zuplo 6.72.3 → 6.72.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. package/docs/analytics/access-and-entitlements.md +27 -34
  2. package/docs/analytics/overview.md +7 -6
  3. package/docs/analytics/reference/url-parameters.md +2 -10
  4. package/docs/analytics/shared-controls.md +3 -10
  5. package/docs/analytics/tabs/agents.md +3 -3
  6. package/docs/analytics/tabs/requests.md +2 -4
  7. package/docs/articles/connect-to-aws-alb-with-mtls.mdx +89 -13
  8. package/docs/articles/graphql-security.mdx +2 -1
  9. package/docs/articles/graphql.mdx +8 -0
  10. package/docs/articles/opentelemetry.mdx +7 -5
  11. package/docs/articles/securing-backend-mtls.mdx +92 -3
  12. package/docs/articles/troubleshooting-slow-responses.mdx +4 -3
  13. package/docs/articles/troubleshooting.md +3 -1
  14. package/docs/policies/_index.md +2 -0
  15. package/docs/policies/clerk-jwt-auth-inbound/schema.json +3 -3
  16. package/docs/policies/mcp-auth0-oauth-inbound/schema.json +8 -5
  17. package/docs/policies/mcp-clerk-oauth-inbound/schema.json +78 -0
  18. package/docs/policies/mcp-cognito-oauth-inbound/schema.json +78 -0
  19. package/docs/policies/mcp-entra-oauth-inbound/schema.json +78 -0
  20. package/docs/policies/mcp-google-oauth-inbound/schema.json +78 -0
  21. package/docs/policies/mcp-keycloak-oauth-inbound/schema.json +78 -0
  22. package/docs/policies/mcp-logto-oauth-inbound/schema.json +78 -0
  23. package/docs/policies/mcp-oauth-inbound/schema.json +8 -5
  24. package/docs/policies/mcp-okta-oauth-inbound/schema.json +78 -0
  25. package/docs/policies/mcp-onelogin-oauth-inbound/schema.json +78 -0
  26. package/docs/policies/mcp-ping-oauth-inbound/schema.json +78 -0
  27. package/docs/policies/mcp-token-exchange-inbound/doc.md +72 -4
  28. package/docs/policies/mcp-token-exchange-inbound/intro.md +5 -4
  29. package/docs/policies/mcp-token-exchange-inbound/schema.json +277 -2
  30. package/docs/policies/mcp-workos-oauth-inbound/schema.json +78 -0
  31. package/docs/policies/open-id-jwt-auth-inbound/schema.json +3 -3
  32. package/docs/policies/propel-auth-jwt-inbound/schema.json +3 -3
  33. package/docs/policies/upstream-aws-federated-auth-inbound/doc.md +78 -0
  34. package/docs/policies/upstream-aws-federated-auth-inbound/intro.md +20 -0
  35. package/docs/policies/upstream-aws-federated-auth-inbound/schema.json +98 -0
  36. package/docs/policies/upstream-aws-service-auth-inbound/doc.md +89 -0
  37. package/docs/policies/upstream-aws-service-auth-inbound/intro.md +19 -0
  38. package/docs/policies/upstream-aws-service-auth-inbound/schema.json +113 -0
  39. package/docs/policies/upstream-azure-ad-service-auth-inbound/schema.json +4 -4
  40. package/docs/policies/upstream-gcp-federated-auth-inbound/doc.md +2 -2
  41. package/docs/policies/upstream-gcp-federated-auth-inbound/schema.json +4 -4
  42. package/docs/policies/upstream-gcp-service-auth-inbound/doc.md +3 -3
  43. package/docs/policies/upstream-gcp-service-auth-inbound/schema.json +3 -3
  44. package/docs/policies/upstream-zuplo-jwt-auth-inbound/schema.json +19 -0
  45. package/package.json +4 -4
@@ -82,6 +82,84 @@
82
82
  }
83
83
  }
84
84
  },
85
+ "idJag": {
86
+ "description": "Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.",
87
+ "oneOf": [
88
+ {
89
+ "type": "object",
90
+ "additionalProperties": false,
91
+ "required": ["enabled"],
92
+ "properties": {
93
+ "enabled": {
94
+ "const": false,
95
+ "description": "Disable ID-JAG support."
96
+ }
97
+ }
98
+ },
99
+ {
100
+ "type": "object",
101
+ "additionalProperties": false,
102
+ "required": ["enabled"],
103
+ "properties": {
104
+ "enabled": {
105
+ "const": true,
106
+ "description": "Enable ID-JAG support."
107
+ },
108
+ "trustedIssuers": {
109
+ "type": "array",
110
+ "minItems": 1,
111
+ "description": "Trusted ID-JAG issuers. These values are never published in OAuth metadata. Omit to trust this policy's browser-login IdP.",
112
+ "items": {
113
+ "type": "object",
114
+ "additionalProperties": false,
115
+ "dependentRequired": {
116
+ "issuer": ["jwksUrl"],
117
+ "jwksUrl": ["issuer"]
118
+ },
119
+ "properties": {
120
+ "issuer": {
121
+ "type": "string",
122
+ "format": "uri",
123
+ "description": "Exact issuer URL expected in the ID-JAG iss claim. Provide together with jwksUrl, or omit both to default to this policy's browser-login IdP."
124
+ },
125
+ "jwksUrl": {
126
+ "type": "string",
127
+ "format": "uri",
128
+ "description": "JWKS URL used to verify ID-JAG signatures from this issuer. Provide together with issuer, or omit both to default to this policy's browser-login IdP."
129
+ },
130
+ "expectedClientIds": {
131
+ "type": "array",
132
+ "items": {
133
+ "type": "string",
134
+ "minLength": 1
135
+ },
136
+ "description": "Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client."
137
+ },
138
+ "subjectMapping": {
139
+ "type": "string",
140
+ "enum": [
141
+ "iss_prefix",
142
+ "iss_tenant_prefix",
143
+ "sub_id_only"
144
+ ],
145
+ "default": "iss_prefix",
146
+ "description": "How the ID-JAG subject is mapped into the gateway subject ID."
147
+ }
148
+ }
149
+ }
150
+ },
151
+ "authorizationDetailsTypesAllowed": {
152
+ "type": "array",
153
+ "items": {
154
+ "type": "string",
155
+ "minLength": 1
156
+ },
157
+ "description": "Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs."
158
+ }
159
+ }
160
+ }
161
+ ]
162
+ },
85
163
  "browserLoginOverrides": {
86
164
  "type": "object",
87
165
  "description": "Optional overrides for the derived browser-login settings.",
@@ -98,6 +98,84 @@
98
98
  }
99
99
  }
100
100
  },
101
+ "idJag": {
102
+ "description": "Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.",
103
+ "oneOf": [
104
+ {
105
+ "type": "object",
106
+ "additionalProperties": false,
107
+ "required": ["enabled"],
108
+ "properties": {
109
+ "enabled": {
110
+ "const": false,
111
+ "description": "Disable ID-JAG support."
112
+ }
113
+ }
114
+ },
115
+ {
116
+ "type": "object",
117
+ "additionalProperties": false,
118
+ "required": ["enabled"],
119
+ "properties": {
120
+ "enabled": {
121
+ "const": true,
122
+ "description": "Enable ID-JAG support."
123
+ },
124
+ "trustedIssuers": {
125
+ "type": "array",
126
+ "minItems": 1,
127
+ "description": "Trusted ID-JAG issuers. These values are never published in OAuth metadata. Omit to trust this policy's browser-login IdP.",
128
+ "items": {
129
+ "type": "object",
130
+ "additionalProperties": false,
131
+ "dependentRequired": {
132
+ "issuer": ["jwksUrl"],
133
+ "jwksUrl": ["issuer"]
134
+ },
135
+ "properties": {
136
+ "issuer": {
137
+ "type": "string",
138
+ "format": "uri",
139
+ "description": "Exact issuer URL expected in the ID-JAG iss claim. Provide together with jwksUrl, or omit both to default to this policy's browser-login IdP."
140
+ },
141
+ "jwksUrl": {
142
+ "type": "string",
143
+ "format": "uri",
144
+ "description": "JWKS URL used to verify ID-JAG signatures from this issuer. Provide together with issuer, or omit both to default to this policy's browser-login IdP."
145
+ },
146
+ "expectedClientIds": {
147
+ "type": "array",
148
+ "items": {
149
+ "type": "string",
150
+ "minLength": 1
151
+ },
152
+ "description": "Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client."
153
+ },
154
+ "subjectMapping": {
155
+ "type": "string",
156
+ "enum": [
157
+ "iss_prefix",
158
+ "iss_tenant_prefix",
159
+ "sub_id_only"
160
+ ],
161
+ "default": "iss_prefix",
162
+ "description": "How the ID-JAG subject is mapped into the gateway subject ID."
163
+ }
164
+ }
165
+ }
166
+ },
167
+ "authorizationDetailsTypesAllowed": {
168
+ "type": "array",
169
+ "items": {
170
+ "type": "string",
171
+ "minLength": 1
172
+ },
173
+ "description": "Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs."
174
+ }
175
+ }
176
+ }
177
+ ]
178
+ },
101
179
  "browserLoginOverrides": {
102
180
  "type": "object",
103
181
  "description": "Optional overrides for the derived browser-login settings.",
@@ -79,6 +79,84 @@
79
79
  }
80
80
  }
81
81
  },
82
+ "idJag": {
83
+ "description": "Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.",
84
+ "oneOf": [
85
+ {
86
+ "type": "object",
87
+ "additionalProperties": false,
88
+ "required": ["enabled"],
89
+ "properties": {
90
+ "enabled": {
91
+ "const": false,
92
+ "description": "Disable ID-JAG support."
93
+ }
94
+ }
95
+ },
96
+ {
97
+ "type": "object",
98
+ "additionalProperties": false,
99
+ "required": ["enabled"],
100
+ "properties": {
101
+ "enabled": {
102
+ "const": true,
103
+ "description": "Enable ID-JAG support."
104
+ },
105
+ "trustedIssuers": {
106
+ "type": "array",
107
+ "minItems": 1,
108
+ "description": "Trusted ID-JAG issuers. These values are never published in OAuth metadata. Omit to trust this policy's browser-login IdP.",
109
+ "items": {
110
+ "type": "object",
111
+ "additionalProperties": false,
112
+ "dependentRequired": {
113
+ "issuer": ["jwksUrl"],
114
+ "jwksUrl": ["issuer"]
115
+ },
116
+ "properties": {
117
+ "issuer": {
118
+ "type": "string",
119
+ "format": "uri",
120
+ "description": "Exact issuer URL expected in the ID-JAG iss claim. Provide together with jwksUrl, or omit both to default to this policy's browser-login IdP."
121
+ },
122
+ "jwksUrl": {
123
+ "type": "string",
124
+ "format": "uri",
125
+ "description": "JWKS URL used to verify ID-JAG signatures from this issuer. Provide together with issuer, or omit both to default to this policy's browser-login IdP."
126
+ },
127
+ "expectedClientIds": {
128
+ "type": "array",
129
+ "items": {
130
+ "type": "string",
131
+ "minLength": 1
132
+ },
133
+ "description": "Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client."
134
+ },
135
+ "subjectMapping": {
136
+ "type": "string",
137
+ "enum": [
138
+ "iss_prefix",
139
+ "iss_tenant_prefix",
140
+ "sub_id_only"
141
+ ],
142
+ "default": "iss_prefix",
143
+ "description": "How the ID-JAG subject is mapped into the gateway subject ID."
144
+ }
145
+ }
146
+ }
147
+ },
148
+ "authorizationDetailsTypesAllowed": {
149
+ "type": "array",
150
+ "items": {
151
+ "type": "string",
152
+ "minLength": 1
153
+ },
154
+ "description": "Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs."
155
+ }
156
+ }
157
+ }
158
+ ]
159
+ },
82
160
  "browserLoginOverrides": {
83
161
  "type": "object",
84
162
  "description": "Optional overrides for the derived browser-login settings.",
@@ -74,6 +74,84 @@
74
74
  }
75
75
  }
76
76
  },
77
+ "idJag": {
78
+ "description": "Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.",
79
+ "oneOf": [
80
+ {
81
+ "type": "object",
82
+ "additionalProperties": false,
83
+ "required": ["enabled"],
84
+ "properties": {
85
+ "enabled": {
86
+ "const": false,
87
+ "description": "Disable ID-JAG support."
88
+ }
89
+ }
90
+ },
91
+ {
92
+ "type": "object",
93
+ "additionalProperties": false,
94
+ "required": ["enabled"],
95
+ "properties": {
96
+ "enabled": {
97
+ "const": true,
98
+ "description": "Enable ID-JAG support."
99
+ },
100
+ "trustedIssuers": {
101
+ "type": "array",
102
+ "minItems": 1,
103
+ "description": "Trusted ID-JAG issuers. These values are never published in OAuth metadata. Omit to trust this policy's browser-login IdP.",
104
+ "items": {
105
+ "type": "object",
106
+ "additionalProperties": false,
107
+ "dependentRequired": {
108
+ "issuer": ["jwksUrl"],
109
+ "jwksUrl": ["issuer"]
110
+ },
111
+ "properties": {
112
+ "issuer": {
113
+ "type": "string",
114
+ "format": "uri",
115
+ "description": "Exact issuer URL expected in the ID-JAG iss claim. Provide together with jwksUrl, or omit both to default to this policy's browser-login IdP."
116
+ },
117
+ "jwksUrl": {
118
+ "type": "string",
119
+ "format": "uri",
120
+ "description": "JWKS URL used to verify ID-JAG signatures from this issuer. Provide together with issuer, or omit both to default to this policy's browser-login IdP."
121
+ },
122
+ "expectedClientIds": {
123
+ "type": "array",
124
+ "items": {
125
+ "type": "string",
126
+ "minLength": 1
127
+ },
128
+ "description": "Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client."
129
+ },
130
+ "subjectMapping": {
131
+ "type": "string",
132
+ "enum": [
133
+ "iss_prefix",
134
+ "iss_tenant_prefix",
135
+ "sub_id_only"
136
+ ],
137
+ "default": "iss_prefix",
138
+ "description": "How the ID-JAG subject is mapped into the gateway subject ID."
139
+ }
140
+ }
141
+ }
142
+ },
143
+ "authorizationDetailsTypesAllowed": {
144
+ "type": "array",
145
+ "items": {
146
+ "type": "string",
147
+ "minLength": 1
148
+ },
149
+ "description": "Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs."
150
+ }
151
+ }
152
+ }
153
+ ]
154
+ },
77
155
  "browserLoginOverrides": {
78
156
  "type": "object",
79
157
  "description": "Optional overrides for the derived browser-login settings.",
@@ -87,6 +87,84 @@
87
87
  }
88
88
  }
89
89
  },
90
+ "idJag": {
91
+ "description": "Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.",
92
+ "oneOf": [
93
+ {
94
+ "type": "object",
95
+ "additionalProperties": false,
96
+ "required": ["enabled"],
97
+ "properties": {
98
+ "enabled": {
99
+ "const": false,
100
+ "description": "Disable ID-JAG support."
101
+ }
102
+ }
103
+ },
104
+ {
105
+ "type": "object",
106
+ "additionalProperties": false,
107
+ "required": ["enabled"],
108
+ "properties": {
109
+ "enabled": {
110
+ "const": true,
111
+ "description": "Enable ID-JAG support."
112
+ },
113
+ "trustedIssuers": {
114
+ "type": "array",
115
+ "minItems": 1,
116
+ "description": "Trusted ID-JAG issuers. These values are never published in OAuth metadata. Omit to trust this policy's browser-login IdP.",
117
+ "items": {
118
+ "type": "object",
119
+ "additionalProperties": false,
120
+ "dependentRequired": {
121
+ "issuer": ["jwksUrl"],
122
+ "jwksUrl": ["issuer"]
123
+ },
124
+ "properties": {
125
+ "issuer": {
126
+ "type": "string",
127
+ "format": "uri",
128
+ "description": "Exact issuer URL expected in the ID-JAG iss claim. Provide together with jwksUrl, or omit both to default to this policy's browser-login IdP."
129
+ },
130
+ "jwksUrl": {
131
+ "type": "string",
132
+ "format": "uri",
133
+ "description": "JWKS URL used to verify ID-JAG signatures from this issuer. Provide together with issuer, or omit both to default to this policy's browser-login IdP."
134
+ },
135
+ "expectedClientIds": {
136
+ "type": "array",
137
+ "items": {
138
+ "type": "string",
139
+ "minLength": 1
140
+ },
141
+ "description": "Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client."
142
+ },
143
+ "subjectMapping": {
144
+ "type": "string",
145
+ "enum": [
146
+ "iss_prefix",
147
+ "iss_tenant_prefix",
148
+ "sub_id_only"
149
+ ],
150
+ "default": "iss_prefix",
151
+ "description": "How the ID-JAG subject is mapped into the gateway subject ID."
152
+ }
153
+ }
154
+ }
155
+ },
156
+ "authorizationDetailsTypesAllowed": {
157
+ "type": "array",
158
+ "items": {
159
+ "type": "string",
160
+ "minLength": 1
161
+ },
162
+ "description": "Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs."
163
+ }
164
+ }
165
+ }
166
+ ]
167
+ },
90
168
  "browserLoginOverrides": {
91
169
  "type": "object",
92
170
  "description": "Optional overrides for the derived browser-login settings.",
@@ -79,6 +79,84 @@
79
79
  }
80
80
  }
81
81
  },
82
+ "idJag": {
83
+ "description": "Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.",
84
+ "oneOf": [
85
+ {
86
+ "type": "object",
87
+ "additionalProperties": false,
88
+ "required": ["enabled"],
89
+ "properties": {
90
+ "enabled": {
91
+ "const": false,
92
+ "description": "Disable ID-JAG support."
93
+ }
94
+ }
95
+ },
96
+ {
97
+ "type": "object",
98
+ "additionalProperties": false,
99
+ "required": ["enabled"],
100
+ "properties": {
101
+ "enabled": {
102
+ "const": true,
103
+ "description": "Enable ID-JAG support."
104
+ },
105
+ "trustedIssuers": {
106
+ "type": "array",
107
+ "minItems": 1,
108
+ "description": "Trusted ID-JAG issuers. These values are never published in OAuth metadata. Omit to trust this policy's browser-login IdP.",
109
+ "items": {
110
+ "type": "object",
111
+ "additionalProperties": false,
112
+ "dependentRequired": {
113
+ "issuer": ["jwksUrl"],
114
+ "jwksUrl": ["issuer"]
115
+ },
116
+ "properties": {
117
+ "issuer": {
118
+ "type": "string",
119
+ "format": "uri",
120
+ "description": "Exact issuer URL expected in the ID-JAG iss claim. Provide together with jwksUrl, or omit both to default to this policy's browser-login IdP."
121
+ },
122
+ "jwksUrl": {
123
+ "type": "string",
124
+ "format": "uri",
125
+ "description": "JWKS URL used to verify ID-JAG signatures from this issuer. Provide together with issuer, or omit both to default to this policy's browser-login IdP."
126
+ },
127
+ "expectedClientIds": {
128
+ "type": "array",
129
+ "items": {
130
+ "type": "string",
131
+ "minLength": 1
132
+ },
133
+ "description": "Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client."
134
+ },
135
+ "subjectMapping": {
136
+ "type": "string",
137
+ "enum": [
138
+ "iss_prefix",
139
+ "iss_tenant_prefix",
140
+ "sub_id_only"
141
+ ],
142
+ "default": "iss_prefix",
143
+ "description": "How the ID-JAG subject is mapped into the gateway subject ID."
144
+ }
145
+ }
146
+ }
147
+ },
148
+ "authorizationDetailsTypesAllowed": {
149
+ "type": "array",
150
+ "items": {
151
+ "type": "string",
152
+ "minLength": 1
153
+ },
154
+ "description": "Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs."
155
+ }
156
+ }
157
+ }
158
+ ]
159
+ },
82
160
  "browserLoginOverrides": {
83
161
  "type": "object",
84
162
  "description": "Optional overrides for the derived browser-login settings.",
@@ -165,7 +165,7 @@
165
165
  {
166
166
  "type": "object",
167
167
  "additionalProperties": false,
168
- "required": ["enabled", "trustedIssuers"],
168
+ "required": ["enabled"],
169
169
  "properties": {
170
170
  "enabled": {
171
171
  "const": true,
@@ -174,21 +174,24 @@
174
174
  "trustedIssuers": {
175
175
  "type": "array",
176
176
  "minItems": 1,
177
- "description": "Trusted ID-JAG issuers. These values are never published in OAuth metadata.",
177
+ "description": "Trusted ID-JAG issuers. These values are never published in OAuth metadata. Omit to trust this policy's browser-login IdP.",
178
178
  "items": {
179
179
  "type": "object",
180
180
  "additionalProperties": false,
181
- "required": ["issuer", "jwksUrl"],
181
+ "dependentRequired": {
182
+ "issuer": ["jwksUrl"],
183
+ "jwksUrl": ["issuer"]
184
+ },
182
185
  "properties": {
183
186
  "issuer": {
184
187
  "type": "string",
185
188
  "format": "uri",
186
- "description": "Exact issuer URL expected in the ID-JAG iss claim."
189
+ "description": "Exact issuer URL expected in the ID-JAG iss claim. Provide together with jwksUrl, or omit both to default to this policy's browser-login IdP."
187
190
  },
188
191
  "jwksUrl": {
189
192
  "type": "string",
190
193
  "format": "uri",
191
- "description": "JWKS URL used to verify ID-JAG signatures from this issuer."
194
+ "description": "JWKS URL used to verify ID-JAG signatures from this issuer. Provide together with issuer, or omit both to default to this policy's browser-login IdP."
192
195
  },
193
196
  "expectedClientIds": {
194
197
  "type": "array",
@@ -84,6 +84,84 @@
84
84
  }
85
85
  }
86
86
  },
87
+ "idJag": {
88
+ "description": "Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.",
89
+ "oneOf": [
90
+ {
91
+ "type": "object",
92
+ "additionalProperties": false,
93
+ "required": ["enabled"],
94
+ "properties": {
95
+ "enabled": {
96
+ "const": false,
97
+ "description": "Disable ID-JAG support."
98
+ }
99
+ }
100
+ },
101
+ {
102
+ "type": "object",
103
+ "additionalProperties": false,
104
+ "required": ["enabled"],
105
+ "properties": {
106
+ "enabled": {
107
+ "const": true,
108
+ "description": "Enable ID-JAG support."
109
+ },
110
+ "trustedIssuers": {
111
+ "type": "array",
112
+ "minItems": 1,
113
+ "description": "Trusted ID-JAG issuers. These values are never published in OAuth metadata. Omit to trust this policy's browser-login IdP.",
114
+ "items": {
115
+ "type": "object",
116
+ "additionalProperties": false,
117
+ "dependentRequired": {
118
+ "issuer": ["jwksUrl"],
119
+ "jwksUrl": ["issuer"]
120
+ },
121
+ "properties": {
122
+ "issuer": {
123
+ "type": "string",
124
+ "format": "uri",
125
+ "description": "Exact issuer URL expected in the ID-JAG iss claim. Provide together with jwksUrl, or omit both to default to this policy's browser-login IdP."
126
+ },
127
+ "jwksUrl": {
128
+ "type": "string",
129
+ "format": "uri",
130
+ "description": "JWKS URL used to verify ID-JAG signatures from this issuer. Provide together with issuer, or omit both to default to this policy's browser-login IdP."
131
+ },
132
+ "expectedClientIds": {
133
+ "type": "array",
134
+ "items": {
135
+ "type": "string",
136
+ "minLength": 1
137
+ },
138
+ "description": "Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client."
139
+ },
140
+ "subjectMapping": {
141
+ "type": "string",
142
+ "enum": [
143
+ "iss_prefix",
144
+ "iss_tenant_prefix",
145
+ "sub_id_only"
146
+ ],
147
+ "default": "iss_prefix",
148
+ "description": "How the ID-JAG subject is mapped into the gateway subject ID."
149
+ }
150
+ }
151
+ }
152
+ },
153
+ "authorizationDetailsTypesAllowed": {
154
+ "type": "array",
155
+ "items": {
156
+ "type": "string",
157
+ "minLength": 1
158
+ },
159
+ "description": "Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs."
160
+ }
161
+ }
162
+ }
163
+ ]
164
+ },
87
165
  "browserLoginOverrides": {
88
166
  "type": "object",
89
167
  "description": "Optional overrides for the derived browser-login settings.",