docs: document identity option for JWT & Azure AD guard (aklivity#321)

ankitk-me · web-flow · commit 6a050759ee00 · 2025-05-29T18:57:40.000+05:30
diff --git a/src/concepts/security/guard/azure-ad/README.md b/src/concepts/security/guard/azure-ad/README.md
@@ -58,12 +58,13 @@ guards:
 
 The `azure-ad` specific options.
 
-| Property          | Type                          | Description                 |
-|-------------------|-------------------------------|-----------------------------|
-| options.issuer    | `string`                      | Default: `organizations`    |
-| options.audience  | `string`                      | Audience claim.             |
-| options.version   | `enum` [ `v1.0`, `v2.0` ]     | Default: `v2.0`             |
-| options.challenge | `integer`                     | Challenge period (seconds). |
+| Property          | Type                      | Description                 |
+|-------------------|---------------------------|-----------------------------|
+| options.issuer    | `string`                  | Default: `organizations`    |
+| options.audience  | `string`                  | Audience claim.             |
+| options.version   | `enum` [ `v1.0`, `v2.0` ] | Default: `v2.0`             |
+| options.challenge | `integer`                 | Challenge period (seconds). |
+| options.identity  | `string`                  | Default: `sub`              |
 
 :::
 
diff --git a/src/concepts/security/guard/jwt/README.md b/src/concepts/security/guard/jwt/README.md
@@ -57,19 +57,24 @@ guards:
 
 The `jwt` specific options.
 
-| Property | Type | Description |
-| -- | -- | -- |
-| options.issuer |  `string` |  Issuer claim. |
-| options.audience |  `string` | Audience claim. |
-| options.challenge |  `integer` | Challenge period (seconds). |
-| options.keys |  `string`, `object[]` | If not specified, the JWT vault derives the key location from the issuer's `.well-known/jwks.json`. It can also be set as a URI string or a list of objects with supported key values. |
-| options.keys.kty |  `string` | Key type, e.g. "RSA" , "EC". |
-| options.keys.kid |  `string` | Key ID. |
-| options.keys.n |  `string` | "RSA" modulus. |
-| options.keys.e |  `string` | "RSA" exponent. |
-| options.keys.alg |  `string` | "RSA" algorithm, e.g. "RS256". |
-| options.keys.crv |  `string` | "EC" curve name. |
-| options.keys.x |  `string` | "EC" point X coordinate. |
-| options.keys.y |  `string` | "EC" point Y coordinate. |
+| Property          | Type                   | Description                                                                                                                                                                            |
+|-------------------|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| options.issuer    | `string`               | Issuer claim.                                                                                                                                                                          |
+| options.audience  | `string`               | Audience claim.                                                                                                                                                                        |
+| options.challenge | `integer`              | Challenge period (seconds).                                                                                                                                                            |
+| options.identity  | `string`               | Default: `sub`                                                                                                                                                                         |
+| options.keys      | `string`, `object[]`   | If not specified, the JWT vault derives the key location from the issuer's `.well-known/jwks.json`. It can also be set as a URI string or a list of objects with supported key values. |
+| options.keys.kty  | `string`               | Key type, e.g. "RSA" , "EC".                                                                                                                                                           |
+| options.keys.kid  | `string`               | Key ID.                                                                                                                                                                                |
+| options.keys.n    | `string`               | "RSA" modulus.                                                                                                                                                                         |
+| options.keys.e    | `string`               | "RSA" exponent.                                                                                                                                                                        |
+| options.keys.alg  | `string`               | "RSA" algorithm, e.g. "RS256".                                                                                                                                                         |
+| options.keys.crv  | `string`               | "EC" curve name.                                                                                                                                                                       |
+| options.keys.x    | `string`               | "EC" point X coordinate.                                                                                                                                                               |
+| options.keys.y    | `string`               | "EC" point Y coordinate.                                                                                                                                                               |
 
 :::
+
+## Reference
+
+[`jwt` Guard](/reference/config/guards/jwt.md)
diff --git a/src/reference/config/guards/azure-ad.md b/src/reference/config/guards/azure-ad.md
@@ -80,3 +80,9 @@ Azure AD version.
 > `integer`
 
 Challenge period (seconds).
+
+#### options.identity
+
+> `string` | Default: `sub`
+
+Claim to extract the user's identity from the token.
diff --git a/src/reference/config/guards/jwt.md b/src/reference/config/guards/jwt.md
@@ -95,6 +95,12 @@ Audience claim.
 
 Challenge period (seconds).
 
+#### options.identity
+
+> `string` | Default: `sub`
+
+Claim to extract the user's identity from the token.
+
 #### options.keys
 
 > `string`, `array` of `object`
