Update Bound Audiences Breaking Change Description for 1.16.x (#1126)

This PR updates the "Important Changes" section for the 1.16.x release
line to provide a clearer and more detailed explanation of how audience
(aud) claims validation works in the JWT auth plugin.

The goal of this clarification is to help users who may have been
unintentionally affected by the stricter validation behavior introduced
and later reverted in certain versions.

Author: jaireddjawed

content/vault/v1.16.x/content/docs/upgrading/upgrade-to-1.16.x.mdx

@@ -12,7 +12,7 @@ The Vault 1.16.x upgrade guide contains information on deprecations, important
 or breaking changes, and remediation recommendations for anyone upgrading from
 Vault 1.15. **Please read carefully**.
 
-## Breakding changes
+## Breaking changes
 
 @include '../../../global/partials/important-changes/breaking-changes/cve-2025-6000.mdx'
 

content/vault/v1.16.x/content/partials/known-issues/1_16-jwt_auth_bound_audiences.mdx

@@ -8,24 +8,50 @@
 - 1.16.4
 
 #### Issue
-A behavior change was made in the jwt auth plugin to address CVE-2024-5798.
-Since the behavior change was a breaking change, we reverted the change in
-the versions after 1.15.10 and 1.16.4. However, the behavior change will go
-into effect in 1.17.
-
-The new behavior requires that the `bound_audiences` parameter of "jwt" roles
-**must** match at least one of the JWT's associated `aud` claims. The `aud`
-claim can be a single string or a list of strings as per
+
+A behavior change was introduced in the **JWT auth plugin** to address **CVE-2024-5798**.
+Because this change introduced breaking behavior, it was **reverted** in versions **after 1.15.10 and 1.16.4**.
+However, the change was **reintroduced in version 1.17+**.
+
+The updated behavior enforces stricter validation of the `bound_audiences` parameter in JWT roles.
+
+- The `bound_audiences` parameter **must** match at least one of the JWT’s `aud` (audience) claims.
+- The `aud` claim can be a single string or an array of strings, as defined in
 [RFC 7519 Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3).
 
-Users may not be able to log into Vault if the JWT role is configured
-incorrectly. For additional details, refer to the
+Once a JWT is confirmed to be properly signed and not expired, Vault performs additional authorization checks to ensure that configured “bound”
+parameters match the corresponding claims in the token.
+
+For **roles of type `jwt`**:
+
+- The `bound_audiences` parameter is **required** when an `aud` claim is present.
+- The value of `bound_audiences` must **exactly match** at least one of the provided `aud` claims.
+
+Additionally, roles can validate arbitrary claim values using the `bound_claims` map.
+
+```json
+{
+  "division": "Europe",
+  "department": "Engineering"
+}
+```
+
+Only JWTs containing both the "division" and "department" claims, and respective matching values of "Europe" and "Engineering", would be authorized.
+If the expected value is a list, the claim must match one of the items in the list. To limit authorization to a set of email addresses:
+
+```json
+{
+  "email": ["fred@example.com", "julie@example.com"]
+}
+```
+
+For additional details, refer to the
 [JWT auth method (API)](/vault/api-docs/auth/jwt) documentation.
 
 See this [issue](https://github.com/hashicorp/vault/issues/27343) for more details.
 
 #### Workaround
 
 Configure the `bound_audiences` parameter of "jwt" roles to match at least one
-of the JWT's associated `aud` claims. This configuratoin will be required for
+of the JWT's associated `aud` claims. This configuration will be required for
 1.17 and later.