Package io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3

Class JwtProvider.Builder

java.lang.Object
com.google.protobuf.AbstractMessageLite.Builder
com.google.protobuf.AbstractMessage.Builder<BuilderT>
com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>
io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3.JwtProvider.Builder
All Implemented Interfaces:
com.google.protobuf.Message.Builder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, JwtProviderOrBuilder, Cloneable
Enclosing class:
JwtProvider
public static final class JwtProvider.Builder extends com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder> implements JwtProviderOrBuilder
 Please see following for JWT authentication flow:

 * `JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>`_
 * `The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>`_
 * `OpenID Connect <http://openid.net/connect>`_

 A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:

 * issuer: the principal that issues the JWT. If specified, it has to match the ``iss`` field in JWT.
 * allowed audiences: the ones in the token have to be listed here.
 * how to fetch public key JWKS to verify the token signature.
 * how to extract the JWT in the request.
 * how to pass successfully verified token payload.

 Example:

 .. code-block:: yaml

     issuer: https://example.com
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
     remote_jwks:
       http_uri:
         uri: https://example.com/.well-known/jwks.json
         cluster: example_jwks_cluster
         timeout: 1s
       cache_duration:
         seconds: 300

 [#next-free-field: 22]
Protobuf type envoy.extensions.filters.http.jwt_authn.v3.JwtProvider

  • Method Details

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

    • clear

      public JwtProvider.Builder clear()
      Specified by:
      clear in interface com.google.protobuf.Message.Builder
      Specified by:
      clear in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clear in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

    • getDescriptorForType

      public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
      Specified by:
      getDescriptorForType in interface com.google.protobuf.Message.Builder
      Specified by:
      getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
      Overrides:
      getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

    • getDefaultInstanceForType

      public JwtProvider getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder

    • build

      public JwtProvider build()
      Specified by:
      build in interface com.google.protobuf.Message.Builder
      Specified by:
      build in interface com.google.protobuf.MessageLite.Builder

    • buildPartial

      public JwtProvider buildPartial()
      Specified by:
      buildPartial in interface com.google.protobuf.Message.Builder
      Specified by:
      buildPartial in interface com.google.protobuf.MessageLite.Builder

    • clone

      public JwtProvider.Builder clone()
      Specified by:
      clone in interface com.google.protobuf.Message.Builder
      Specified by:
      clone in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clone in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

    • setField

      public JwtProvider.Builder setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
      Specified by:
      setField in interface com.google.protobuf.Message.Builder
      Overrides:
      setField in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

    • clearField

      public JwtProvider.Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field)
      Specified by:
      clearField in interface com.google.protobuf.Message.Builder
      Overrides:
      clearField in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

    • clearOneof

      public JwtProvider.Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)
      Specified by:
      clearOneof in interface com.google.protobuf.Message.Builder
      Overrides:
      clearOneof in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

    • setRepeatedField

      public JwtProvider.Builder setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value)
      Specified by:
      setRepeatedField in interface com.google.protobuf.Message.Builder
      Overrides:
      setRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

    • addRepeatedField

      public JwtProvider.Builder addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
      Specified by:
      addRepeatedField in interface com.google.protobuf.Message.Builder
      Overrides:
      addRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

    • mergeFrom

      public JwtProvider.Builder mergeFrom(com.google.protobuf.Message other)
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<JwtProvider.Builder>

    • mergeFrom

      public JwtProvider.Builder mergeFrom(JwtProvider other)

    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

    • mergeFrom

      public JwtProvider.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Specified by:
      mergeFrom in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<JwtProvider.Builder>
      Throws:
      IOException

    • getJwksSourceSpecifierCase

      public JwtProvider.JwksSourceSpecifierCase getJwksSourceSpecifierCase()
      Specified by:
      getJwksSourceSpecifierCase in interface JwtProviderOrBuilder

    • clearJwksSourceSpecifier

      public JwtProvider.Builder clearJwksSourceSpecifier()

    • getIssuer

      public String getIssuer()
       Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.

 It is optional. If specified, it has to match the ``iss`` field in JWT,
 otherwise the JWT ``iss`` field is not checked.

 .. note::
     ``JwtRequirement`` :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
     and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
     are implemented differently than other ``JwtRequirements``. Hence the usage of this field
     is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used:

     * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``.
     * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty.
     * Multiple ``JwtProviders`` should not have same value in this field.

 Examples:

 * https://securetoken.google.com
 * Example: 1234567-compute@developer.gserviceaccount.com
      string issuer = 1;
      Specified by:
      getIssuer in interface JwtProviderOrBuilder
      Returns:
      The issuer.

    • getIssuerBytes

      public com.google.protobuf.ByteString getIssuerBytes()
       Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.

 It is optional. If specified, it has to match the ``iss`` field in JWT,
 otherwise the JWT ``iss`` field is not checked.

 .. note::
     ``JwtRequirement`` :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
     and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
     are implemented differently than other ``JwtRequirements``. Hence the usage of this field
     is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used:

     * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``.
     * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty.
     * Multiple ``JwtProviders`` should not have same value in this field.

 Examples:

 * https://securetoken.google.com
 * Example: 1234567-compute@developer.gserviceaccount.com
      string issuer = 1;
      Specified by:
      getIssuerBytes in interface JwtProviderOrBuilder
      Returns:
      The bytes for issuer.

    • setIssuer

      public JwtProvider.Builder setIssuer(String value)
       Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.

 It is optional. If specified, it has to match the ``iss`` field in JWT,
 otherwise the JWT ``iss`` field is not checked.

 .. note::
     ``JwtRequirement`` :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
     and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
     are implemented differently than other ``JwtRequirements``. Hence the usage of this field
     is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used:

     * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``.
     * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty.
     * Multiple ``JwtProviders`` should not have same value in this field.

 Examples:

 * https://securetoken.google.com
 * Example: 1234567-compute@developer.gserviceaccount.com
      string issuer = 1;
      Parameters:
      value - The issuer to set.
      Returns:
      This builder for chaining.

    • clearIssuer

      public JwtProvider.Builder clearIssuer()
       Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.

 It is optional. If specified, it has to match the ``iss`` field in JWT,
 otherwise the JWT ``iss`` field is not checked.

 .. note::
     ``JwtRequirement`` :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
     and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
     are implemented differently than other ``JwtRequirements``. Hence the usage of this field
     is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used:

     * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``.
     * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty.
     * Multiple ``JwtProviders`` should not have same value in this field.

 Examples:

 * https://securetoken.google.com
 * Example: 1234567-compute@developer.gserviceaccount.com
      string issuer = 1;
      Returns:
      This builder for chaining.

    • setIssuerBytes

      public JwtProvider.Builder setIssuerBytes(com.google.protobuf.ByteString value)
       Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.

 It is optional. If specified, it has to match the ``iss`` field in JWT,
 otherwise the JWT ``iss`` field is not checked.

 .. note::
     ``JwtRequirement`` :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
     and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
     are implemented differently than other ``JwtRequirements``. Hence the usage of this field
     is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used:

     * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``.
     * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty.
     * Multiple ``JwtProviders`` should not have same value in this field.

 Examples:

 * https://securetoken.google.com
 * Example: 1234567-compute@developer.gserviceaccount.com
      string issuer = 1;
      Parameters:
      value - The bytes for issuer to set.
      Returns:
      This builder for chaining.

    • getAudiencesList

      public com.google.protobuf.ProtocolStringList getAudiencesList()
       The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.

 Example:

 .. code-block:: yaml

     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
      repeated string audiences = 2;
      Specified by:
      getAudiencesList in interface JwtProviderOrBuilder
      Returns:
      A list containing the audiences.

    • getAudiencesCount

      public int getAudiencesCount()
       The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.

 Example:

 .. code-block:: yaml

     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
      repeated string audiences = 2;
      Specified by:
      getAudiencesCount in interface JwtProviderOrBuilder
      Returns:
      The count of audiences.

    • getAudiences

      public String getAudiences(int index)
       The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.

 Example:

 .. code-block:: yaml

     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
      repeated string audiences = 2;
      Specified by:
      getAudiences in interface JwtProviderOrBuilder
      Parameters:
      index - The index of the element to return.
      Returns:
      The audiences at the given index.

    • getAudiencesBytes

      public com.google.protobuf.ByteString getAudiencesBytes(int index)
       The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.

 Example:

 .. code-block:: yaml

     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
      repeated string audiences = 2;
      Specified by:
      getAudiencesBytes in interface JwtProviderOrBuilder
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the audiences at the given index.

    • setAudiences

      public JwtProvider.Builder setAudiences(int index, String value)
       The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.

 Example:

 .. code-block:: yaml

     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
      repeated string audiences = 2;
      Parameters:
      index - The index to set the value at.
      value - The audiences to set.
      Returns:
      This builder for chaining.

    • addAudiences

      public JwtProvider.Builder addAudiences(String value)
       The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.

 Example:

 .. code-block:: yaml

     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
      repeated string audiences = 2;
      Parameters:
      value - The audiences to add.
      Returns:
      This builder for chaining.

    • addAllAudiences

      public JwtProvider.Builder addAllAudiences(Iterable<String> values)
       The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.

 Example:

 .. code-block:: yaml

     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
      repeated string audiences = 2;
      Parameters:
      values - The audiences to add.
      Returns:
      This builder for chaining.

    • clearAudiences

      public JwtProvider.Builder clearAudiences()
       The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.

 Example:

 .. code-block:: yaml

     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
      repeated string audiences = 2;
      Returns:
      This builder for chaining.

    • addAudiencesBytes

      public JwtProvider.Builder addAudiencesBytes(com.google.protobuf.ByteString value)
       The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.

 Example:

 .. code-block:: yaml

     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
      repeated string audiences = 2;
      Parameters:
      value - The bytes of the audiences to add.
      Returns:
      This builder for chaining.

    • hasSubjects

      public boolean hasSubjects()
       Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_
 that the JwtProvider can assert. For instance, this could implement JWT-SVID
 `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_.
 If not specified, will not check subjects in the token.

 Example:

 .. code-block:: yaml

     subjects:
       prefix: spiffe://spiffe.example.com/
      .envoy.type.matcher.v3.StringMatcher subjects = 19;
      Specified by:
      hasSubjects in interface JwtProviderOrBuilder
      Returns:
      Whether the subjects field is set.

    • getSubjects

      public StringMatcher getSubjects()
       Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_
 that the JwtProvider can assert. For instance, this could implement JWT-SVID
 `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_.
 If not specified, will not check subjects in the token.

 Example:

 .. code-block:: yaml

     subjects:
       prefix: spiffe://spiffe.example.com/
      .envoy.type.matcher.v3.StringMatcher subjects = 19;
      Specified by:
      getSubjects in interface JwtProviderOrBuilder
      Returns:
      The subjects.

    • setSubjects

      public JwtProvider.Builder setSubjects(StringMatcher value)
       Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_
 that the JwtProvider can assert. For instance, this could implement JWT-SVID
 `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_.
 If not specified, will not check subjects in the token.

 Example:

 .. code-block:: yaml

     subjects:
       prefix: spiffe://spiffe.example.com/
      .envoy.type.matcher.v3.StringMatcher subjects = 19;

    • setSubjects

      public JwtProvider.Builder setSubjects(StringMatcher.Builder builderForValue)
       Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_
 that the JwtProvider can assert. For instance, this could implement JWT-SVID
 `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_.
 If not specified, will not check subjects in the token.

 Example:

 .. code-block:: yaml

     subjects:
       prefix: spiffe://spiffe.example.com/
      .envoy.type.matcher.v3.StringMatcher subjects = 19;

    • mergeSubjects

      public JwtProvider.Builder mergeSubjects(StringMatcher value)
       Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_
 that the JwtProvider can assert. For instance, this could implement JWT-SVID
 `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_.
 If not specified, will not check subjects in the token.

 Example:

 .. code-block:: yaml

     subjects:
       prefix: spiffe://spiffe.example.com/
      .envoy.type.matcher.v3.StringMatcher subjects = 19;

    • clearSubjects

      public JwtProvider.Builder clearSubjects()
       Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_
 that the JwtProvider can assert. For instance, this could implement JWT-SVID
 `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_.
 If not specified, will not check subjects in the token.

 Example:

 .. code-block:: yaml

     subjects:
       prefix: spiffe://spiffe.example.com/
      .envoy.type.matcher.v3.StringMatcher subjects = 19;

    • getSubjectsBuilder

      public StringMatcher.Builder getSubjectsBuilder()
       Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_
 that the JwtProvider can assert. For instance, this could implement JWT-SVID
 `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_.
 If not specified, will not check subjects in the token.

 Example:

 .. code-block:: yaml

     subjects:
       prefix: spiffe://spiffe.example.com/
      .envoy.type.matcher.v3.StringMatcher subjects = 19;

    • getSubjectsOrBuilder

      public StringMatcherOrBuilder getSubjectsOrBuilder()
       Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_
 that the JwtProvider can assert. For instance, this could implement JWT-SVID
 `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_.
 If not specified, will not check subjects in the token.

 Example:

 .. code-block:: yaml

     subjects:
       prefix: spiffe://spiffe.example.com/
      .envoy.type.matcher.v3.StringMatcher subjects = 19;
      Specified by:
      getSubjectsOrBuilder in interface JwtProviderOrBuilder

    • getRequireExpiration

      public boolean getRequireExpiration()
       Requires that the credential contains an `expiration <https://tools.ietf.org/html/rfc7519#section-4.1.4>`_.
 For instance, this could implement JWT-SVID
 `expiration restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#33-expiration-time>`_.
 Unlike ``max_lifetime``, this only requires that expiration is present, where ``max_lifetime`` also checks the value.

 Example:

 .. code-block:: yaml

     require_expiration: true
      bool require_expiration = 20;
      Specified by:
      getRequireExpiration in interface JwtProviderOrBuilder
      Returns:
      The requireExpiration.

    • setRequireExpiration

      public JwtProvider.Builder setRequireExpiration(boolean value)
       Requires that the credential contains an `expiration <https://tools.ietf.org/html/rfc7519#section-4.1.4>`_.
 For instance, this could implement JWT-SVID
 `expiration restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#33-expiration-time>`_.
 Unlike ``max_lifetime``, this only requires that expiration is present, where ``max_lifetime`` also checks the value.

 Example:

 .. code-block:: yaml

     require_expiration: true
      bool require_expiration = 20;
      Parameters:
      value - The requireExpiration to set.
      Returns:
      This builder for chaining.

    • clearRequireExpiration

      public JwtProvider.Builder clearRequireExpiration()
       Requires that the credential contains an `expiration <https://tools.ietf.org/html/rfc7519#section-4.1.4>`_.
 For instance, this could implement JWT-SVID
 `expiration restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#33-expiration-time>`_.
 Unlike ``max_lifetime``, this only requires that expiration is present, where ``max_lifetime`` also checks the value.

 Example:

 .. code-block:: yaml

     require_expiration: true
      bool require_expiration = 20;
      Returns:
      This builder for chaining.

    • hasMaxLifetime

      public boolean hasMaxLifetime()
       Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime
 is the difference between the current time and the expiration of the credential. For instance,
 the following example will reject credentials that have a lifetime longer than 24 hours. If not set,
 expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence
 over ``require_expiration``.

 Example:

 .. code-block:: yaml

     max_lifetime:
       seconds: 86400
      .google.protobuf.Duration max_lifetime = 21;
      Specified by:
      hasMaxLifetime in interface JwtProviderOrBuilder
      Returns:
      Whether the maxLifetime field is set.

    • getMaxLifetime

      public com.google.protobuf.Duration getMaxLifetime()
       Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime
 is the difference between the current time and the expiration of the credential. For instance,
 the following example will reject credentials that have a lifetime longer than 24 hours. If not set,
 expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence
 over ``require_expiration``.

 Example:

 .. code-block:: yaml

     max_lifetime:
       seconds: 86400
      .google.protobuf.Duration max_lifetime = 21;
      Specified by:
      getMaxLifetime in interface JwtProviderOrBuilder
      Returns:
      The maxLifetime.

    • setMaxLifetime

      public JwtProvider.Builder setMaxLifetime(com.google.protobuf.Duration value)
       Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime
 is the difference between the current time and the expiration of the credential. For instance,
 the following example will reject credentials that have a lifetime longer than 24 hours. If not set,
 expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence
 over ``require_expiration``.

 Example:

 .. code-block:: yaml

     max_lifetime:
       seconds: 86400
      .google.protobuf.Duration max_lifetime = 21;

    • setMaxLifetime

      public JwtProvider.Builder setMaxLifetime(com.google.protobuf.Duration.Builder builderForValue)
       Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime
 is the difference between the current time and the expiration of the credential. For instance,
 the following example will reject credentials that have a lifetime longer than 24 hours. If not set,
 expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence
 over ``require_expiration``.

 Example:

 .. code-block:: yaml

     max_lifetime:
       seconds: 86400
      .google.protobuf.Duration max_lifetime = 21;

    • mergeMaxLifetime

      public JwtProvider.Builder mergeMaxLifetime(com.google.protobuf.Duration value)
       Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime
 is the difference between the current time and the expiration of the credential. For instance,
 the following example will reject credentials that have a lifetime longer than 24 hours. If not set,
 expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence
 over ``require_expiration``.

 Example:

 .. code-block:: yaml

     max_lifetime:
       seconds: 86400
      .google.protobuf.Duration max_lifetime = 21;

    • clearMaxLifetime

      public JwtProvider.Builder clearMaxLifetime()
       Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime
 is the difference between the current time and the expiration of the credential. For instance,
 the following example will reject credentials that have a lifetime longer than 24 hours. If not set,
 expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence
 over ``require_expiration``.

 Example:

 .. code-block:: yaml

     max_lifetime:
       seconds: 86400
      .google.protobuf.Duration max_lifetime = 21;

    • getMaxLifetimeBuilder

      public com.google.protobuf.Duration.Builder getMaxLifetimeBuilder()
       Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime
 is the difference between the current time and the expiration of the credential. For instance,
 the following example will reject credentials that have a lifetime longer than 24 hours. If not set,
 expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence
 over ``require_expiration``.

 Example:

 .. code-block:: yaml

     max_lifetime:
       seconds: 86400
      .google.protobuf.Duration max_lifetime = 21;

    • getMaxLifetimeOrBuilder

      public com.google.protobuf.DurationOrBuilder getMaxLifetimeOrBuilder()
       Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime
 is the difference between the current time and the expiration of the credential. For instance,
 the following example will reject credentials that have a lifetime longer than 24 hours. If not set,
 expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence
 over ``require_expiration``.

 Example:

 .. code-block:: yaml

     max_lifetime:
       seconds: 86400
      .google.protobuf.Duration max_lifetime = 21;
      Specified by:
      getMaxLifetimeOrBuilder in interface JwtProviderOrBuilder

    • hasRemoteJwks

      public boolean hasRemoteJwks()
       JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.

 Example:

 .. code-block:: yaml

    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
      .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;
      Specified by:
      hasRemoteJwks in interface JwtProviderOrBuilder
      Returns:
      Whether the remoteJwks field is set.

    • getRemoteJwks

      public RemoteJwks getRemoteJwks()
       JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.

 Example:

 .. code-block:: yaml

    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
      .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;
      Specified by:
      getRemoteJwks in interface JwtProviderOrBuilder
      Returns:
      The remoteJwks.

    • setRemoteJwks

      public JwtProvider.Builder setRemoteJwks(RemoteJwks value)
       JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.

 Example:

 .. code-block:: yaml

    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
      .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;

    • setRemoteJwks

      public JwtProvider.Builder setRemoteJwks(RemoteJwks.Builder builderForValue)
       JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.

 Example:

 .. code-block:: yaml

    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
      .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;

    • mergeRemoteJwks

      public JwtProvider.Builder mergeRemoteJwks(RemoteJwks value)
       JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.

 Example:

 .. code-block:: yaml

    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
      .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;

    • clearRemoteJwks

      public JwtProvider.Builder clearRemoteJwks()
       JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.

 Example:

 .. code-block:: yaml

    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
      .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;

    • getRemoteJwksBuilder

      public RemoteJwks.Builder getRemoteJwksBuilder()
       JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.

 Example:

 .. code-block:: yaml

    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
      .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;

    • getRemoteJwksOrBuilder

      public RemoteJwksOrBuilder getRemoteJwksOrBuilder()
       JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.

 Example:

 .. code-block:: yaml

    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
      .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;
      Specified by:
      getRemoteJwksOrBuilder in interface JwtProviderOrBuilder

    • hasLocalJwks

      public boolean hasLocalJwks()
       JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.

 Example: local file

 .. code-block:: yaml

    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt

 Example: inline_string

 .. code-block:: yaml

    local_jwks:
      inline_string: ACADADADADA
      .envoy.config.core.v3.DataSource local_jwks = 4;
      Specified by:
      hasLocalJwks in interface JwtProviderOrBuilder
      Returns:
      Whether the localJwks field is set.

    • getLocalJwks

      public DataSource getLocalJwks()
       JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.

 Example: local file

 .. code-block:: yaml

    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt

 Example: inline_string

 .. code-block:: yaml

    local_jwks:
      inline_string: ACADADADADA
      .envoy.config.core.v3.DataSource local_jwks = 4;
      Specified by:
      getLocalJwks in interface JwtProviderOrBuilder
      Returns:
      The localJwks.

    • setLocalJwks

      public JwtProvider.Builder setLocalJwks(DataSource value)
       JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.

 Example: local file

 .. code-block:: yaml

    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt

 Example: inline_string

 .. code-block:: yaml

    local_jwks:
      inline_string: ACADADADADA
      .envoy.config.core.v3.DataSource local_jwks = 4;

    • setLocalJwks

      public JwtProvider.Builder setLocalJwks(DataSource.Builder builderForValue)
       JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.

 Example: local file

 .. code-block:: yaml

    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt

 Example: inline_string

 .. code-block:: yaml

    local_jwks:
      inline_string: ACADADADADA
      .envoy.config.core.v3.DataSource local_jwks = 4;

    • mergeLocalJwks

      public JwtProvider.Builder mergeLocalJwks(DataSource value)
       JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.

 Example: local file

 .. code-block:: yaml

    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt

 Example: inline_string

 .. code-block:: yaml

    local_jwks:
      inline_string: ACADADADADA
      .envoy.config.core.v3.DataSource local_jwks = 4;

    • clearLocalJwks

      public JwtProvider.Builder clearLocalJwks()
       JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.

 Example: local file

 .. code-block:: yaml

    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt

 Example: inline_string

 .. code-block:: yaml

    local_jwks:
      inline_string: ACADADADADA
      .envoy.config.core.v3.DataSource local_jwks = 4;

    • getLocalJwksBuilder

      public DataSource.Builder getLocalJwksBuilder()
       JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.

 Example: local file

 .. code-block:: yaml

    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt

 Example: inline_string

 .. code-block:: yaml

    local_jwks:
      inline_string: ACADADADADA
      .envoy.config.core.v3.DataSource local_jwks = 4;

    • getLocalJwksOrBuilder

      public DataSourceOrBuilder getLocalJwksOrBuilder()
       JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.

 Example: local file

 .. code-block:: yaml

    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt

 Example: inline_string

 .. code-block:: yaml

    local_jwks:
      inline_string: ACADADADADA
      .envoy.config.core.v3.DataSource local_jwks = 4;
      Specified by:
      getLocalJwksOrBuilder in interface JwtProviderOrBuilder

    • getForward

      public boolean getForward()
       If false, the JWT is removed in the request after a success verification. If true, the JWT is
 not removed in the request. Default value is false.
 caveat: only works for from_header/from_params & has no effect for JWTs extracted through from_cookies.
      bool forward = 5;
      Specified by:
      getForward in interface JwtProviderOrBuilder
      Returns:
      The forward.

    • setForward

      public JwtProvider.Builder setForward(boolean value)
       If false, the JWT is removed in the request after a success verification. If true, the JWT is
 not removed in the request. Default value is false.
 caveat: only works for from_header/from_params & has no effect for JWTs extracted through from_cookies.
      bool forward = 5;
      Parameters:
      value - The forward to set.
      Returns:
      This builder for chaining.

    • clearForward

      public JwtProvider.Builder clearForward()
       If false, the JWT is removed in the request after a success verification. If true, the JWT is
 not removed in the request. Default value is false.
 caveat: only works for from_header/from_params & has no effect for JWTs extracted through from_cookies.
      bool forward = 5;
      Returns:
      This builder for chaining.

    • getFromHeadersList

      public List<JwtHeader> getFromHeadersList()
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
      Specified by:
      getFromHeadersList in interface JwtProviderOrBuilder

    • getFromHeadersCount

      public int getFromHeadersCount()
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
      Specified by:
      getFromHeadersCount in interface JwtProviderOrBuilder

    • getFromHeaders

      public JwtHeader getFromHeaders(int index)
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
      Specified by:
      getFromHeaders in interface JwtProviderOrBuilder

    • setFromHeaders

      public JwtProvider.Builder setFromHeaders(int index, JwtHeader value)
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • setFromHeaders

      public JwtProvider.Builder setFromHeaders(int index, JwtHeader.Builder builderForValue)
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • addFromHeaders

      public JwtProvider.Builder addFromHeaders(JwtHeader value)
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • addFromHeaders

      public JwtProvider.Builder addFromHeaders(int index, JwtHeader value)
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • addFromHeaders

      public JwtProvider.Builder addFromHeaders(JwtHeader.Builder builderForValue)
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • addFromHeaders

      public JwtProvider.Builder addFromHeaders(int index, JwtHeader.Builder builderForValue)
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • addAllFromHeaders

      public JwtProvider.Builder addAllFromHeaders(Iterable<? extends JwtHeader> values)
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • clearFromHeaders

      public JwtProvider.Builder clearFromHeaders()
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • removeFromHeaders

      public JwtProvider.Builder removeFromHeaders(int index)
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • getFromHeadersBuilder

      public JwtHeader.Builder getFromHeadersBuilder(int index)
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • getFromHeadersOrBuilder

      public JwtHeaderOrBuilder getFromHeadersOrBuilder(int index)
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
      Specified by:
      getFromHeadersOrBuilder in interface JwtProviderOrBuilder

    • getFromHeadersOrBuilderList

      public List<? extends JwtHeaderOrBuilder> getFromHeadersOrBuilderList()
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
      Specified by:
      getFromHeadersOrBuilderList in interface JwtProviderOrBuilder

    • addFromHeadersBuilder

      public JwtHeader.Builder addFromHeadersBuilder()
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • addFromHeadersBuilder

      public JwtHeader.Builder addFromHeadersBuilder(int index)
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • getFromHeadersBuilderList

      public List<JwtHeader.Builder> getFromHeadersBuilderList()
       Two fields below define where to extract the JWT from an HTTP request.

 If no explicit location is specified, the following default locations are tried in order:

 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

    Authorization: Bearer <token>.

 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.

 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.

 Specify the HTTP headers to extract the JWT. For examples, following config:

 .. code-block:: yaml

   from_headers:
   - name: x-goog-iap-jwt-assertion

 can be used to extract token from header::

   ``x-goog-iap-jwt-assertion: <JWT>``.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

    • getFromParamsList

      public com.google.protobuf.ProtocolStringList getFromParamsList()
       JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.

 For example, if config is:

 .. code-block:: yaml

   from_params:
   - jwt_token

 The JWT format in query parameter is::

    /path?jwt_token=<JWT>
      repeated string from_params = 7;
      Specified by:
      getFromParamsList in interface JwtProviderOrBuilder
      Returns:
      A list containing the fromParams.

    • getFromParamsCount

      public int getFromParamsCount()
       JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.

 For example, if config is:

 .. code-block:: yaml

   from_params:
   - jwt_token

 The JWT format in query parameter is::

    /path?jwt_token=<JWT>
      repeated string from_params = 7;
      Specified by:
      getFromParamsCount in interface JwtProviderOrBuilder
      Returns:
      The count of fromParams.

    • getFromParams

      public String getFromParams(int index)
       JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.

 For example, if config is:

 .. code-block:: yaml

   from_params:
   - jwt_token

 The JWT format in query parameter is::

    /path?jwt_token=<JWT>
      repeated string from_params = 7;
      Specified by:
      getFromParams in interface JwtProviderOrBuilder
      Parameters:
      index - The index of the element to return.
      Returns:
      The fromParams at the given index.

    • getFromParamsBytes

      public com.google.protobuf.ByteString getFromParamsBytes(int index)
       JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.

 For example, if config is:

 .. code-block:: yaml

   from_params:
   - jwt_token

 The JWT format in query parameter is::

    /path?jwt_token=<JWT>
      repeated string from_params = 7;
      Specified by:
      getFromParamsBytes in interface JwtProviderOrBuilder
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the fromParams at the given index.

    • setFromParams

      public JwtProvider.Builder setFromParams(int index, String value)
       JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.

 For example, if config is:

 .. code-block:: yaml

   from_params:
   - jwt_token

 The JWT format in query parameter is::

    /path?jwt_token=<JWT>
      repeated string from_params = 7;
      Parameters:
      index - The index to set the value at.
      value - The fromParams to set.
      Returns:
      This builder for chaining.

    • addFromParams

      public JwtProvider.Builder addFromParams(String value)
       JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.

 For example, if config is:

 .. code-block:: yaml

   from_params:
   - jwt_token

 The JWT format in query parameter is::

    /path?jwt_token=<JWT>
      repeated string from_params = 7;
      Parameters:
      value - The fromParams to add.
      Returns:
      This builder for chaining.

    • addAllFromParams

      public JwtProvider.Builder addAllFromParams(Iterable<String> values)
       JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.

 For example, if config is:

 .. code-block:: yaml

   from_params:
   - jwt_token

 The JWT format in query parameter is::

    /path?jwt_token=<JWT>
      repeated string from_params = 7;
      Parameters:
      values - The fromParams to add.
      Returns:
      This builder for chaining.

    • clearFromParams

      public JwtProvider.Builder clearFromParams()
       JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.

 For example, if config is:

 .. code-block:: yaml

   from_params:
   - jwt_token

 The JWT format in query parameter is::

    /path?jwt_token=<JWT>
      repeated string from_params = 7;
      Returns:
      This builder for chaining.

    • addFromParamsBytes

      public JwtProvider.Builder addFromParamsBytes(com.google.protobuf.ByteString value)
       JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.

 For example, if config is:

 .. code-block:: yaml

   from_params:
   - jwt_token

 The JWT format in query parameter is::

    /path?jwt_token=<JWT>
      repeated string from_params = 7;
      Parameters:
      value - The bytes of the fromParams to add.
      Returns:
      This builder for chaining.

    • getFromCookiesList

      public com.google.protobuf.ProtocolStringList getFromCookiesList()
       JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.

 For example, if config is:

 .. code-block:: yaml

   from_cookies:
   - auth-token

 Then JWT will be extracted from ``auth-token`` cookie in the request.
      repeated string from_cookies = 13;
      Specified by:
      getFromCookiesList in interface JwtProviderOrBuilder
      Returns:
      A list containing the fromCookies.

    • getFromCookiesCount

      public int getFromCookiesCount()
       JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.

 For example, if config is:

 .. code-block:: yaml

   from_cookies:
   - auth-token

 Then JWT will be extracted from ``auth-token`` cookie in the request.
      repeated string from_cookies = 13;
      Specified by:
      getFromCookiesCount in interface JwtProviderOrBuilder
      Returns:
      The count of fromCookies.

    • getFromCookies

      public String getFromCookies(int index)
       JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.

 For example, if config is:

 .. code-block:: yaml

   from_cookies:
   - auth-token

 Then JWT will be extracted from ``auth-token`` cookie in the request.
      repeated string from_cookies = 13;
      Specified by:
      getFromCookies in interface JwtProviderOrBuilder
      Parameters:
      index - The index of the element to return.
      Returns:
      The fromCookies at the given index.

    • getFromCookiesBytes

      public com.google.protobuf.ByteString getFromCookiesBytes(int index)
       JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.

 For example, if config is:

 .. code-block:: yaml

   from_cookies:
   - auth-token

 Then JWT will be extracted from ``auth-token`` cookie in the request.
      repeated string from_cookies = 13;
      Specified by:
      getFromCookiesBytes in interface JwtProviderOrBuilder
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the fromCookies at the given index.

    • setFromCookies

      public JwtProvider.Builder setFromCookies(int index, String value)
       JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.

 For example, if config is:

 .. code-block:: yaml

   from_cookies:
   - auth-token

 Then JWT will be extracted from ``auth-token`` cookie in the request.
      repeated string from_cookies = 13;
      Parameters:
      index - The index to set the value at.
      value - The fromCookies to set.
      Returns:
      This builder for chaining.

    • addFromCookies

      public JwtProvider.Builder addFromCookies(String value)
       JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.

 For example, if config is:

 .. code-block:: yaml

   from_cookies:
   - auth-token

 Then JWT will be extracted from ``auth-token`` cookie in the request.
      repeated string from_cookies = 13;
      Parameters:
      value - The fromCookies to add.
      Returns:
      This builder for chaining.

    • addAllFromCookies

      public JwtProvider.Builder addAllFromCookies(Iterable<String> values)
       JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.

 For example, if config is:

 .. code-block:: yaml

   from_cookies:
   - auth-token

 Then JWT will be extracted from ``auth-token`` cookie in the request.
      repeated string from_cookies = 13;
      Parameters:
      values - The fromCookies to add.
      Returns:
      This builder for chaining.

    • clearFromCookies

      public JwtProvider.Builder clearFromCookies()
       JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.

 For example, if config is:

 .. code-block:: yaml

   from_cookies:
   - auth-token

 Then JWT will be extracted from ``auth-token`` cookie in the request.
      repeated string from_cookies = 13;
      Returns:
      This builder for chaining.

    • addFromCookiesBytes

      public JwtProvider.Builder addFromCookiesBytes(com.google.protobuf.ByteString value)
       JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.

 For example, if config is:

 .. code-block:: yaml

   from_cookies:
   - auth-token

 Then JWT will be extracted from ``auth-token`` cookie in the request.
      repeated string from_cookies = 13;
      Parameters:
      value - The bytes of the fromCookies to add.
      Returns:
      This builder for chaining.

    • getForwardPayloadHeader

      public String getForwardPayloadHeader()
       This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::

    base64url_encoded(jwt_payload_in_JSON)

 If it is not specified, the payload will not be forwarded.
      string forward_payload_header = 8 [(.validate.rules) = { ... }
      Specified by:
      getForwardPayloadHeader in interface JwtProviderOrBuilder
      Returns:
      The forwardPayloadHeader.

    • getForwardPayloadHeaderBytes

      public com.google.protobuf.ByteString getForwardPayloadHeaderBytes()
       This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::

    base64url_encoded(jwt_payload_in_JSON)

 If it is not specified, the payload will not be forwarded.
      string forward_payload_header = 8 [(.validate.rules) = { ... }
      Specified by:
      getForwardPayloadHeaderBytes in interface JwtProviderOrBuilder
      Returns:
      The bytes for forwardPayloadHeader.

    • setForwardPayloadHeader

      public JwtProvider.Builder setForwardPayloadHeader(String value)
       This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::

    base64url_encoded(jwt_payload_in_JSON)

 If it is not specified, the payload will not be forwarded.
      string forward_payload_header = 8 [(.validate.rules) = { ... }
      Parameters:
      value - The forwardPayloadHeader to set.
      Returns:
      This builder for chaining.

    • clearForwardPayloadHeader

      public JwtProvider.Builder clearForwardPayloadHeader()
       This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::

    base64url_encoded(jwt_payload_in_JSON)

 If it is not specified, the payload will not be forwarded.
      string forward_payload_header = 8 [(.validate.rules) = { ... }
      Returns:
      This builder for chaining.

    • setForwardPayloadHeaderBytes

      public JwtProvider.Builder setForwardPayloadHeaderBytes(com.google.protobuf.ByteString value)
       This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::

    base64url_encoded(jwt_payload_in_JSON)

 If it is not specified, the payload will not be forwarded.
      string forward_payload_header = 8 [(.validate.rules) = { ... }
      Parameters:
      value - The bytes for forwardPayloadHeader to set.
      Returns:
      This builder for chaining.

    • getPadForwardPayloadHeader

      public boolean getPadForwardPayloadHeader()
       When :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
 is specified, the base64 encoded payload will be added to the headers.
 Normally JWT based64 encode doesn't add padding. If this field is true,
 the header will be padded.

 This field is only relevant if :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
 is specified.
      bool pad_forward_payload_header = 11;
      Specified by:
      getPadForwardPayloadHeader in interface JwtProviderOrBuilder
      Returns:
      The padForwardPayloadHeader.

    • setPadForwardPayloadHeader

      public JwtProvider.Builder setPadForwardPayloadHeader(boolean value)
       When :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
 is specified, the base64 encoded payload will be added to the headers.
 Normally JWT based64 encode doesn't add padding. If this field is true,
 the header will be padded.

 This field is only relevant if :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
 is specified.
      bool pad_forward_payload_header = 11;
      Parameters:
      value - The padForwardPayloadHeader to set.
      Returns:
      This builder for chaining.

    • clearPadForwardPayloadHeader

      public JwtProvider.Builder clearPadForwardPayloadHeader()
       When :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
 is specified, the base64 encoded payload will be added to the headers.
 Normally JWT based64 encode doesn't add padding. If this field is true,
 the header will be padded.

 This field is only relevant if :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
 is specified.
      bool pad_forward_payload_header = 11;
      Returns:
      This builder for chaining.

    • getPayloadInMetadata

      public String getPayloadInMetadata()
       If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
 The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields``
 and the value is the ``protobuf::Struct`` converted from JWT JSON payload.

 For example, if payload_in_metadata is ``my_payload``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
      string payload_in_metadata = 9;
      Specified by:
      getPayloadInMetadata in interface JwtProviderOrBuilder
      Returns:
      The payloadInMetadata.

    • getPayloadInMetadataBytes

      public com.google.protobuf.ByteString getPayloadInMetadataBytes()
       If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
 The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields``
 and the value is the ``protobuf::Struct`` converted from JWT JSON payload.

 For example, if payload_in_metadata is ``my_payload``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
      string payload_in_metadata = 9;
      Specified by:
      getPayloadInMetadataBytes in interface JwtProviderOrBuilder
      Returns:
      The bytes for payloadInMetadata.

    • setPayloadInMetadata

      public JwtProvider.Builder setPayloadInMetadata(String value)
       If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
 The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields``
 and the value is the ``protobuf::Struct`` converted from JWT JSON payload.

 For example, if payload_in_metadata is ``my_payload``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
      string payload_in_metadata = 9;
      Parameters:
      value - The payloadInMetadata to set.
      Returns:
      This builder for chaining.

    • clearPayloadInMetadata

      public JwtProvider.Builder clearPayloadInMetadata()
       If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
 The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields``
 and the value is the ``protobuf::Struct`` converted from JWT JSON payload.

 For example, if payload_in_metadata is ``my_payload``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
      string payload_in_metadata = 9;
      Returns:
      This builder for chaining.

    • setPayloadInMetadataBytes

      public JwtProvider.Builder setPayloadInMetadataBytes(com.google.protobuf.ByteString value)
       If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
 The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields``
 and the value is the ``protobuf::Struct`` converted from JWT JSON payload.

 For example, if payload_in_metadata is ``my_payload``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
      string payload_in_metadata = 9;
      Parameters:
      value - The bytes for payloadInMetadata to set.
      Returns:
      This builder for chaining.

    • hasNormalizePayloadInMetadata

      public boolean hasNormalizePayloadInMetadata()
       Normalizes the payload representation in the request metadata.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtProvider.NormalizePayload normalize_payload_in_metadata = 18;
      Specified by:
      hasNormalizePayloadInMetadata in interface JwtProviderOrBuilder
      Returns:
      Whether the normalizePayloadInMetadata field is set.

    • getNormalizePayloadInMetadata

      public JwtProvider.NormalizePayload getNormalizePayloadInMetadata()
       Normalizes the payload representation in the request metadata.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtProvider.NormalizePayload normalize_payload_in_metadata = 18;
      Specified by:
      getNormalizePayloadInMetadata in interface JwtProviderOrBuilder
      Returns:
      The normalizePayloadInMetadata.

    • setNormalizePayloadInMetadata

      public JwtProvider.Builder setNormalizePayloadInMetadata(JwtProvider.NormalizePayload value)
       Normalizes the payload representation in the request metadata.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtProvider.NormalizePayload normalize_payload_in_metadata = 18;

    • setNormalizePayloadInMetadata

      public JwtProvider.Builder setNormalizePayloadInMetadata(JwtProvider.NormalizePayload.Builder builderForValue)
       Normalizes the payload representation in the request metadata.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtProvider.NormalizePayload normalize_payload_in_metadata = 18;

    • mergeNormalizePayloadInMetadata

      public JwtProvider.Builder mergeNormalizePayloadInMetadata(JwtProvider.NormalizePayload value)
       Normalizes the payload representation in the request metadata.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtProvider.NormalizePayload normalize_payload_in_metadata = 18;

    • clearNormalizePayloadInMetadata

      public JwtProvider.Builder clearNormalizePayloadInMetadata()
       Normalizes the payload representation in the request metadata.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtProvider.NormalizePayload normalize_payload_in_metadata = 18;

    • getNormalizePayloadInMetadataBuilder

      public JwtProvider.NormalizePayload.Builder getNormalizePayloadInMetadataBuilder()
       Normalizes the payload representation in the request metadata.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtProvider.NormalizePayload normalize_payload_in_metadata = 18;

    • getNormalizePayloadInMetadataOrBuilder

      public JwtProvider.NormalizePayloadOrBuilder getNormalizePayloadInMetadataOrBuilder()
       Normalizes the payload representation in the request metadata.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtProvider.NormalizePayload normalize_payload_in_metadata = 18;
      Specified by:
      getNormalizePayloadInMetadataOrBuilder in interface JwtProviderOrBuilder

    • getHeaderInMetadata

      public String getHeaderInMetadata()
       If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
 a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
 as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the
 value of this field as the key.

 For example, if ``header_in_metadata`` is ``my_header``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256

 When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if
 :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
 is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256

 .. warning::
   Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   is not suggested due to potential override of existing entry, while it is not enforced during
   config validation.
      string header_in_metadata = 14;
      Specified by:
      getHeaderInMetadata in interface JwtProviderOrBuilder
      Returns:
      The headerInMetadata.

    • getHeaderInMetadataBytes

      public com.google.protobuf.ByteString getHeaderInMetadataBytes()
       If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
 a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
 as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the
 value of this field as the key.

 For example, if ``header_in_metadata`` is ``my_header``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256

 When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if
 :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
 is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256

 .. warning::
   Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   is not suggested due to potential override of existing entry, while it is not enforced during
   config validation.
      string header_in_metadata = 14;
      Specified by:
      getHeaderInMetadataBytes in interface JwtProviderOrBuilder
      Returns:
      The bytes for headerInMetadata.

    • setHeaderInMetadata

      public JwtProvider.Builder setHeaderInMetadata(String value)
       If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
 a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
 as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the
 value of this field as the key.

 For example, if ``header_in_metadata`` is ``my_header``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256

 When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if
 :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
 is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256

 .. warning::
   Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   is not suggested due to potential override of existing entry, while it is not enforced during
   config validation.
      string header_in_metadata = 14;
      Parameters:
      value - The headerInMetadata to set.
      Returns:
      This builder for chaining.

    • clearHeaderInMetadata

      public JwtProvider.Builder clearHeaderInMetadata()
       If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
 a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
 as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the
 value of this field as the key.

 For example, if ``header_in_metadata`` is ``my_header``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256

 When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if
 :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
 is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256

 .. warning::
   Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   is not suggested due to potential override of existing entry, while it is not enforced during
   config validation.
      string header_in_metadata = 14;
      Returns:
      This builder for chaining.

    • setHeaderInMetadataBytes

      public JwtProvider.Builder setHeaderInMetadataBytes(com.google.protobuf.ByteString value)
       If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
 a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
 as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the
 value of this field as the key.

 For example, if ``header_in_metadata`` is ``my_header``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256

 When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if
 :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
 is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256

 .. warning::
   Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   is not suggested due to potential override of existing entry, while it is not enforced during
   config validation.
      string header_in_metadata = 14;
      Parameters:
      value - The bytes for headerInMetadata to set.
      Returns:
      This builder for chaining.

    • getFailedStatusInMetadata

      public String getFailedStatusInMetadata()
       If non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn``
 The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message``
 and they will contain the JWT authentication failure status code and a message describing the failure.

 For example, if failed_status_in_metadata is ``my_auth_failure_status``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_auth_failure_status:
       code: 3
       message: Jwt expired
      string failed_status_in_metadata = 16;
      Specified by:
      getFailedStatusInMetadata in interface JwtProviderOrBuilder
      Returns:
      The failedStatusInMetadata.

    • getFailedStatusInMetadataBytes

      public com.google.protobuf.ByteString getFailedStatusInMetadataBytes()
       If non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn``
 The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message``
 and they will contain the JWT authentication failure status code and a message describing the failure.

 For example, if failed_status_in_metadata is ``my_auth_failure_status``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_auth_failure_status:
       code: 3
       message: Jwt expired
      string failed_status_in_metadata = 16;
      Specified by:
      getFailedStatusInMetadataBytes in interface JwtProviderOrBuilder
      Returns:
      The bytes for failedStatusInMetadata.

    • setFailedStatusInMetadata

      public JwtProvider.Builder setFailedStatusInMetadata(String value)
       If non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn``
 The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message``
 and they will contain the JWT authentication failure status code and a message describing the failure.

 For example, if failed_status_in_metadata is ``my_auth_failure_status``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_auth_failure_status:
       code: 3
       message: Jwt expired
      string failed_status_in_metadata = 16;
      Parameters:
      value - The failedStatusInMetadata to set.
      Returns:
      This builder for chaining.

    • clearFailedStatusInMetadata

      public JwtProvider.Builder clearFailedStatusInMetadata()
       If non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn``
 The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message``
 and they will contain the JWT authentication failure status code and a message describing the failure.

 For example, if failed_status_in_metadata is ``my_auth_failure_status``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_auth_failure_status:
       code: 3
       message: Jwt expired
      string failed_status_in_metadata = 16;
      Returns:
      This builder for chaining.

    • setFailedStatusInMetadataBytes

      public JwtProvider.Builder setFailedStatusInMetadataBytes(com.google.protobuf.ByteString value)
       If non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn``
 The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message``
 and they will contain the JWT authentication failure status code and a message describing the failure.

 For example, if failed_status_in_metadata is ``my_auth_failure_status``:

 .. code-block:: yaml

   envoy.filters.http.jwt_authn:
     my_auth_failure_status:
       code: 3
       message: Jwt expired
      string failed_status_in_metadata = 16;
      Parameters:
      value - The bytes for failedStatusInMetadata to set.
      Returns:
      This builder for chaining.

    • getClockSkewSeconds

      public int getClockSkewSeconds()
       Specify the clock skew in seconds when verifying JWT time constraint,
 such as ``exp``, and ``nbf``. If not specified, default is 60 seconds.
      uint32 clock_skew_seconds = 10;
      Specified by:
      getClockSkewSeconds in interface JwtProviderOrBuilder
      Returns:
      The clockSkewSeconds.

    • setClockSkewSeconds

      public JwtProvider.Builder setClockSkewSeconds(int value)
       Specify the clock skew in seconds when verifying JWT time constraint,
 such as ``exp``, and ``nbf``. If not specified, default is 60 seconds.
      uint32 clock_skew_seconds = 10;
      Parameters:
      value - The clockSkewSeconds to set.
      Returns:
      This builder for chaining.

    • clearClockSkewSeconds

      public JwtProvider.Builder clearClockSkewSeconds()
       Specify the clock skew in seconds when verifying JWT time constraint,
 such as ``exp``, and ``nbf``. If not specified, default is 60 seconds.
      uint32 clock_skew_seconds = 10;
      Returns:
      This builder for chaining.

    • hasJwtCacheConfig

      public boolean hasJwtCacheConfig()
       Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWTs are cached.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;
      Specified by:
      hasJwtCacheConfig in interface JwtProviderOrBuilder
      Returns:
      Whether the jwtCacheConfig field is set.

    • getJwtCacheConfig

      public JwtCacheConfig getJwtCacheConfig()
       Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWTs are cached.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;
      Specified by:
      getJwtCacheConfig in interface JwtProviderOrBuilder
      Returns:
      The jwtCacheConfig.

    • setJwtCacheConfig

      public JwtProvider.Builder setJwtCacheConfig(JwtCacheConfig value)
       Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWTs are cached.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;

    • setJwtCacheConfig

      public JwtProvider.Builder setJwtCacheConfig(JwtCacheConfig.Builder builderForValue)
       Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWTs are cached.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;

    • mergeJwtCacheConfig

      public JwtProvider.Builder mergeJwtCacheConfig(JwtCacheConfig value)
       Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWTs are cached.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;

    • clearJwtCacheConfig

      public JwtProvider.Builder clearJwtCacheConfig()
       Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWTs are cached.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;

    • getJwtCacheConfigBuilder

      public JwtCacheConfig.Builder getJwtCacheConfigBuilder()
       Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWTs are cached.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;

    • getJwtCacheConfigOrBuilder

      public JwtCacheConfigOrBuilder getJwtCacheConfigOrBuilder()
       Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWTs are cached.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;
      Specified by:
      getJwtCacheConfigOrBuilder in interface JwtProviderOrBuilder

    • getClaimToHeadersList

      public List<JwtClaimToHeader> getClaimToHeadersList()
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;
      Specified by:
      getClaimToHeadersList in interface JwtProviderOrBuilder

    • getClaimToHeadersCount

      public int getClaimToHeadersCount()
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;
      Specified by:
      getClaimToHeadersCount in interface JwtProviderOrBuilder

    • getClaimToHeaders

      public JwtClaimToHeader getClaimToHeaders(int index)
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;
      Specified by:
      getClaimToHeaders in interface JwtProviderOrBuilder

    • setClaimToHeaders

      public JwtProvider.Builder setClaimToHeaders(int index, JwtClaimToHeader value)
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • setClaimToHeaders

      public JwtProvider.Builder setClaimToHeaders(int index, JwtClaimToHeader.Builder builderForValue)
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • addClaimToHeaders

      public JwtProvider.Builder addClaimToHeaders(JwtClaimToHeader value)
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • addClaimToHeaders

      public JwtProvider.Builder addClaimToHeaders(int index, JwtClaimToHeader value)
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • addClaimToHeaders

      public JwtProvider.Builder addClaimToHeaders(JwtClaimToHeader.Builder builderForValue)
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • addClaimToHeaders

      public JwtProvider.Builder addClaimToHeaders(int index, JwtClaimToHeader.Builder builderForValue)
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • addAllClaimToHeaders

      public JwtProvider.Builder addAllClaimToHeaders(Iterable<? extends JwtClaimToHeader> values)
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • clearClaimToHeaders

      public JwtProvider.Builder clearClaimToHeaders()
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • removeClaimToHeaders

      public JwtProvider.Builder removeClaimToHeaders(int index)
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • getClaimToHeadersBuilder

      public JwtClaimToHeader.Builder getClaimToHeadersBuilder(int index)
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • getClaimToHeadersOrBuilder

      public JwtClaimToHeaderOrBuilder getClaimToHeadersOrBuilder(int index)
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;
      Specified by:
      getClaimToHeadersOrBuilder in interface JwtProviderOrBuilder

    • getClaimToHeadersOrBuilderList

      public List<? extends JwtClaimToHeaderOrBuilder> getClaimToHeadersOrBuilderList()
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;
      Specified by:
      getClaimToHeadersOrBuilderList in interface JwtProviderOrBuilder

    • addClaimToHeadersBuilder

      public JwtClaimToHeader.Builder addClaimToHeadersBuilder()
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • addClaimToHeadersBuilder

      public JwtClaimToHeader.Builder addClaimToHeadersBuilder(int index)
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • getClaimToHeadersBuilderList

      public List<JwtClaimToHeader.Builder> getClaimToHeadersBuilderList()
       Add JWT claim to HTTP Header
 Specify the claim name you want to copy in which HTTP header. For examples, following config:
 The claim must be of type; string, int, double, bool. Array type claims are not supported

 .. literalinclude:: /_configs/repo/jwt_authn.yaml
    :language: yaml
    :lines: 44-48
    :linenos:
    :lineno-start: 44
    :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`

 This header is only reserved for jwt claim; any other value will be overwritten.
      repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15;

    • getClearRouteCache

      public boolean getClearRouteCache()
       Clears route cache in order to allow the JWT to correctly affect
 routing decisions. Filter clears all cached routes when:

 1. The field is set to ``true``.

 2. At least one ``claim_to_headers`` header is added to the request OR
    if ``payload_in_metadata`` is set.
      bool clear_route_cache = 17;
      Specified by:
      getClearRouteCache in interface JwtProviderOrBuilder
      Returns:
      The clearRouteCache.

    • setClearRouteCache

      public JwtProvider.Builder setClearRouteCache(boolean value)
       Clears route cache in order to allow the JWT to correctly affect
 routing decisions. Filter clears all cached routes when:

 1. The field is set to ``true``.

 2. At least one ``claim_to_headers`` header is added to the request OR
    if ``payload_in_metadata`` is set.
      bool clear_route_cache = 17;
      Parameters:
      value - The clearRouteCache to set.
      Returns:
      This builder for chaining.

    • clearClearRouteCache

      public JwtProvider.Builder clearClearRouteCache()
       Clears route cache in order to allow the JWT to correctly affect
 routing decisions. Filter clears all cached routes when:

 1. The field is set to ``true``.

 2. At least one ``claim_to_headers`` header is added to the request OR
    if ``payload_in_metadata`` is set.
      bool clear_route_cache = 17;
      Returns:
      This builder for chaining.

    • setUnknownFields

      public final JwtProvider.Builder setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
      Specified by:
      setUnknownFields in interface com.google.protobuf.Message.Builder
      Overrides:
      setUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

    • mergeUnknownFields

      public final JwtProvider.Builder mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
      Specified by:
      mergeUnknownFields in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>