Interface JwtProviderOrBuilder
- All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder,com.google.protobuf.MessageOrBuilder
- All Known Implementing Classes:
JwtProvider,JwtProvider.Builder
public interface JwtProviderOrBuilder
extends com.google.protobuf.MessageOrBuilder
-
Method Summary
Modifier and TypeMethodDescriptiongetAudiences(int index) The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.com.google.protobuf.ByteStringgetAudiencesBytes(int index) The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.intThe list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.getClaimToHeaders(int index) Add JWT claim to HTTP Header Specify the claim name you want to copy in which HTTP header.intAdd JWT claim to HTTP Header Specify the claim name you want to copy in which HTTP header.Add JWT claim to HTTP Header Specify the claim name you want to copy in which HTTP header.getClaimToHeadersOrBuilder(int index) Add JWT claim to HTTP Header Specify the claim name you want to copy in which HTTP header.List<? extends JwtClaimToHeaderOrBuilder>Add JWT claim to HTTP Header Specify the claim name you want to copy in which HTTP header.booleanClears route cache in order to allow the JWT to correctly affect routing decisions.intSpecify the clock skew in seconds when verifying JWT time constraint, such as ``exp``, and ``nbf``.If non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn`` The value is the ``protobuf::Struct``.com.google.protobuf.ByteStringIf non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn`` The value is the ``protobuf::Struct``.booleanIf false, the JWT is removed in the request after a success verification.This field specifies the header name to forward a successfully verified JWT payload to the backend.com.google.protobuf.ByteStringThis field specifies the header name to forward a successfully verified JWT payload to the backend.getFromCookies(int index) JWT is sent in a cookie.com.google.protobuf.ByteStringgetFromCookiesBytes(int index) JWT is sent in a cookie.intJWT is sent in a cookie.JWT is sent in a cookie.getFromHeaders(int index) Two fields below define where to extract the JWT from an HTTP request.intTwo fields below define where to extract the JWT from an HTTP request.Two fields below define where to extract the JWT from an HTTP request.getFromHeadersOrBuilder(int index) Two fields below define where to extract the JWT from an HTTP request.List<? extends JwtHeaderOrBuilder>Two fields below define where to extract the JWT from an HTTP request.getFromParams(int index) JWT is sent in a query parameter.com.google.protobuf.ByteStringgetFromParamsBytes(int index) JWT is sent in a query parameter.intJWT is sent in a query parameter.JWT is sent in a query parameter.If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`, a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>` as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the value of this field as the key.com.google.protobuf.ByteStringIf not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`, a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>` as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the value of this field as the key.Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address.com.google.protobuf.ByteStringSpecify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address.Enables JWT cache, its size is specified by ``jwt_cache_size``.Enables JWT cache, its size is specified by ``jwt_cache_size``.JWKS is in local data source.JWKS is in local data source.com.google.protobuf.DurationRestrict the maximum remaining lifetime of a credential from the JwtProvider.com.google.protobuf.DurationOrBuilderRestrict the maximum remaining lifetime of a credential from the JwtProvider.Normalizes the payload representation in the request metadata.Normalizes the payload representation in the request metadata.booleanWhen :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>` is specified, the base64 encoded payload will be added to the headers.If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn```` The value is the ``protobuf::Struct``.com.google.protobuf.ByteStringIf non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn```` The value is the ``protobuf::Struct``.JWKS can be fetched from remote server via HTTP/HTTPS.JWKS can be fetched from remote server via HTTP/HTTPS.booleanRequires that the credential contains an `expiration <https://tools.ietf.org/html/rfc7519#section-4.1.4>`_.Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_ that the JwtProvider can assert.Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_ that the JwtProvider can assert.booleanEnables JWT cache, its size is specified by ``jwt_cache_size``.booleanJWKS is in local data source.booleanRestrict the maximum remaining lifetime of a credential from the JwtProvider.booleanNormalizes the payload representation in the request metadata.booleanJWKS can be fetched from remote server via HTTP/HTTPS.booleanRestrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_ that the JwtProvider can assert.Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder
isInitializedMethods inherited from interface com.google.protobuf.MessageOrBuilder
findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof
-
Method Details
-
getIssuer
String getIssuer()Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address. It is optional. If specified, it has to match the ``iss`` field in JWT, otherwise the JWT ``iss`` field is not checked. .. note:: ``JwtRequirement`` :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>` and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>` are implemented differently than other ``JwtRequirements``. Hence the usage of this field is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used: * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``. * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty. * Multiple ``JwtProviders`` should not have same value in this field. Examples: * https://securetoken.google.com * Example: 1234567-compute@developer.gserviceaccount.comstring issuer = 1;- Returns:
- The issuer.
-
getIssuerBytes
com.google.protobuf.ByteString getIssuerBytes()Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address. It is optional. If specified, it has to match the ``iss`` field in JWT, otherwise the JWT ``iss`` field is not checked. .. note:: ``JwtRequirement`` :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>` and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>` are implemented differently than other ``JwtRequirements``. Hence the usage of this field is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used: * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``. * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty. * Multiple ``JwtProviders`` should not have same value in this field. Examples: * https://securetoken.google.com * Example: 1234567-compute@developer.gserviceaccount.comstring issuer = 1;- Returns:
- The bytes for issuer.
-
getAudiencesList
The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. A JWT containing any of these audiences will be accepted. If not specified, will not check audiences in the token. Example: .. code-block:: yaml audiences: - bookstore_android.apps.googleusercontent.com - bookstore_web.apps.googleusercontent.comrepeated string audiences = 2;- Returns:
- A list containing the audiences.
-
getAudiencesCount
int getAudiencesCount()The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. A JWT containing any of these audiences will be accepted. If not specified, will not check audiences in the token. Example: .. code-block:: yaml audiences: - bookstore_android.apps.googleusercontent.com - bookstore_web.apps.googleusercontent.comrepeated string audiences = 2;- Returns:
- The count of audiences.
-
getAudiences
The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. A JWT containing any of these audiences will be accepted. If not specified, will not check audiences in the token. Example: .. code-block:: yaml audiences: - bookstore_android.apps.googleusercontent.com - bookstore_web.apps.googleusercontent.comrepeated string audiences = 2;- Parameters:
index- The index of the element to return.- Returns:
- The audiences at the given index.
-
getAudiencesBytes
com.google.protobuf.ByteString getAudiencesBytes(int index) The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. A JWT containing any of these audiences will be accepted. If not specified, will not check audiences in the token. Example: .. code-block:: yaml audiences: - bookstore_android.apps.googleusercontent.com - bookstore_web.apps.googleusercontent.comrepeated string audiences = 2;- Parameters:
index- The index of the value to return.- Returns:
- The bytes of the audiences at the given index.
-
hasSubjects
boolean hasSubjects()Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_ that the JwtProvider can assert. For instance, this could implement JWT-SVID `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_. If not specified, will not check subjects in the token. Example: .. code-block:: yaml subjects: prefix: spiffe://spiffe.example.com/.envoy.type.matcher.v3.StringMatcher subjects = 19;- Returns:
- Whether the subjects field is set.
-
getSubjects
StringMatcher getSubjects()Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_ that the JwtProvider can assert. For instance, this could implement JWT-SVID `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_. If not specified, will not check subjects in the token. Example: .. code-block:: yaml subjects: prefix: spiffe://spiffe.example.com/.envoy.type.matcher.v3.StringMatcher subjects = 19;- Returns:
- The subjects.
-
getSubjectsOrBuilder
StringMatcherOrBuilder getSubjectsOrBuilder()Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_ that the JwtProvider can assert. For instance, this could implement JWT-SVID `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_. If not specified, will not check subjects in the token. Example: .. code-block:: yaml subjects: prefix: spiffe://spiffe.example.com/.envoy.type.matcher.v3.StringMatcher subjects = 19; -
getRequireExpiration
boolean getRequireExpiration()Requires that the credential contains an `expiration <https://tools.ietf.org/html/rfc7519#section-4.1.4>`_. For instance, this could implement JWT-SVID `expiration restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#33-expiration-time>`_. Unlike ``max_lifetime``, this only requires that expiration is present, where ``max_lifetime`` also checks the value. Example: .. code-block:: yaml require_expiration: truebool require_expiration = 20;- Returns:
- The requireExpiration.
-
hasMaxLifetime
boolean hasMaxLifetime()Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime is the difference between the current time and the expiration of the credential. For instance, the following example will reject credentials that have a lifetime longer than 24 hours. If not set, expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence over ``require_expiration``. Example: .. code-block:: yaml max_lifetime: seconds: 86400.google.protobuf.Duration max_lifetime = 21;- Returns:
- Whether the maxLifetime field is set.
-
getMaxLifetime
com.google.protobuf.Duration getMaxLifetime()Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime is the difference between the current time and the expiration of the credential. For instance, the following example will reject credentials that have a lifetime longer than 24 hours. If not set, expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence over ``require_expiration``. Example: .. code-block:: yaml max_lifetime: seconds: 86400.google.protobuf.Duration max_lifetime = 21;- Returns:
- The maxLifetime.
-
getMaxLifetimeOrBuilder
com.google.protobuf.DurationOrBuilder getMaxLifetimeOrBuilder()Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime is the difference between the current time and the expiration of the credential. For instance, the following example will reject credentials that have a lifetime longer than 24 hours. If not set, expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence over ``require_expiration``. Example: .. code-block:: yaml max_lifetime: seconds: 86400.google.protobuf.Duration max_lifetime = 21; -
hasRemoteJwks
boolean hasRemoteJwks()JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP URI and how the fetched JWKS should be cached. Example: .. code-block:: yaml remote_jwks: http_uri: uri: https://www.googleapis.com/oauth2/v1/certs cluster: jwt.www.googleapis.com|443 timeout: 1s cache_duration: seconds: 300.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;- Returns:
- Whether the remoteJwks field is set.
-
getRemoteJwks
RemoteJwks getRemoteJwks()JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP URI and how the fetched JWKS should be cached. Example: .. code-block:: yaml remote_jwks: http_uri: uri: https://www.googleapis.com/oauth2/v1/certs cluster: jwt.www.googleapis.com|443 timeout: 1s cache_duration: seconds: 300.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;- Returns:
- The remoteJwks.
-
getRemoteJwksOrBuilder
RemoteJwksOrBuilder getRemoteJwksOrBuilder()JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP URI and how the fetched JWKS should be cached. Example: .. code-block:: yaml remote_jwks: http_uri: uri: https://www.googleapis.com/oauth2/v1/certs cluster: jwt.www.googleapis.com|443 timeout: 1s cache_duration: seconds: 300.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3; -
hasLocalJwks
boolean hasLocalJwks()JWKS is in local data source. It could be either in a local file or embedded in the inline_string. Example: local file .. code-block:: yaml local_jwks: filename: /etc/envoy/jwks/jwks1.txt Example: inline_string .. code-block:: yaml local_jwks: inline_string: ACADADADADA.envoy.config.core.v3.DataSource local_jwks = 4;- Returns:
- Whether the localJwks field is set.
-
getLocalJwks
DataSource getLocalJwks()JWKS is in local data source. It could be either in a local file or embedded in the inline_string. Example: local file .. code-block:: yaml local_jwks: filename: /etc/envoy/jwks/jwks1.txt Example: inline_string .. code-block:: yaml local_jwks: inline_string: ACADADADADA.envoy.config.core.v3.DataSource local_jwks = 4;- Returns:
- The localJwks.
-
getLocalJwksOrBuilder
DataSourceOrBuilder getLocalJwksOrBuilder()JWKS is in local data source. It could be either in a local file or embedded in the inline_string. Example: local file .. code-block:: yaml local_jwks: filename: /etc/envoy/jwks/jwks1.txt Example: inline_string .. code-block:: yaml local_jwks: inline_string: ACADADADADA.envoy.config.core.v3.DataSource local_jwks = 4; -
getForward
boolean getForward()If false, the JWT is removed in the request after a success verification. If true, the JWT is not removed in the request. Default value is false. caveat: only works for from_header/from_params & has no effect for JWTs extracted through from_cookies.
bool forward = 5;- Returns:
- The forward.
-
getFromHeadersList
Two fields below define where to extract the JWT from an HTTP request. If no explicit location is specified, the following default locations are tried in order: 1. The Authorization header using the `Bearer schema <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example:: Authorization: Bearer <token>. 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter. Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations its provider specified or from the default locations. Specify the HTTP headers to extract the JWT. For examples, following config: .. code-block:: yaml from_headers: - name: x-goog-iap-jwt-assertion can be used to extract token from header:: ``x-goog-iap-jwt-assertion: <JWT>``.repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6; -
getFromHeaders
Two fields below define where to extract the JWT from an HTTP request. If no explicit location is specified, the following default locations are tried in order: 1. The Authorization header using the `Bearer schema <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example:: Authorization: Bearer <token>. 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter. Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations its provider specified or from the default locations. Specify the HTTP headers to extract the JWT. For examples, following config: .. code-block:: yaml from_headers: - name: x-goog-iap-jwt-assertion can be used to extract token from header:: ``x-goog-iap-jwt-assertion: <JWT>``.repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6; -
getFromHeadersCount
int getFromHeadersCount()Two fields below define where to extract the JWT from an HTTP request. If no explicit location is specified, the following default locations are tried in order: 1. The Authorization header using the `Bearer schema <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example:: Authorization: Bearer <token>. 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter. Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations its provider specified or from the default locations. Specify the HTTP headers to extract the JWT. For examples, following config: .. code-block:: yaml from_headers: - name: x-goog-iap-jwt-assertion can be used to extract token from header:: ``x-goog-iap-jwt-assertion: <JWT>``.repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6; -
getFromHeadersOrBuilderList
List<? extends JwtHeaderOrBuilder> getFromHeadersOrBuilderList()Two fields below define where to extract the JWT from an HTTP request. If no explicit location is specified, the following default locations are tried in order: 1. The Authorization header using the `Bearer schema <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example:: Authorization: Bearer <token>. 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter. Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations its provider specified or from the default locations. Specify the HTTP headers to extract the JWT. For examples, following config: .. code-block:: yaml from_headers: - name: x-goog-iap-jwt-assertion can be used to extract token from header:: ``x-goog-iap-jwt-assertion: <JWT>``.repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6; -
getFromHeadersOrBuilder
Two fields below define where to extract the JWT from an HTTP request. If no explicit location is specified, the following default locations are tried in order: 1. The Authorization header using the `Bearer schema <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example:: Authorization: Bearer <token>. 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter. Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations its provider specified or from the default locations. Specify the HTTP headers to extract the JWT. For examples, following config: .. code-block:: yaml from_headers: - name: x-goog-iap-jwt-assertion can be used to extract token from header:: ``x-goog-iap-jwt-assertion: <JWT>``.repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6; -
getFromParamsList
JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names. For example, if config is: .. code-block:: yaml from_params: - jwt_token The JWT format in query parameter is:: /path?jwt_token=<JWT>repeated string from_params = 7;- Returns:
- A list containing the fromParams.
-
getFromParamsCount
int getFromParamsCount()JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names. For example, if config is: .. code-block:: yaml from_params: - jwt_token The JWT format in query parameter is:: /path?jwt_token=<JWT>repeated string from_params = 7;- Returns:
- The count of fromParams.
-
getFromParams
JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names. For example, if config is: .. code-block:: yaml from_params: - jwt_token The JWT format in query parameter is:: /path?jwt_token=<JWT>repeated string from_params = 7;- Parameters:
index- The index of the element to return.- Returns:
- The fromParams at the given index.
-
getFromParamsBytes
com.google.protobuf.ByteString getFromParamsBytes(int index) JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names. For example, if config is: .. code-block:: yaml from_params: - jwt_token The JWT format in query parameter is:: /path?jwt_token=<JWT>repeated string from_params = 7;- Parameters:
index- The index of the value to return.- Returns:
- The bytes of the fromParams at the given index.
-
getFromCookiesList
JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from. For example, if config is: .. code-block:: yaml from_cookies: - auth-token Then JWT will be extracted from ``auth-token`` cookie in the request.
repeated string from_cookies = 13;- Returns:
- A list containing the fromCookies.
-
getFromCookiesCount
int getFromCookiesCount()JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from. For example, if config is: .. code-block:: yaml from_cookies: - auth-token Then JWT will be extracted from ``auth-token`` cookie in the request.
repeated string from_cookies = 13;- Returns:
- The count of fromCookies.
-
getFromCookies
JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from. For example, if config is: .. code-block:: yaml from_cookies: - auth-token Then JWT will be extracted from ``auth-token`` cookie in the request.
repeated string from_cookies = 13;- Parameters:
index- The index of the element to return.- Returns:
- The fromCookies at the given index.
-
getFromCookiesBytes
com.google.protobuf.ByteString getFromCookiesBytes(int index) JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from. For example, if config is: .. code-block:: yaml from_cookies: - auth-token Then JWT will be extracted from ``auth-token`` cookie in the request.
repeated string from_cookies = 13;- Parameters:
index- The index of the value to return.- Returns:
- The bytes of the fromCookies at the given index.
-
getForwardPayloadHeader
String getForwardPayloadHeader()This field specifies the header name to forward a successfully verified JWT payload to the backend. The forwarded data is:: base64url_encoded(jwt_payload_in_JSON) If it is not specified, the payload will not be forwarded.string forward_payload_header = 8 [(.validate.rules) = { ... }- Returns:
- The forwardPayloadHeader.
-
getForwardPayloadHeaderBytes
com.google.protobuf.ByteString getForwardPayloadHeaderBytes()This field specifies the header name to forward a successfully verified JWT payload to the backend. The forwarded data is:: base64url_encoded(jwt_payload_in_JSON) If it is not specified, the payload will not be forwarded.string forward_payload_header = 8 [(.validate.rules) = { ... }- Returns:
- The bytes for forwardPayloadHeader.
-
getPadForwardPayloadHeader
boolean getPadForwardPayloadHeader()When :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>` is specified, the base64 encoded payload will be added to the headers. Normally JWT based64 encode doesn't add padding. If this field is true, the header will be padded. This field is only relevant if :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>` is specified.
bool pad_forward_payload_header = 11;- Returns:
- The padForwardPayloadHeader.
-
getPayloadInMetadata
String getPayloadInMetadata()If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn```` The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields`` and the value is the ``protobuf::Struct`` converted from JWT JSON payload. For example, if payload_in_metadata is ``my_payload``: .. code-block:: yaml envoy.filters.http.jwt_authn: my_payload: iss: https://example.com sub: test@example.com aud: https://example.com exp: 1501281058string payload_in_metadata = 9;- Returns:
- The payloadInMetadata.
-
getPayloadInMetadataBytes
com.google.protobuf.ByteString getPayloadInMetadataBytes()If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn```` The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields`` and the value is the ``protobuf::Struct`` converted from JWT JSON payload. For example, if payload_in_metadata is ``my_payload``: .. code-block:: yaml envoy.filters.http.jwt_authn: my_payload: iss: https://example.com sub: test@example.com aud: https://example.com exp: 1501281058string payload_in_metadata = 9;- Returns:
- The bytes for payloadInMetadata.
-
hasNormalizePayloadInMetadata
boolean hasNormalizePayloadInMetadata()Normalizes the payload representation in the request metadata.
.envoy.extensions.filters.http.jwt_authn.v3.JwtProvider.NormalizePayload normalize_payload_in_metadata = 18;- Returns:
- Whether the normalizePayloadInMetadata field is set.
-
getNormalizePayloadInMetadata
JwtProvider.NormalizePayload getNormalizePayloadInMetadata()Normalizes the payload representation in the request metadata.
.envoy.extensions.filters.http.jwt_authn.v3.JwtProvider.NormalizePayload normalize_payload_in_metadata = 18;- Returns:
- The normalizePayloadInMetadata.
-
getNormalizePayloadInMetadataOrBuilder
JwtProvider.NormalizePayloadOrBuilder getNormalizePayloadInMetadataOrBuilder()Normalizes the payload representation in the request metadata.
.envoy.extensions.filters.http.jwt_authn.v3.JwtProvider.NormalizePayload normalize_payload_in_metadata = 18; -
getHeaderInMetadata
String getHeaderInMetadata()If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`, a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>` as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the value of this field as the key. For example, if ``header_in_metadata`` is ``my_header``: .. code-block:: yaml envoy.filters.http.jwt_authn: my_header: alg: JWT kid: EF71iSaosbC5C4tC6Syq1Gm647M alg: PS256 When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below: .. code-block:: yaml envoy.filters.http.jwt_authn: my_payload: iss: https://example.com sub: test@example.com aud: https://example.com exp: 1501281058 my_header: alg: JWT kid: EF71iSaosbC5C4tC6Syq1Gm647M alg: PS256 .. warning:: Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is not suggested due to potential override of existing entry, while it is not enforced during config validation.string header_in_metadata = 14;- Returns:
- The headerInMetadata.
-
getHeaderInMetadataBytes
com.google.protobuf.ByteString getHeaderInMetadataBytes()If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`, a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>` as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the value of this field as the key. For example, if ``header_in_metadata`` is ``my_header``: .. code-block:: yaml envoy.filters.http.jwt_authn: my_header: alg: JWT kid: EF71iSaosbC5C4tC6Syq1Gm647M alg: PS256 When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below: .. code-block:: yaml envoy.filters.http.jwt_authn: my_payload: iss: https://example.com sub: test@example.com aud: https://example.com exp: 1501281058 my_header: alg: JWT kid: EF71iSaosbC5C4tC6Syq1Gm647M alg: PS256 .. warning:: Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is not suggested due to potential override of existing entry, while it is not enforced during config validation.string header_in_metadata = 14;- Returns:
- The bytes for headerInMetadata.
-
getFailedStatusInMetadata
String getFailedStatusInMetadata()If non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn`` The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message`` and they will contain the JWT authentication failure status code and a message describing the failure. For example, if failed_status_in_metadata is ``my_auth_failure_status``: .. code-block:: yaml envoy.filters.http.jwt_authn: my_auth_failure_status: code: 3 message: Jwt expiredstring failed_status_in_metadata = 16;- Returns:
- The failedStatusInMetadata.
-
getFailedStatusInMetadataBytes
com.google.protobuf.ByteString getFailedStatusInMetadataBytes()If non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn`` The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message`` and they will contain the JWT authentication failure status code and a message describing the failure. For example, if failed_status_in_metadata is ``my_auth_failure_status``: .. code-block:: yaml envoy.filters.http.jwt_authn: my_auth_failure_status: code: 3 message: Jwt expiredstring failed_status_in_metadata = 16;- Returns:
- The bytes for failedStatusInMetadata.
-
getClockSkewSeconds
int getClockSkewSeconds()Specify the clock skew in seconds when verifying JWT time constraint, such as ``exp``, and ``nbf``. If not specified, default is 60 seconds.
uint32 clock_skew_seconds = 10;- Returns:
- The clockSkewSeconds.
-
hasJwtCacheConfig
boolean hasJwtCacheConfig()Enables JWT cache, its size is specified by ``jwt_cache_size``. Only valid JWTs are cached.
.envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;- Returns:
- Whether the jwtCacheConfig field is set.
-
getJwtCacheConfig
JwtCacheConfig getJwtCacheConfig()Enables JWT cache, its size is specified by ``jwt_cache_size``. Only valid JWTs are cached.
.envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;- Returns:
- The jwtCacheConfig.
-
getJwtCacheConfigOrBuilder
JwtCacheConfigOrBuilder getJwtCacheConfigOrBuilder()Enables JWT cache, its size is specified by ``jwt_cache_size``. Only valid JWTs are cached.
.envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12; -
getClaimToHeadersList
List<JwtClaimToHeader> getClaimToHeadersList()Add JWT claim to HTTP Header Specify the claim name you want to copy in which HTTP header. For examples, following config: The claim must be of type; string, int, double, bool. Array type claims are not supported .. literalinclude:: /_configs/repo/jwt_authn.yaml :language: yaml :lines: 44-48 :linenos: :lineno-start: 44 :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>` This header is only reserved for jwt claim; any other value will be overwritten.repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15; -
getClaimToHeaders
Add JWT claim to HTTP Header Specify the claim name you want to copy in which HTTP header. For examples, following config: The claim must be of type; string, int, double, bool. Array type claims are not supported .. literalinclude:: /_configs/repo/jwt_authn.yaml :language: yaml :lines: 44-48 :linenos: :lineno-start: 44 :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>` This header is only reserved for jwt claim; any other value will be overwritten.repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15; -
getClaimToHeadersCount
int getClaimToHeadersCount()Add JWT claim to HTTP Header Specify the claim name you want to copy in which HTTP header. For examples, following config: The claim must be of type; string, int, double, bool. Array type claims are not supported .. literalinclude:: /_configs/repo/jwt_authn.yaml :language: yaml :lines: 44-48 :linenos: :lineno-start: 44 :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>` This header is only reserved for jwt claim; any other value will be overwritten.repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15; -
getClaimToHeadersOrBuilderList
List<? extends JwtClaimToHeaderOrBuilder> getClaimToHeadersOrBuilderList()Add JWT claim to HTTP Header Specify the claim name you want to copy in which HTTP header. For examples, following config: The claim must be of type; string, int, double, bool. Array type claims are not supported .. literalinclude:: /_configs/repo/jwt_authn.yaml :language: yaml :lines: 44-48 :linenos: :lineno-start: 44 :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>` This header is only reserved for jwt claim; any other value will be overwritten.repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15; -
getClaimToHeadersOrBuilder
Add JWT claim to HTTP Header Specify the claim name you want to copy in which HTTP header. For examples, following config: The claim must be of type; string, int, double, bool. Array type claims are not supported .. literalinclude:: /_configs/repo/jwt_authn.yaml :language: yaml :lines: 44-48 :linenos: :lineno-start: 44 :caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>` This header is only reserved for jwt claim; any other value will be overwritten.repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader claim_to_headers = 15; -
getClearRouteCache
boolean getClearRouteCache()Clears route cache in order to allow the JWT to correctly affect routing decisions. Filter clears all cached routes when: 1. The field is set to ``true``. 2. At least one ``claim_to_headers`` header is added to the request OR if ``payload_in_metadata`` is set.bool clear_route_cache = 17;- Returns:
- The clearRouteCache.
-
getJwksSourceSpecifierCase
JwtProvider.JwksSourceSpecifierCase getJwksSourceSpecifierCase()
-