From a847fcbf231bee58dbd2c38d9b0c20890e74a9c0 Mon Sep 17 00:00:00 2001
From: Scott Miller
Date: Mon, 5 Aug 2024 15:27:27 -0500
Subject: [PATCH] Add the ability to ignore unhandled critical certificate exceptions (#313)

* Wire up support for ignoring unhandled critical extensions
* update deps
* update dep
* Peg to real tag
* attempts at testing
* Support the cert pool
* setup the CA roots in the roundtripper if present
* remove dead code
---
 go.mod | 33 +++---
 go.sum | 67 ++++++------
 path_config.go | 135 ++++++++++++++++--------
 path_config_test.go | 249 ++++++++++++++++++++++++--------------------
 path_login_test.go | 4 +
 path_oidc_test.go | 4 +
 6 files changed, 279 insertions(+), 213 deletions(-)

diff --git a/go.mod b/go.mod
index 0580a591..ca6dedc0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,16 +1,17 @@
 module github.com/hashicorp/vault-plugin-auth-jwt
-go 1.21
+go 1.22.5
 require (
 github.com/go-jose/go-jose/v3 v3.0.3
 github.com/go-test/deep v1.1.0
-github.com/hashicorp/cap v0.6.0
+github.com/hashicorp/cap v0.7.0
 github.com/hashicorp/errwrap v1.1.0
 github.com/hashicorp/go-cleanhttp v0.5.2
-github.com/hashicorp/go-hclog v1.6.2
+github.com/hashicorp/go-hclog v1.6.3
 github.com/hashicorp/go-multierror v1.1.1
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
+github.com/hashicorp/go-secure-stdlib/httputil v0.1.0
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2
 github.com/hashicorp/go-sockaddr v1.0.6
 github.com/hashicorp/vault/api v1.12.0
@@ -20,28 +21,27 @@ require (
 github.com/patrickmn/go-cache v2.1.0+incompatible
 github.com/ryanuber/go-glob v1.0.0
 github.com/stretchr/testify v1.9.0
-golang.org/x/oauth2 v0.18.0
-golang.org/x/sync v0.6.0
+golang.org/x/oauth2 v0.21.0
+golang.org/x/sync v0.7.0
 google.golang.org/api v0.163.0
 )
 require (
-cloud.google.com/go/compute v1.23.3 // indirect
-cloud.google.com/go/compute/metadata v0.2.3 // indirect
+cloud.google.com/go/compute/metadata v0.3.0 // indirect
 github.com/Microsoft/go-winio v0.6.1 // indirect
 github.com/armon/go-metrics v0.4.1 // indirect
 github.com/armon/go-radix v1.0.0 // indirect
 github.com/cenkalti/backoff/v3 v3.2.2 // indirect
-github.com/coreos/go-oidc/v3 v3.10.0 // indirect
+github.com/coreos/go-oidc/v3 v3.11.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/docker/distribution v2.8.2+incompatible // indirect
 github.com/docker/docker v24.0.9+incompatible // indirect
 github.com/docker/go-connections v0.4.0 // indirect
 github.com/docker/go-units v0.5.0 // indirect
 github.com/evanphx/json-patch/v5 v5.6.0 // indirect
-github.com/fatih/color v1.16.0 // indirect
+github.com/fatih/color v1.17.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
-github.com/go-jose/go-jose/v4 v4.0.1 // indirect
+github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 github.com/go-logr/logr v1.4.1 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
@@ -85,14 +85,13 @@ require (
 go.opentelemetry.io/otel/metric v1.24.0 // indirect
 go.opentelemetry.io/otel/trace v1.24.0 // indirect
 go.uber.org/atomic v1.9.0 // indirect
-golang.org/x/crypto v0.22.0 // indirect
-golang.org/x/mod v0.11.0 // indirect
-golang.org/x/net v0.24.0 // indirect
-golang.org/x/sys v0.19.0 // indirect
-golang.org/x/text v0.14.0 // indirect
+golang.org/x/crypto v0.25.0 // indirect
+golang.org/x/mod v0.17.0 // indirect
+golang.org/x/net v0.27.0 // indirect
+golang.org/x/sys v0.22.0 // indirect
+golang.org/x/text v0.16.0 // indirect
 golang.org/x/time v0.5.0 // indirect
-golang.org/x/tools v0.10.0 // indirect
-google.golang.org/appengine v1.6.8 // indirect
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe // indirect
 google.golang.org/grpc v1.61.1 // indirect
diff --git a/go.sum b/go.sum
index ae89c069..3924a29f 100644
--- a/go.sum
+++ b/go.sum
@@ -1,8 +1,6 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk=
-cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI=
-cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -32,8 +30,8 @@ github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6D
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=
-github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac=
+github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
+github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -54,8 +52,8 @@ github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJ
 github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
-github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
-github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
+github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
+github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
 github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -64,8 +62,8 @@ github.com/frankban/quicktest v1.11.3 h1:8sXhOn0uLys67V8EsXLc6eszDs8VXWxL3iRvebP
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
 github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
-github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
-github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
+github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
@@ -96,8 +94,6 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
@@ -108,7 +104,6 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -122,8 +117,8 @@ github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfF
 github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
 github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
 github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
-github.com/hashicorp/cap v0.6.0 h1:uOSdbtXu8zsbRyjwpiTy6QiuX3+5paAbNkYlop7QexM=
-github.com/hashicorp/cap v0.6.0/go.mod h1:DwzHkoG6pxSARiqwvAgxmCPUpTTCCw2wVuPrIFOzpe0=
+github.com/hashicorp/cap v0.7.0 h1:atLIEU5lJslYXo1qsv7RtUL1HrJVVxnfkErIT3uxLp0=
+github.com/hashicorp/cap v0.7.0/go.mod h1:UynhCoGX3pxL0OfVrfMzPWAyjMYp96bk11BNTf2zt8o=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -132,8 +127,8 @@ github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v1.6.2 h1:NOtoftovWkDheyUM/8JW3QMiXyxJK3uHRK7wV04nD2I=
-github.com/hashicorp/go-hclog v1.6.2/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
 github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
@@ -153,6 +148,8 @@ github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5O
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
+github.com/hashicorp/go-secure-stdlib/httputil v0.1.0 h1:0cT/LmCfurGE6/MOq8ig3meKYS32YDh0sTE9g86ANgg=
+github.com/hashicorp/go-secure-stdlib/httputil v0.1.0/go.mod h1:Md+jfeLf7CjGjTmgBWzFyc4vznsIb8yEiX7/CGAJvkI=
 github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 h1:p4AKXPPS24tO8Wc8i1gLvSKdmkiSY5xuju57czJ/IJQ=
 github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
@@ -322,8 +319,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -332,8 +329,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
-golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -349,11 +346,11 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
-golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
+golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -362,8 +359,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -387,8 +384,8 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -397,11 +394,11 @@ golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -414,8 +411,8 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
-golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -424,8 +421,6 @@ google.golang.org/api v0.163.0 h1:4BBDpPaSH+H28NhnX+WwjXxbRLQ7TWuEKp4BQyEjxvk=
 google.golang.org/api v0.163.0/go.mod h1:6SulDkfoBIg4NFmCuZ39XeeAgSHCPecfSUuDyYlAHs0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
-google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
@@ -451,8 +446,6 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
diff --git a/path_config.go b/path_config.go
index c96df0c8..6d137bac 100644
--- a/path_config.go
+++ b/path_config.go
@@ -8,6 +8,7 @@ import (
 "crypto"
 "crypto/tls"
 "crypto/x509"
+"encoding/asn1"
 "errors"
 "fmt"
 "net/http"
@@ -17,6 +18,7 @@ import (
 "github.com/hashicorp/cap/oidc"
 "github.com/hashicorp/errwrap"
 "github.com/hashicorp/go-cleanhttp"
+httputil "github.com/hashicorp/go-secure-stdlib/httputil"
 "github.com/hashicorp/go-secure-stdlib/strutil"
 "github.com/hashicorp/vault/sdk/framework"
 "github.com/hashicorp/vault/sdk/helper/certutil"
@@ -108,6 +110,10 @@ func pathConfig(b *jwtAuthBackend) *framework.Path {
 Value: true,
 },
 },
+"unsupported_critical_cert_extensions": {
+Type: framework.TypeCommaStringSlice,
+Description: `A list of ASN1 OIDs of certificate extensions marked Critical that are unsupported by Vault and should be ignored. This option should very rarely be needed except in specialized PKI environments.`,
+},
 },
 Operations: map[logical.Operation]framework.OperationHandler{
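Review bot: The Description of the new `unsupported_critical_cert_extensions` field says which extensions get ignored but not where the relaxation applies: within this diff the OID list is only wired into the round tripper built in createProvider, so it affects the TLS connection to the OIDC discovery URL and, as far as the diff shows, not the JWKS fetches configured through `jwks_url`/`jwks_ca_pem`. It should also say what is being given up, since a critical extension the verifier cannot evaluate otherwise causes the chain to be rejected. Suggested text appended to the Description: `Applies to the TLS connection made to the OIDC discovery URL. Certificates in that chain are accepted even though they carry a critical extension Vault cannot evaluate, so list only OIDs whose meaning has been reviewed.` pathConfig's body continues outside the hunk.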
@@ -196,20 +202,21 @@ func (b *jwtAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reques
 resp := &logical.Response{
 Data: map[string]interface{}{
-"oidc_discovery_url": config.OIDCDiscoveryURL,
-"oidc_discovery_ca_pem": config.OIDCDiscoveryCAPEM,
-"oidc_client_id": config.OIDCClientID,
-"oidc_response_mode": config.OIDCResponseMode,
-"oidc_response_types": config.OIDCResponseTypes,
-"default_role": config.DefaultRole,
-"jwt_validation_pubkeys": config.JWTValidationPubKeys,
-"jwt_supported_algs": config.JWTSupportedAlgs,
-"jwks_url": config.JWKSURL,
-"jwks_pairs": config.JWKSPairs,
-"jwks_ca_pem": config.JWKSCAPEM,
-"bound_issuer": config.BoundIssuer,
-"provider_config": providerConfig,
-"namespace_in_state": config.NamespaceInState,
+"oidc_discovery_url": config.OIDCDiscoveryURL,
+"oidc_discovery_ca_pem": config.OIDCDiscoveryCAPEM,
+"oidc_client_id": config.OIDCClientID,
+"oidc_response_mode": config.OIDCResponseMode,
+"oidc_response_types": config.OIDCResponseTypes,
+"default_role": config.DefaultRole,
+"jwt_validation_pubkeys": config.JWTValidationPubKeys,
+"jwt_supported_algs": config.JWTSupportedAlgs,
+"jwks_url": config.JWKSURL,
+"jwks_pairs": config.JWKSPairs,
+"jwks_ca_pem": config.JWKSCAPEM,
+"bound_issuer": config.BoundIssuer,
+"provider_config": providerConfig,
+"namespace_in_state": config.NamespaceInState,
+"unsupported_critical_cert_extensions": config.UnsupportedCriticalCertExtensions,
 },
 }
@@ -218,20 +225,21 @@ func (b *jwtAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reques
 func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 config := &jwtConfig{
-OIDCDiscoveryURL: d.Get("oidc_discovery_url").(string),
-OIDCDiscoveryCAPEM: d.Get("oidc_discovery_ca_pem").(string),
-OIDCClientID: d.Get("oidc_client_id").(string),
-OIDCClientSecret: d.Get("oidc_client_secret").(string),
-OIDCResponseMode: d.Get("oidc_response_mode").(string),
-OIDCResponseTypes: d.Get("oidc_response_types").([]string),
-JWKSURL: d.Get("jwks_url").(string),
-JWKSPairs: d.Get("jwks_pairs").([]interface{}),
-JWKSCAPEM: d.Get("jwks_ca_pem").(string),
-DefaultRole: d.Get("default_role").(string),
-JWTValidationPubKeys: d.Get("jwt_validation_pubkeys").([]string),
-JWTSupportedAlgs: d.Get("jwt_supported_algs").([]string),
-BoundIssuer: d.Get("bound_issuer").(string),
-ProviderConfig: d.Get("provider_config").(map[string]interface{}),
+OIDCDiscoveryURL: d.Get("oidc_discovery_url").(string),
+OIDCDiscoveryCAPEM: d.Get("oidc_discovery_ca_pem").(string),
+OIDCClientID: d.Get("oidc_client_id").(string),
+OIDCClientSecret: d.Get("oidc_client_secret").(string),
+OIDCResponseMode: d.Get("oidc_response_mode").(string),
+OIDCResponseTypes: d.Get("oidc_response_types").([]string),
+JWKSURL: d.Get("jwks_url").(string),
+JWKSPairs: d.Get("jwks_pairs").([]interface{}),
+JWKSCAPEM: d.Get("jwks_ca_pem").(string),
+DefaultRole: d.Get("default_role").(string),
+JWTValidationPubKeys: d.Get("jwt_validation_pubkeys").([]string),
+JWTSupportedAlgs: d.Get("jwt_supported_algs").([]string),
+BoundIssuer: d.Get("bound_issuer").(string),
+ProviderConfig: d.Get("provider_config").(map[string]interface{}),
+UnsupportedCriticalCertExtensions: d.Get("unsupported_critical_cert_extensions").([]string),
 }
 // Check if the config already exists, to determine if this is a create or
@@ -286,7 +294,6 @@ func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Reque
 b.Logger().Error("error checking oidc discovery URL", "error", err)
 return logical.ErrorResponse("error checking oidc discovery URL"), nil
 }
-
 case config.OIDCClientID != "" && config.OIDCDiscoveryURL == "":
 return logical.ErrorResponse("'oidc_discovery_url' must be set for OIDC"), nil
@@ -318,6 +325,12 @@ func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Reque
 return logical.ErrorResponse(fmt.Errorf("error parsing public key: %w", err).Error()), nil
 }
 }
+case len(config.UnsupportedCriticalCertExtensions) > 0:
+for _, v := range config.UnsupportedCriticalCertExtensions {
+if _, err := certutil.StringToOid(v); err != nil {
+return logical.ErrorResponse(fmt.Errorf("error parsing extension OID: %w", err).Error()), nil
+}
+}
 default:
 return nil, errors.New("unknown condition")
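Review bot: The OID validation added as `case len(config.UnsupportedCriticalCertExtensions) > 0:` in the second hunk only runs when none of the earlier cases of this switch matched, i.e. when no discovery URL, JWKS source or public keys are configured — the one situation in which the list does nothing — and a write that sets only the extension list now falls into this case instead of reaching `default`. With `oidc_discovery_url` set, a malformed OID is never checked here; judging by the first hunk's message, the discovery case logs the real error and returns the generic `error checking oidc discovery URL`, so the operator never sees which OID was bad. Validate the list unconditionally before the switch — `if len(config.UnsupportedCriticalCertExtensions) > 0 { for _, v := range config.UnsupportedCriticalCertExtensions { if _, err := certutil.StringToOid(v); err != nil { return logical.ErrorResponse(fmt.Errorf("error parsing extension OID: %w", err).Error()), nil } } }` — and drop the case. The switch begins and ends outside the hunk.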
@@ -374,9 +387,40 @@ func (b *jwtAuthBackend) createProvider(config *jwtConfig) (*oidc.Provider, erro
 supportedSigAlgs = []oidc.Alg{oidc.RS256}
 }
+var opts []oidc.Option
+if len(config.UnsupportedCriticalCertExtensions) > 0 {
+var oids []asn1.ObjectIdentifier
+for _, v := range config.UnsupportedCriticalCertExtensions {
+oid, err := certutil.StringToOid(v)
+if err != nil {
+return nil, errwrap.Wrapf("error creating provider: {{err}}", err)
+}
+oids = append(oids, oid)
+}
+
+var tp http.RoundTripper
+
+if config.OIDCDiscoveryCAPEM != "" {
+certPool := x509.NewCertPool()
+if ok := certPool.AppendCertsFromPEM([]byte(config.OIDCDiscoveryCAPEM)); ok {
+tp = &http.Transport{
+TLSClientConfig: &tls.Config{
+RootCAs: certPool,
+},
+}
+}
+}
+ietripper, err := httputil.NewIgnoreUnhandledExtensionsRoundTripper(tp, oids)
+if err != nil {
+return nil, err
+}
+opts = append(opts, oidc.WithRoundTripper(ietripper))
+} else if config.OIDCDiscoveryCAPEM != "" {
+opts = append(opts, oidc.WithProviderCA(config.OIDCDiscoveryCAPEM))
+}
 c, err := oidc.NewConfig(config.OIDCDiscoveryURL, config.OIDCClientID,
 oidc.ClientSecret(config.OIDCClientSecret), supportedSigAlgs, []string{},
-oidc.WithProviderCA(config.OIDCDiscoveryCAPEM))
+opts...)
 if err != nil {
 return nil, errwrap.Wrapf("error creating provider: {{err}}", err)
 }
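Review bot: When `oidc_discovery_ca_pem` is set but `AppendCertsFromPEM` returns false, `tp` stays nil and the ignore-extensions round tripper is built without the configured CA, so a malformed PEM silently drops the operator's trust anchor instead of failing; the `else if` branch hands the same PEM to `oidc.WithProviderCA`, so the two paths do not treat a bad PEM the same way. Fail closed: `if !certPool.AppendCertsFromPEM([]byte(config.OIDCDiscoveryCAPEM)) { return nil, errors.New("error creating provider: could not parse oidc_discovery_ca_pem") }` and only then build the transport. Two smaller points: the bare `&http.Transport{TLSClientConfig: ...}` carries none of the defaults of the go-cleanhttp package this file imports (presumably proxy and timeout settings — worth confirming against what the rest of the file uses), and the `NewIgnoreUnhandledExtensionsRoundTripper` error is returned unwrapped while its siblings use the `error creating provider: {{err}}` prefix. createProvider begins and ends outside the hunk.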
@@ -440,21 +484,22 @@ func (b *jwtAuthBackend) validateJWKSURL(ctx context.Context, JWKSURL, JWKSCAPEM
 }
 type jwtConfig struct {
-OIDCDiscoveryURL string `json:"oidc_discovery_url"`
-OIDCDiscoveryCAPEM string `json:"oidc_discovery_ca_pem"`
-OIDCClientID string `json:"oidc_client_id"`
-OIDCClientSecret string `json:"oidc_client_secret"`
-OIDCResponseMode string `json:"oidc_response_mode"`
-OIDCResponseTypes []string `json:"oidc_response_types"`
-JWKSURL string `json:"jwks_url"`
-JWKSCAPEM string `json:"jwks_ca_pem"`
-JWKSPairs []interface{} `json:"jwks_pairs"`
-JWTValidationPubKeys []string `json:"jwt_validation_pubkeys"`
-JWTSupportedAlgs []string `json:"jwt_supported_algs"`
-BoundIssuer string `json:"bound_issuer"`
-DefaultRole string `json:"default_role"`
-ProviderConfig map[string]interface{} `json:"provider_config"`
-NamespaceInState bool `json:"namespace_in_state"`
+OIDCDiscoveryURL string `json:"oidc_discovery_url"`
+OIDCDiscoveryCAPEM string `json:"oidc_discovery_ca_pem"`
+OIDCClientID string `json:"oidc_client_id"`
+OIDCClientSecret string `json:"oidc_client_secret"`
+OIDCResponseMode string `json:"oidc_response_mode"`
+OIDCResponseTypes []string `json:"oidc_response_types"`
+JWKSURL string `json:"jwks_url"`
+JWKSCAPEM string `json:"jwks_ca_pem"`
+JWKSPairs []interface{} `json:"jwks_pairs"`
+JWTValidationPubKeys []string `json:"jwt_validation_pubkeys"`
+JWTSupportedAlgs []string `json:"jwt_supported_algs"`
+BoundIssuer string `json:"bound_issuer"`
+DefaultRole string `json:"default_role"`
+ProviderConfig map[string]interface{} `json:"provider_config"`
+NamespaceInState bool `json:"namespace_in_state"`
+UnsupportedCriticalCertExtensions []string `json:"unsupported_critical_cert_extensions"`
 ParsedJWTPubKeys []crypto.PublicKey `json:"-"`
 }
diff --git a/path_config_test.go b/path_config_test.go
index 32f3059b..68f5b023 100644
--- a/path_config_test.go
+++ b/path_config_test.go
@@ -20,20 +20,21 @@ func TestConfig_JWT_Read(t *testing.T) {
 b, storage := getBackend(t)
 data := map[string]interface{}{
-"oidc_discovery_url": "",
-"oidc_discovery_ca_pem": "",
-"oidc_client_id": "",
-"oidc_response_mode": "",
-"oidc_response_types": []string{},
-"default_role": "",
-"jwt_validation_pubkeys": []string{testJWTPubKey},
-"jwt_supported_algs": []string{},
-"jwks_url": "",
-"jwks_ca_pem": "",
-"jwks_pairs": []interface{}{},
-"bound_issuer": "http://vault.example.com/",
-"provider_config": map[string]interface{}{},
-"namespace_in_state": false,
+"oidc_discovery_url": "",
+"oidc_discovery_ca_pem": "",
+"oidc_client_id": "",
+"oidc_response_mode": "",
+"oidc_response_types": []string{},
+"default_role": "",
+"jwt_validation_pubkeys": []string{testJWTPubKey},
+"jwt_supported_algs": []string{},
+"jwks_url": "",
+"jwks_ca_pem": "",
+"jwks_pairs": []interface{}{},
+"bound_issuer": "http://vault.example.com/",
+"provider_config": map[string]interface{}{},
+"namespace_in_state": false,
+"unsupported_critical_cert_extensions": []string{},
 }
 req := &logical.Request{
@@ -136,14 +137,15 @@ func TestConfig_JWT_Write(t *testing.T) {
 }
 expected := &jwtConfig{
-ParsedJWTPubKeys: []crypto.PublicKey{pubkey},
-JWTValidationPubKeys: []string{testJWTPubKey},
-JWTSupportedAlgs: []string{},
-OIDCResponseTypes: []string{},
-JWKSPairs: []interface{}{},
-BoundIssuer: "http://vault.example.com/",
-ProviderConfig: map[string]interface{}{},
-NamespaceInState: true,
+ParsedJWTPubKeys: []crypto.PublicKey{pubkey},
+JWTValidationPubKeys: []string{testJWTPubKey},
+JWTSupportedAlgs: []string{},
+OIDCResponseTypes: []string{},
+JWKSPairs: []interface{}{},
+BoundIssuer: "http://vault.example.com/",
+ProviderConfig: map[string]interface{}{},
+NamespaceInState: true,
+UnsupportedCriticalCertExtensions: []string{},
 }
 conf, err := b.(*jwtAuthBackend).config(context.Background(), storage)
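Review bot: None of the updated expectations in this file exercise the new option: every hunk here and in the later ones only adds `"unsupported_critical_cert_extensions": []string{}` (or the matching empty struct field) to an existing fixture, so the `certutil.StringToOid` validation in pathConfigWrite and the round-tripper branch in createProvider run with an empty list in every test. Add at least one write case with a malformed entry (a constructed value such as `"not.an.oid"`) asserting the `error parsing extension OID` response, and one with a syntactically valid OID asserting it is stored and returned by the read path. The enclosing test functions start and end outside the hunks.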
@@ -246,20 +248,21 @@ func TestConfig_JWKS_Update(t *testing.T) { } data := map[string]interface{}{ - "jwks_url": s.server.URL + "/certs", - "jwks_ca_pem": cert, - "jwks_pairs": []interface{}{}, - "oidc_discovery_url": "", - "oidc_discovery_ca_pem": "", - "oidc_client_id": "", - "oidc_response_mode": "form_post", - "oidc_response_types": []string{}, - "default_role": "", - "jwt_validation_pubkeys": []string{}, - "jwt_supported_algs": []string{}, - "bound_issuer": "", - "provider_config": map[string]interface{}{}, - "namespace_in_state": false, + "jwks_url": s.server.URL + "/certs", + "jwks_ca_pem": cert, + "jwks_pairs": []interface{}{}, + "oidc_discovery_url": "", + "oidc_discovery_ca_pem": "", + "oidc_client_id": "", + "oidc_response_mode": "form_post", + "oidc_response_types": []string{}, + "default_role": "", + "jwt_validation_pubkeys": []string{}, + "jwt_supported_algs": []string{}, + "bound_issuer": "", + "provider_config": map[string]interface{}{}, + "namespace_in_state": false, + "unsupported_critical_cert_extensions": []string{}, } req := &logical.Request{ 
@@ -380,17 +383,18 @@ func TestConfig_JWKS_Pairs_Update(t *testing.T) { map[string]interface{}{"jwks_url": s.server.URL + "/certs", "jwks_ca_pem": cert}, map[string]interface{}{"jwks_url": s2.server.URL + "/certs", "jwks_ca_pem": cert2}, }, - "oidc_discovery_url": "", - "oidc_discovery_ca_pem": "", - "oidc_client_id": "", - "oidc_response_mode": "form_post", - "oidc_response_types": []string{}, - "default_role": "", - "jwt_validation_pubkeys": []string{}, - "jwt_supported_algs": []string{}, - "bound_issuer": "", - "provider_config": map[string]interface{}{}, - "namespace_in_state": false, + "oidc_discovery_url": "", + "oidc_discovery_ca_pem": "", + "oidc_client_id": "", + "oidc_response_mode": "form_post", + "oidc_response_types": []string{}, + "default_role": "", + "jwt_validation_pubkeys": []string{}, + "jwt_supported_algs": []string{}, + "bound_issuer": "", + "provider_config": map[string]interface{}{}, + "namespace_in_state": false, + "unsupported_critical_cert_extensions": []string{}, } req := &logical.Request{ @@ -576,15 +580,16 @@ func TestConfig_OIDC_Write(t *testing.T) { } expected := &jwtConfig{ - JWTValidationPubKeys: []string{}, - JWTSupportedAlgs: []string{}, - JWKSPairs: []interface{}{}, - OIDCResponseTypes: []string{}, - OIDCDiscoveryURL: "https://team-vault.auth0.com/", - OIDCClientID: "abc", - OIDCClientSecret: "def", - ProviderConfig: map[string]interface{}{}, - NamespaceInState: true, + JWTValidationPubKeys: []string{}, + JWTSupportedAlgs: []string{}, + JWKSPairs: []interface{}{}, + OIDCResponseTypes: []string{}, + OIDCDiscoveryURL: "https://team-vault.auth0.com/", + OIDCClientID: "abc", + OIDCClientSecret: "def", + ProviderConfig: map[string]interface{}{}, + NamespaceInState: true, + UnsupportedCriticalCertExtensions: []string{}, } conf, err := b.(*jwtAuthBackend).config(context.Background(), storage) 
@@ -660,6 +665,10 @@ func TestConfig_OIDC_Write_ProviderConfig(t *testing.T) { "provider": "azure", "extraOptions": "abound", }, + "unsupported_critical_cert_extensions": []string{ + "2.5.29.54", + "2.5.29.36", + }, } resp, err := b.HandleRequest(context.Background(), req) @@ -678,6 +687,10 @@ func TestConfig_OIDC_Write_ProviderConfig(t *testing.T) { "extraOptions": "abound", }, NamespaceInState: true, + UnsupportedCriticalCertExtensions: []string{ + "2.5.29.54", + "2.5.29.36", + }, } conf, err := b.(*jwtAuthBackend).config(context.Background(), storage) @@ -729,13 +742,14 @@ func TestConfig_OIDC_Write_ProviderConfig(t *testing.T) { } expected := &jwtConfig{ - JWTValidationPubKeys: []string{}, - JWTSupportedAlgs: []string{}, - JWKSPairs: []interface{}{}, - OIDCResponseTypes: []string{}, - OIDCDiscoveryURL: "https://team-vault.auth0.com/", - ProviderConfig: map[string]interface{}{}, - NamespaceInState: true, + JWTValidationPubKeys: []string{}, + JWTSupportedAlgs: []string{}, + JWKSPairs: []interface{}{}, + OIDCResponseTypes: []string{}, + OIDCDiscoveryURL: "https://team-vault.auth0.com/", + ProviderConfig: map[string]interface{}{}, + NamespaceInState: true, + UnsupportedCriticalCertExtensions: []string{}, } conf, err := b.(*jwtAuthBackend).config(context.Background(), storage) 
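Review bot: The two hunks in `TestConfig_OIDC_Write_ProviderConfig` (@@ -660 and @@ -678) only pin that `unsupported_critical_cert_extensions` round-trips through storage; nothing in these hunks exercises a malformed entry or an update that omits the key and is expected to leave the stored list untouched. Assuming the write handler (not visible here) validates entries, a case submitting a constructed value such as `"not-an-oid"` and asserting an error response would pin that boundary, and a follow-up update without the key would pin the persistence behaviour. The remaining hunks on this file (@@ -20 through @@ -897) are gofmt realignment plus the new empty default and raise nothing on their own.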
@@ -760,13 +774,14 @@ func TestConfig_OIDC_Create_Namespace(t *testing.T) { "oidc_discovery_url": "https://team-vault.auth0.com/", }, expected: jwtConfig{ - OIDCDiscoveryURL: "https://team-vault.auth0.com/", - NamespaceInState: true, - OIDCResponseTypes: []string{}, - JWKSPairs: []interface{}{}, - JWTSupportedAlgs: []string{}, - JWTValidationPubKeys: []string{}, - ProviderConfig: map[string]interface{}{}, + OIDCDiscoveryURL: "https://team-vault.auth0.com/", + NamespaceInState: true, + OIDCResponseTypes: []string{}, + JWKSPairs: []interface{}{}, + JWTSupportedAlgs: []string{}, + JWTValidationPubKeys: []string{}, + ProviderConfig: map[string]interface{}{}, + UnsupportedCriticalCertExtensions: []string{}, }, }, "namespace_in_state true": { @@ -775,13 +790,14 @@ func TestConfig_OIDC_Create_Namespace(t *testing.T) { "namespace_in_state": true, }, expected: jwtConfig{ - OIDCDiscoveryURL: "https://team-vault.auth0.com/", - NamespaceInState: true, - OIDCResponseTypes: []string{}, - JWKSPairs: []interface{}{}, - JWTSupportedAlgs: []string{}, - JWTValidationPubKeys: []string{}, - ProviderConfig: map[string]interface{}{}, + OIDCDiscoveryURL: "https://team-vault.auth0.com/", + NamespaceInState: true, + OIDCResponseTypes: []string{}, + JWKSPairs: []interface{}{}, + JWTSupportedAlgs: []string{}, + JWTValidationPubKeys: []string{}, + ProviderConfig: map[string]interface{}{}, + UnsupportedCriticalCertExtensions: []string{}, }, }, "namespace_in_state false": { 
@@ -790,13 +806,14 @@ func TestConfig_OIDC_Create_Namespace(t *testing.T) { "namespace_in_state": false, }, expected: jwtConfig{ - OIDCDiscoveryURL: "https://team-vault.auth0.com/", - NamespaceInState: false, - OIDCResponseTypes: []string{}, - JWKSPairs: []interface{}{}, - JWTSupportedAlgs: []string{}, - JWTValidationPubKeys: []string{}, - ProviderConfig: map[string]interface{}{}, + OIDCDiscoveryURL: "https://team-vault.auth0.com/", + NamespaceInState: false, + OIDCResponseTypes: []string{}, + JWKSPairs: []interface{}{}, + JWTSupportedAlgs: []string{}, + JWTValidationPubKeys: []string{}, + ProviderConfig: map[string]interface{}{}, + UnsupportedCriticalCertExtensions: []string{}, }, }, } @@ -839,13 +856,14 @@ func TestConfig_OIDC_Update_Namespace(t *testing.T) { "namespace_in_state": true, }, expected: jwtConfig{ - OIDCDiscoveryURL: "https://team-vault.auth0.com/", - NamespaceInState: true, - OIDCResponseTypes: []string{}, - JWKSPairs: []interface{}{}, - JWTSupportedAlgs: []string{}, - JWTValidationPubKeys: []string{}, - ProviderConfig: map[string]interface{}{}, + OIDCDiscoveryURL: "https://team-vault.auth0.com/", + NamespaceInState: true, + OIDCResponseTypes: []string{}, + JWKSPairs: []interface{}{}, + JWTSupportedAlgs: []string{}, + JWTValidationPubKeys: []string{}, + ProviderConfig: map[string]interface{}{}, + UnsupportedCriticalCertExtensions: []string{}, }, }, "existing false, update something else": { 
@@ -858,14 +876,15 @@ func TestConfig_OIDC_Update_Namespace(t *testing.T) { "default_role": "ui", }, expected: jwtConfig{ - OIDCDiscoveryURL: "https://team-vault.auth0.com/", - NamespaceInState: false, - DefaultRole: "ui", - OIDCResponseTypes: []string{}, - JWKSPairs: []interface{}{}, - JWTSupportedAlgs: []string{}, - JWTValidationPubKeys: []string{}, - ProviderConfig: map[string]interface{}{}, + OIDCDiscoveryURL: "https://team-vault.auth0.com/", + NamespaceInState: false, + DefaultRole: "ui", + OIDCResponseTypes: []string{}, + JWKSPairs: []interface{}{}, + JWTSupportedAlgs: []string{}, + JWTValidationPubKeys: []string{}, + ProviderConfig: map[string]interface{}{}, + UnsupportedCriticalCertExtensions: []string{}, }, }, "existing true, update to false": { @@ -878,13 +897,14 @@ func TestConfig_OIDC_Update_Namespace(t *testing.T) { "namespace_in_state": false, }, expected: jwtConfig{ - OIDCDiscoveryURL: "https://team-vault.auth0.com/", - NamespaceInState: false, - OIDCResponseTypes: []string{}, - JWKSPairs: []interface{}{}, - JWTSupportedAlgs: []string{}, - JWTValidationPubKeys: []string{}, - ProviderConfig: map[string]interface{}{}, + OIDCDiscoveryURL: "https://team-vault.auth0.com/", + NamespaceInState: false, + OIDCResponseTypes: []string{}, + JWKSPairs: []interface{}{}, + JWTSupportedAlgs: []string{}, + JWTValidationPubKeys: []string{}, + ProviderConfig: map[string]interface{}{}, + UnsupportedCriticalCertExtensions: []string{}, }, }, "existing true, update something else": { 
@@ -897,14 +917,15 @@ func TestConfig_OIDC_Update_Namespace(t *testing.T) { "default_role": "ui", }, expected: jwtConfig{ - OIDCDiscoveryURL: "https://team-vault.auth0.com/", - NamespaceInState: true, - DefaultRole: "ui", - OIDCResponseTypes: []string{}, - JWKSPairs: []interface{}{}, - JWTSupportedAlgs: []string{}, - JWTValidationPubKeys: []string{}, - ProviderConfig: map[string]interface{}{}, + OIDCDiscoveryURL: "https://team-vault.auth0.com/", + NamespaceInState: true, + DefaultRole: "ui", + OIDCResponseTypes: []string{}, + JWKSPairs: []interface{}{}, + JWTSupportedAlgs: []string{}, + JWTValidationPubKeys: []string{}, + ProviderConfig: map[string]interface{}{}, + UnsupportedCriticalCertExtensions: []string{}, }, }, } diff --git a/path_login_test.go b/path_login_test.go index d949a8d7..f6e54e35 100644 --- a/path_login_test.go +++ b/path_login_test.go @@ -63,6 +63,10 @@ func setupBackend(t *testing.T, cfg testConfig) (closeableBackend, logical.Stora data = map[string]interface{}{ "bound_issuer": "https://team-vault.auth0.com/", "oidc_discovery_url": "https://team-vault.auth0.com/", + "unsupported_critical_cert_extensions": []string{ + "2.5.29.54", + "2.5.29.36", + }, } } else { if !cfg.jwks { diff --git a/path_oidc_test.go b/path_oidc_test.go index 2b66a1ac..776a4b5e 100644 --- a/path_oidc_test.go +++ b/path_oidc_test.go @@ -41,6 +41,10 @@ func TestOIDC_AuthURL(t *testing.T) { "oidc_client_secret": "def", "default_role": "test", "bound_issuer": "http://vault.example.com/", + "unsupported_critical_cert_extensions": []string{ + "2.5.29.54", + "2.5.29.36", + }, } // basic configuration
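Review bot: Hard-coding `2.5.29.54` and `2.5.29.36` into the OIDC branch of `setupBackend` in path_login_test.go means every login test built on that branch now runs with the relaxed-verification setting, and the default empty-list path gets no login coverage from this fixture; the same literal list is repeated in path_oidc_test.go and twice in path_config_test.go. A `testConfig` field that opts a test into the list, or a single package-level `var testUnsupportedCriticalExts = []string{"2.5.29.54", "2.5.29.36"}` referenced from all four sites, would let tests choose the setting and keep the values from drifting. `setupBackend` and the enclosing if/else start outside this hunk, so I cannot see whether that branch is already gated on a `testConfig` flag.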