2020-05-13 19:14:03 +00:00
|
|
|
## JWT vs OIDC Auth Methods
|
|
|
|
|
|
|
|
Since both the `oidc` and `jwt` auth methods ultimately operate on JWTs as
|
|
|
|
bearer tokens, it may be confusing to know which is right for a given use case.
|
|
|
|
|
|
|
|
- **JWT**: The user or application performing the Consul login must already be
|
|
|
|
in possession of a valid JWT to begin. There is no browser interaction
|
|
|
|
required. This is ideal for machine-oriented headless login where an operator
|
|
|
|
may have already arranged for a valid JWT to be dropped on a VM or provided
|
2020-09-10 17:32:06 +00:00
|
|
|
to a container.
|
2020-05-13 19:14:03 +00:00
|
|
|
|
|
|
|
- **OIDC**: The user performing the Consul login does not have a JWT nor do
|
|
|
|
they even need to know what that means. This is ideal for human-oriented
|
|
|
|
interactive login where an operator or administrator may have deployed SSO
|
|
|
|
widely and doesn't want to have the burden of tracking and distributing
|
|
|
|
Consul ACL tokens to any authorized coworker who may need to have access to a
|
|
|
|
Consul instance. Browser interaction is required. **This is only available in
|
|
|
|
[Consul Enterprise](https://www.hashicorp.com/products/consul/)**.
|