update oauth2.conf docs; closes #76

zandbelt · zandbelt · commit 8d1d1f95fddb · 2025-05-06T20:50:55.000+02:00
Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@openidc.com&gt;
diff --git a/oauth2.conf b/oauth2.conf
@@ -94,7 +94,8 @@
 # pubkey     <string>   PEM formatted RSA public key              kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
 # eckey_uri  <url>      URL on wich the Elliptic Curve key is     eckey_uri.ssl_verify, eckey_uri.cache, eckey_uri.expiry,
 #                       published as a PEM (Amazon ALB specific)  verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
-#                       
+# aws_alb    <string>   ALB ARN                                   alb_base_url, aws_alb.ssl_verify, aws_alb.auth, aws_alb.cache, aws_alb.expiry
+#                                                                 verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
 #
 # OAuth2TokenVerify Options:
 #
@@ -107,16 +108,16 @@
 # verify.iat.slack_before  <number>                  acceptable clock drift in seconds for the "iat" claim: anything issued before now-number will be rejected
 # verify.iat.slack_after   <number>                  acceptable clock drift in seconds for the "iat" claim: anything issued after now+number will be rejected
 # type                     [mtls|dpop]               type of proof of possession, mtls.policy=[optional|required]
-# cache                    <string>                  cache backend name for access token validation results,
+# verify.cache             <string>                  cache backend name for access token validation results,
 #                                                    default is "default", otherwise must refer to a named cache defined with OAuth2Cache
 # expiry                   <number>                  cache expiry in seconds for access token validation results
 # introspect.auth          <auth>                    endpoint authentication, see Authentication Options
 # introspect.token_param_name <string>               name of the parameter in which the access token is sent, if is not the default "token"
 # introspect.params        <form-encoded-string>     form-encoded extra POST parameters sent to the introspectoin endpoint e.g. key1%3Done%26key2%3Dtwo
 # *.ssl_verify             true|false                verify the TLS certificate presented on the configured HTTPs URL
-# *.cache                  <string>                  cache backend name for results resolved from a URI
+# *.cache                  <string>                  [introspect|jwks_uri|eckey_uri|aws_alb] cache backend name for content resolved from a URI
 #                                                    default is "default", otherwise must refer to a named cache defined with OAuth2Cache
-# *.expiry                 <number>                  cache expiry for results resolved from a URI
+# *.expiry                 <number>                  [introspect|jwks_uri|eckey_uri|aws_alb] cache expiry for content resolved from a URI
 #
 # Authentication Options:
 #
