Option to relax bound_issuer validation (domain vs URL)
Is your feature request related to a problem? Please describe.
GitLab is in the process of modifying the JWT tokens it provides in CI jobs, and in particular it is changing the iss (Issuer) claim value:
- it was `gitlab.something.com` in old-style tokens (deprecated but widely used)
- it is `https://gitlab.something.com` in new tokens (obtained via a new pipeline keyword)
It's a legitimate change, but the transition is painful in the context of GitLab/Vault interactions, because on the Vault side it requires two JWT auth URLs, one for each style of token (for each specific bound_issuer). GitLab users (pipeline authors) must take into account that when they update the way they obtain a JWT token, they must also adapt their target Vault auth URL. In our case it will affect many people across many projects/teams.
Describe the solution you'd like
I'd like to have the option to configure the JWT auth plugin only once in Vault, in such a way that it tolerates both forms of the Issuer claim (FQDN and https://FQDN). It could be a boolean option to enable the special case (something like "ignore protocol in iss: claim if bound_issuer is a domain name"), or the ability to provide a list of bound_issuers.
At least the "special case" option would not be too difficult to take into account in cap/jwt, I think, here: https://github.com/hashicorp/cap/blob/6d1e00a6c5e03eb3947f260ee3b14cf8fa18ab6b/jwt/jwt.go#L141
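As an added illustration (not code from cap/jwt, Vault or the issue author), here is one way the proposed "special case" could be checked while keeping the comparison strict: the relaxed mode only ever adds `https://<bound_issuer>` as an accepted form, and rejects http, ports, paths, userinfo and look-alike hosts. The function name and the `relax` flag are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// IssuerMatches reports whether a JWT "iss" claim is acceptable for the
// configured bound_issuer. Illustrative only; not the cap/jwt or Vault logic.
//
// relax == false: plain string equality, as today.
// relax == true and bound_issuer is a bare domain name (no scheme, port or
// path): additionally accept exactly "https://<bound_issuer>". Anything
// looser (http://, a port, a path, userinfo, "<domain>.evil") is rejected.
func IssuerMatches(iss, boundIssuer string, relax bool) bool {
	if iss == boundIssuer {
		return true
	}
	// If bound_issuer is itself URL-like (contains "/" or ":"), the relaxed
	// rule does not apply: exact match only.
	if !relax || strings.ContainsAny(boundIssuer, "/:") {
		return false
	}
	u, err := url.Parse(iss)
	if err != nil {
		return false
	}
	// Require scheme https, host identical to bound_issuer, and no other
	// URL components at all (so "https://domain/" or ":443" do not match).
	return u.Scheme == "https" &&
		u.User == nil &&
		u.Host == boundIssuer &&
		u.Path == "" &&
		u.RawQuery == "" &&
		u.Fragment == ""
}

func main() {
	// Constructed sample claims: the two legitimate GitLab forms plus
	// variants that a relaxed comparison must still reject.
	bound := "gitlab.something.com"
	for _, iss := range []string{
		"gitlab.something.com", "https://gitlab.something.com",
		"http://gitlab.something.com", "https://gitlab.something.com.evil",
		"https://gitlab.something.com/", "https://gitlab.something.com:443",
	} {
		fmt.Printf("%-40s strict=%-5v relaxed=%v\n",
			iss, IssuerMatches(iss, bound, false), IssuerMatches(iss, bound, true))
	}
}
```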
Describe alternatives you've considered
The alternative is to live with two JWT auth URLs in Vault during the transition period, until deprecated tokens disappear, like this.