comment.
| To configure the client application's privileged access to Token Vault, you need to provide a public key that will be used to verify a signed JWT as the subject token. You also need to restrict which IP addresses the client may make requests from, and pin the client to the connections and scopes it's allowed to request — without these, the Privileged Worker Token Exchange will not work. | |
| To configure the client application's privileged access to Token Vault, you must: | |
| * Provide a public key, which is used to verify a signed JWT as the subject token. | |
| * Restrict which IP addresses the client may make requests from. | |
| * Pin the client to the connections and scopes it's allowed to request. |
| 2. Select the **Settings** tab, scroll to the **Privileged Worker** section, and toggle on **Enable Privileged Worker**. In the modal, select an existing public key credential or upload a new one, then select **Save**. | ||
| 3. Once the credential is saved, enter at least one IP address or CIDR range in the **IP Allowlist** field. | ||
| 4. Select **Save Changes**. | ||
| 4. Under **Permissions**, select **Add Permission**. In the modal, select a **Connection** and enter the **Scopes** this connection is allowed to request, then select **Save**. Repeat for each connection you want to allow. You can configure up to 5 permissions and 20 scopes in total. |
There was a problem hiding this comment.
| 4. Under **Permissions**, select **Add Permission**. In the modal, select a **Connection** and enter the **Scopes** this connection is allowed to request, then select **Save**. Repeat for each connection you want to allow. You can configure up to 5 permissions and 20 scopes in total. | |
| 4. Under **Permissions**, select **Add Permission**. In the window, select a **Connection** and enter the **Scopes** this connection is allowed to request, then select **Save**. Repeat for each connection you want to allow. You can configure up to 5 permissions and 20 scopes in total. |
| 4. Select **Save Changes**. | ||
| 4. Under **Permissions**, select **Add Permission**. In the modal, select a **Connection** and enter the **Scopes** this connection is allowed to request, then select **Save**. Repeat for each connection you want to allow. You can configure up to 5 permissions and 20 scopes in total. | ||
| 5. Select **Save Changes**. | ||
| 6. For each connection referenced in **Permissions**, make sure it's also enabled for this application. Navigate to **Authentication > [Connection type]**, select the connection, go to the **Applications** tab, and toggle the connection on for your application. |
There was a problem hiding this comment.
| 6. For each connection referenced in **Permissions**, make sure it's also enabled for this application. Navigate to **Authentication > [Connection type]**, select the connection, go to the **Applications** tab, and toggle the connection on for your application. | |
| 6. Enable each connection referenced in **Permissions** for this application. Navigate to **Authentication > [Connection type]**, select the connection, go to the **Applications** tab, and toggle the connection on for your application. |
| ### Configure IP allowlist | ||
|
|
||
| To restrict which IP addresses may make Privileged Worker exchange requests, configure an `ip_allowlist` on your client. This binds the client credential to known server egress IPs, so a leaked credential cannot be used from an arbitrary IP address. Both IPv4 and IPv6 addresses and CIDR ranges are supported, with a maximum of 10 entries. | ||
| For each connection referenced in `grants`, the connection must also be enabled for this client. Enable it with: |
There was a problem hiding this comment.
| For each connection referenced in `grants`, the connection must also be enabled for this client. Enable it with: | |
| For each connection referenced in `grants`, you must also enable the connection for this client: |
| @@ -1,19 +1,19 @@ | |||
| --- | |||
| description: Learn how an application can access the Token Vault to exchange a JWT bearer token for an access or refresh token to call external APIs. | |||
| description: Learn how an application can access the Token Vault to exchange a JWT bearer token for an access token to call external APIs. | |||
There was a problem hiding this comment.
| description: Learn how an application can access the Token Vault to exchange a JWT bearer token for an access token to call external APIs. | |
| description: Grant an application access to Token Vault so it can exchange a JWT bearer token for an access token to call external APIs. |
Description
Update privilege worker documentation with the following:
References
Testing
Checklist
CONTRIBUTING.md.