Diffstat (limited to 'docs')
-rw-r--r--docs/content/configuration/identity-providers/openid-connect/provider.md30
-rw-r--r--docs/static/schemas/v4.39/json-schema/configuration.json17
2 files changed, 43 insertions, 4 deletions
diff --git a/docs/content/configuration/identity-providers/openid-connect/provider.md b/docs/content/configuration/identity-providers/openid-connect/provider.md
index ddb9d2dee..7d6d4068b 100644
--- a/docs/content/configuration/identity-providers/openid-connect/provider.md
+++ b/docs/content/configuration/identity-providers/openid-connect/provider.md
@@ -76,6 +76,9 @@ identity_providers:
rules:
- policy: 'deny'
subject: 'group:services'
+ networks:
+ - '192.168.1.0/24'
+ - '192.168.2.51'
lifespans:
access_token: '1h'
authorize_code: '1m'
@@ -401,6 +404,9 @@ identity_providers:
rules:
- policy: 'deny'
subject: 'group:services'
+ networks:
+ - '192.168.1.0/24'
+ - '192.168.2.51'
clients:
- client_id: 'client_with_policy_name'
authorization_policy: 'policy_name'
@@ -427,10 +433,28 @@ The policy which is applied if this rule matches. Valid values are `one_factor`,
##### subject
-{{< confkey type="list(list(string))" required="yes" >}}
+{{< confkey type="list(list(string))" required="situational" >}}
-The subjects criteria as per the [Access Control Configuration](../../security/access-control.md#subject). This must be
-included for the rule to be considered valid.
+_**Situational Note:** Either this option or the [networks](#networks) must be configured or this rule is considered
+invalid._
+
+The subjects criteria as per the [Access Control Configuration](../../security/access-control.md#subject).
+
+##### networks
+
+{{< confkey type="list(string)" syntax="network" required="situational" >}}
+{{< callout context="danger" title="Security Note" icon="outline/rocket" >}}
+The rules can only apply to the Authorization Code Flow when the resource owner is optionally providing
+consent to the Authorization Request. While this is not a major issue for the [subject](#subject) criteria, the users
+IP address may change and there is no technical way to enforce this check after consent has been granted and the tokens
+have been issued. See [ADR1](../../../reference/architecture-decision-log/1.md) for more information.
+{{< /callout >}}
+
+_**Situational Note:** Either this option or the [subject](#subject) must be configured or this rule is considered
+invalid._
+
+The list of networks this rule applies to. Items in this list can also be named
+[Network Definitions](../../definitions/network.md).
### lifespans
diff --git a/docs/static/schemas/v4.39/json-schema/configuration.json b/docs/static/schemas/v4.39/json-schema/configuration.json
index 8d2fd50cd..222c83387 100644
--- a/docs/static/schemas/v4.39/json-schema/configuration.json
+++ b/docs/static/schemas/v4.39/json-schema/configuration.json
@@ -2038,7 +2038,22 @@
"subject": {
"$ref": "#/$defs/AccessControlRuleSubjects",
"title": "Subject",
- "description": "Allows tuning the token lifespans for the authorize code grant."
+ "description": "Subject criteria of the Authorization for this rule to be a match."
+ },
+ "networks": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ ],
+ "title": "Networks",
+ "description": "Networks criteria of the Authorization for this rule to be a match."
}
},
"additionalProperties": false,
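Review bot: The added `"description"` for `networks` omits the enforcement caveat that the provider.md hunk in this same commit documents: the network criteria is only evaluated while the resource owner is providing consent in the Authorization Code Flow, and the client address is not re-checked after tokens are issued. Editors that surface schema descriptions as hover help show only this text, so the caveat should be repeated here, e.g. `"description": "Networks criteria of the Authorization for this rule to be a match. Only evaluated when the resource owner provides consent; the client address is not re-checked after tokens are issued."`. If this schema file is generated from struct tags rather than hand-edited, the wording belongs in the generator's source instead. The `oneOf` accepts any string, which is consistent with items being either a network in CIDR form or a named Network Definition, so no schema-level `format` constraint is applicable and syntax validation presumably stays with the configuration loader.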