Updating docs

Dylan Souza · Dylan Souza · commit fab992bdeb3d · 2019-04-12T16:21:40.000Z
diff --git a/plugins/experimental/uri_signing/README.md b/plugins/experimental/uri_signing/README.md
@@ -1,8 +1,7 @@
 URI Signing Plugin
 ==================
 
-This remap plugin implements the draft URI Signing protocol documented here:
-https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-16 .
+This remap plugin implements the draft URI Signing protocol documented [here](https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-16):
 
 It takes a single argument: the name of a config file that contains key information.
 
@@ -77,16 +76,25 @@ It's worth noting that multiple issuers can provide `auth_directives`.
 Each issuer will be processed in order and any issuer can provide access to
 a path.
 
-### Token Stripping
+### More Configuration Options
 
-When The boolean strip_token parameter is set to true, the plugin removes the 
+**Strip Token**
+When the strip_token parameter is set to true, the plugin removes the 
 token from both the url that is sent upstream to the origin and the url that 
-is used as the cache key. It can be set like this:
+is used as the cache key. The strip_token parameter defaults to false and should
+be set by only one issuer.
+**ID**
+The id field takes a string indicating the identification of the entity processing the request.
+This is used in aud claim checks to ensure that the receiver is the intended audience of a 
+tokenized request. The id parameter can only be set by one issuer.
+
+Example:
 
     {
       "Kabletown URI Authority": {
         "renewal_kid": "Second Key",
         "strip_token" : true,
+        "id" : "mycdn",
         "auth_directives": [
           ⋮
         ]
@@ -95,8 +103,6 @@ is used as the cache key. It can be set like this:
         ]
     }
 
-The strip_token parameter defaults to false and should be set by only one issuer.
-
 Usage
 -----
 
@@ -107,17 +113,18 @@ will receive a 403 Forbidden response, instead of receiving content.
 Tokens will be found in either of these places:
 
   - A query parameter named `URISigningPackage`. The value must be the JWT.
+  - A path parameter named `URISigningPackage`. The value must be the JWT.
   - A cookie named `URISigningPackage`. The value of the cookie must be the JWT.
 
-Path parameters will not be searched for JWTs.
-
 ### Supported Claims
 
 The following claims are understood:
 
   - `iss`: Must be present. The issuer is used to locate the key for verification.
   - `sub`: May be present, but is not validated.
   - `exp`: Expired tokens are not valid.
+  - `nbf`: Tokens processed before this time are not valid.
+  - `aud`: Token aud claim strings must match the configured id to be considered valid.
   - `iat`: May be present, but is not validated.
   - `cdniv`: Must be missing or 1.
   - `cdniuc`: Validated last, after key verificationD. **Only `regex` is supported!**
@@ -129,8 +136,6 @@ The following claims are understood:
 
 These claims are not supported. If they are present, the token will not validate:
 
-  - `aud`
-  - `nbf`
   - `jti`
   - `cdnicrit`
   - `cdniip`
