Package io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3

Class JwtRequirement

java.lang.Object
com.google.protobuf.AbstractMessageLite
com.google.protobuf.AbstractMessage
com.google.protobuf.GeneratedMessageV3
io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement
All Implemented Interfaces:
com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, JwtRequirementOrBuilder, Serializable
public final class JwtRequirement extends com.google.protobuf.GeneratedMessageV3 implements JwtRequirementOrBuilder
 This message specifies a Jwt requirement. An empty message means JWT verification is not
 required. Here are some config examples:

 .. code-block:: yaml

  # Example 1: not required with an empty message

  # Example 2: require A
  provider_name: provider-A

  # Example 3: require A or B
  requires_any:
    requirements:
      - provider_name: provider-A
      - provider_name: provider-B

  # Example 4: require A and B
  requires_all:
    requirements:
      - provider_name: provider-A
      - provider_name: provider-B

  # Example 5: require A and (B or C)
  requires_all:
    requirements:
      - provider_name: provider-A
      - requires_any:
        requirements:
          - provider_name: provider-B
          - provider_name: provider-C

  # Example 6: require A or (B and C)
  requires_any:
    requirements:
      - provider_name: provider-A
      - requires_all:
        requirements:
          - provider_name: provider-B
          - provider_name: provider-C

  # Example 7: A is optional (if token from A is provided, it must be valid, but also allows
  missing token.)
  requires_any:
    requirements:
    - provider_name: provider-A
    - allow_missing: {}

  # Example 8: A is optional and B is required.
  requires_all:
    requirements:
    - requires_any:
        requirements:
        - provider_name: provider-A
        - allow_missing: {}
    - provider_name: provider-B

 [#next-free-field: 8]
Protobuf type envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement
See Also:

  • Field Details

    • PROVIDER_NAME_FIELD_NUMBER

      public static final int PROVIDER_NAME_FIELD_NUMBER
      See Also:

    • PROVIDER_AND_AUDIENCES_FIELD_NUMBER

      public static final int PROVIDER_AND_AUDIENCES_FIELD_NUMBER
      See Also:

    • REQUIRES_ANY_FIELD_NUMBER

      public static final int REQUIRES_ANY_FIELD_NUMBER
      See Also:

    • REQUIRES_ALL_FIELD_NUMBER

      public static final int REQUIRES_ALL_FIELD_NUMBER
      See Also:

    • ALLOW_MISSING_OR_FAILED_FIELD_NUMBER

      public static final int ALLOW_MISSING_OR_FAILED_FIELD_NUMBER
      See Also:

    • ALLOW_MISSING_FIELD_NUMBER

      public static final int ALLOW_MISSING_FIELD_NUMBER
      See Also:

    • EXTRACT_ONLY_WITHOUT_VALIDATION_FIELD_NUMBER

      public static final int EXTRACT_ONLY_WITHOUT_VALIDATION_FIELD_NUMBER
      See Also:

  • Method Details

    • newInstance

      protected Object newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
      Overrides:
      newInstance in class com.google.protobuf.GeneratedMessageV3

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3

    • getRequiresTypeCase

      public JwtRequirement.RequiresTypeCase getRequiresTypeCase()
      Specified by:
      getRequiresTypeCase in interface JwtRequirementOrBuilder

    • hasProviderName

      public boolean hasProviderName()
       Specify a required provider name.
      string provider_name = 1;
      Specified by:
      hasProviderName in interface JwtRequirementOrBuilder
      Returns:
      Whether the providerName field is set.

    • getProviderName

      public String getProviderName()
       Specify a required provider name.
      string provider_name = 1;
      Specified by:
      getProviderName in interface JwtRequirementOrBuilder
      Returns:
      The providerName.

    • getProviderNameBytes

      public com.google.protobuf.ByteString getProviderNameBytes()
       Specify a required provider name.
      string provider_name = 1;
      Specified by:
      getProviderNameBytes in interface JwtRequirementOrBuilder
      Returns:
      The bytes for providerName.

    • hasProviderAndAudiences

      public boolean hasProviderAndAudiences()
       Specify a required provider with audiences.
      .envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences provider_and_audiences = 2;
      Specified by:
      hasProviderAndAudiences in interface JwtRequirementOrBuilder
      Returns:
      Whether the providerAndAudiences field is set.

    • getProviderAndAudiences

      public ProviderWithAudiences getProviderAndAudiences()
       Specify a required provider with audiences.
      .envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences provider_and_audiences = 2;
      Specified by:
      getProviderAndAudiences in interface JwtRequirementOrBuilder
      Returns:
      The providerAndAudiences.

    • getProviderAndAudiencesOrBuilder

      public ProviderWithAudiencesOrBuilder getProviderAndAudiencesOrBuilder()
       Specify a required provider with audiences.
      .envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences provider_and_audiences = 2;
      Specified by:
      getProviderAndAudiencesOrBuilder in interface JwtRequirementOrBuilder

    • hasRequiresAny

      public boolean hasRequiresAny()
       Specify list of JwtRequirement. Their results are OR-ed.
 If any one of them passes, the result is passed.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList requires_any = 3;
      Specified by:
      hasRequiresAny in interface JwtRequirementOrBuilder
      Returns:
      Whether the requiresAny field is set.

    • getRequiresAny

      public JwtRequirementOrList getRequiresAny()
       Specify list of JwtRequirement. Their results are OR-ed.
 If any one of them passes, the result is passed.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList requires_any = 3;
      Specified by:
      getRequiresAny in interface JwtRequirementOrBuilder
      Returns:
      The requiresAny.

    • getRequiresAnyOrBuilder

      public JwtRequirementOrListOrBuilder getRequiresAnyOrBuilder()
       Specify list of JwtRequirement. Their results are OR-ed.
 If any one of them passes, the result is passed.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList requires_any = 3;
      Specified by:
      getRequiresAnyOrBuilder in interface JwtRequirementOrBuilder

    • hasRequiresAll

      public boolean hasRequiresAll()
       Specify list of JwtRequirement. Their results are AND-ed.
 All of them must pass, if one of them fails or missing, it fails.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList requires_all = 4;
      Specified by:
      hasRequiresAll in interface JwtRequirementOrBuilder
      Returns:
      Whether the requiresAll field is set.

    • getRequiresAll

      public JwtRequirementAndList getRequiresAll()
       Specify list of JwtRequirement. Their results are AND-ed.
 All of them must pass, if one of them fails or missing, it fails.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList requires_all = 4;
      Specified by:
      getRequiresAll in interface JwtRequirementOrBuilder
      Returns:
      The requiresAll.

    • getRequiresAllOrBuilder

      public JwtRequirementAndListOrBuilder getRequiresAllOrBuilder()
       Specify list of JwtRequirement. Their results are AND-ed.
 All of them must pass, if one of them fails or missing, it fails.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList requires_all = 4;
      Specified by:
      getRequiresAllOrBuilder in interface JwtRequirementOrBuilder

    • hasAllowMissingOrFailed

      public boolean hasAllowMissingOrFailed()
       The requirement is always satisfied even if JWT is missing or the JWT
 verification fails. A typical usage is: this filter is used to only verify
 JWTs and pass the verified JWT payloads to another filter, the other filter
 will make decision. In this mode, all JWTs will be verified.
      .google.protobuf.Empty allow_missing_or_failed = 5;
      Specified by:
      hasAllowMissingOrFailed in interface JwtRequirementOrBuilder
      Returns:
      Whether the allowMissingOrFailed field is set.

    • getAllowMissingOrFailed

      public com.google.protobuf.Empty getAllowMissingOrFailed()
       The requirement is always satisfied even if JWT is missing or the JWT
 verification fails. A typical usage is: this filter is used to only verify
 JWTs and pass the verified JWT payloads to another filter, the other filter
 will make decision. In this mode, all JWTs will be verified.
      .google.protobuf.Empty allow_missing_or_failed = 5;
      Specified by:
      getAllowMissingOrFailed in interface JwtRequirementOrBuilder
      Returns:
      The allowMissingOrFailed.

    • getAllowMissingOrFailedOrBuilder

      public com.google.protobuf.EmptyOrBuilder getAllowMissingOrFailedOrBuilder()
       The requirement is always satisfied even if JWT is missing or the JWT
 verification fails. A typical usage is: this filter is used to only verify
 JWTs and pass the verified JWT payloads to another filter, the other filter
 will make decision. In this mode, all JWTs will be verified.
      .google.protobuf.Empty allow_missing_or_failed = 5;
      Specified by:
      getAllowMissingOrFailedOrBuilder in interface JwtRequirementOrBuilder

    • hasAllowMissing

      public boolean hasAllowMissing()
       The requirement is satisfied if JWT is missing, but failed if JWT is
 presented but invalid. Similar to allow_missing_or_failed, this is used
 to only verify JWTs and pass the verified payload to another filter. The
 different is this mode will reject requests with invalid tokens.
      .google.protobuf.Empty allow_missing = 6;
      Specified by:
      hasAllowMissing in interface JwtRequirementOrBuilder
      Returns:
      Whether the allowMissing field is set.

    • getAllowMissing

      public com.google.protobuf.Empty getAllowMissing()
       The requirement is satisfied if JWT is missing, but failed if JWT is
 presented but invalid. Similar to allow_missing_or_failed, this is used
 to only verify JWTs and pass the verified payload to another filter. The
 different is this mode will reject requests with invalid tokens.
      .google.protobuf.Empty allow_missing = 6;
      Specified by:
      getAllowMissing in interface JwtRequirementOrBuilder
      Returns:
      The allowMissing.

    • getAllowMissingOrBuilder

      public com.google.protobuf.EmptyOrBuilder getAllowMissingOrBuilder()
       The requirement is satisfied if JWT is missing, but failed if JWT is
 presented but invalid. Similar to allow_missing_or_failed, this is used
 to only verify JWTs and pass the verified payload to another filter. The
 different is this mode will reject requests with invalid tokens.
      .google.protobuf.Empty allow_missing = 6;
      Specified by:
      getAllowMissingOrBuilder in interface JwtRequirementOrBuilder

    • hasExtractOnlyWithoutValidation

      public boolean hasExtractOnlyWithoutValidation()
       Extract JWT claims without performing signature validation.
 This mode will decode the JWT, extract claims, and forward them as
 configured (via claim_to_headers, forward_payload_header, etc.) but
 will NOT verify the JWT signature against JWKS.

 .. warning::

    This mode does not verify JWT authenticity. Use only in scenarios where:

    - JWTs come from a trusted source (e.g., internal service mesh)
    - Signature verification is performed elsewhere in the request path
    - You are in a testing period and the token issuer doesn't support JWKS yet

 This mode will:

 * Decode the JWT header and payload
 * Extract claims and forward them as headers
 * Always return success (Status::Ok) regardless of JWT validity
 * Log when extraction occurs

 This mode will NOT:

 * Verify the JWT signature
 * Validate the (issuer) claim
 * Validate the (audience) claim
 * Check not-before time (nbf claim)
      .envoy.extensions.filters.http.jwt_authn.v3.ExtractOnlyWithoutValidation extract_only_without_validation = 7;
      Specified by:
      hasExtractOnlyWithoutValidation in interface JwtRequirementOrBuilder
      Returns:
      Whether the extractOnlyWithoutValidation field is set.

    • getExtractOnlyWithoutValidation

      public ExtractOnlyWithoutValidation getExtractOnlyWithoutValidation()
       Extract JWT claims without performing signature validation.
 This mode will decode the JWT, extract claims, and forward them as
 configured (via claim_to_headers, forward_payload_header, etc.) but
 will NOT verify the JWT signature against JWKS.

 .. warning::

    This mode does not verify JWT authenticity. Use only in scenarios where:

    - JWTs come from a trusted source (e.g., internal service mesh)
    - Signature verification is performed elsewhere in the request path
    - You are in a testing period and the token issuer doesn't support JWKS yet

 This mode will:

 * Decode the JWT header and payload
 * Extract claims and forward them as headers
 * Always return success (Status::Ok) regardless of JWT validity
 * Log when extraction occurs

 This mode will NOT:

 * Verify the JWT signature
 * Validate the (issuer) claim
 * Validate the (audience) claim
 * Check not-before time (nbf claim)
      .envoy.extensions.filters.http.jwt_authn.v3.ExtractOnlyWithoutValidation extract_only_without_validation = 7;
      Specified by:
      getExtractOnlyWithoutValidation in interface JwtRequirementOrBuilder
      Returns:
      The extractOnlyWithoutValidation.

    • getExtractOnlyWithoutValidationOrBuilder

      public ExtractOnlyWithoutValidationOrBuilder getExtractOnlyWithoutValidationOrBuilder()
       Extract JWT claims without performing signature validation.
 This mode will decode the JWT, extract claims, and forward them as
 configured (via claim_to_headers, forward_payload_header, etc.) but
 will NOT verify the JWT signature against JWKS.

 .. warning::

    This mode does not verify JWT authenticity. Use only in scenarios where:

    - JWTs come from a trusted source (e.g., internal service mesh)
    - Signature verification is performed elsewhere in the request path
    - You are in a testing period and the token issuer doesn't support JWKS yet

 This mode will:

 * Decode the JWT header and payload
 * Extract claims and forward them as headers
 * Always return success (Status::Ok) regardless of JWT validity
 * Log when extraction occurs

 This mode will NOT:

 * Verify the JWT signature
 * Validate the (issuer) claim
 * Validate the (audience) claim
 * Check not-before time (nbf claim)
      .envoy.extensions.filters.http.jwt_authn.v3.ExtractOnlyWithoutValidation extract_only_without_validation = 7;
      Specified by:
      getExtractOnlyWithoutValidationOrBuilder in interface JwtRequirementOrBuilder

    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessageV3

    • writeTo

      public void writeTo(com.google.protobuf.CodedOutputStream output) throws IOException
      Specified by:
      writeTo in interface com.google.protobuf.MessageLite
      Overrides:
      writeTo in class com.google.protobuf.GeneratedMessageV3
      Throws:
      IOException

    • getSerializedSize

      public int getSerializedSize()
      Specified by:
      getSerializedSize in interface com.google.protobuf.MessageLite
      Overrides:
      getSerializedSize in class com.google.protobuf.GeneratedMessageV3

    • equals

      public boolean equals(Object obj)
      Specified by:
      equals in interface com.google.protobuf.Message
      Overrides:
      equals in class com.google.protobuf.AbstractMessage

    • hashCode

      public int hashCode()
      Specified by:
      hashCode in interface com.google.protobuf.Message
      Overrides:
      hashCode in class com.google.protobuf.AbstractMessage

    • parseFrom

      public static JwtRequirement parseFrom(ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static JwtRequirement parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static JwtRequirement parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static JwtRequirement parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static JwtRequirement parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static JwtRequirement parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static JwtRequirement parseFrom(InputStream input) throws IOException
      Throws:
      IOException

    • parseFrom

      public static JwtRequirement parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • parseDelimitedFrom

      public static JwtRequirement parseDelimitedFrom(InputStream input) throws IOException
      Throws:
      IOException

    • parseDelimitedFrom

      public static JwtRequirement parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • parseFrom

      public static JwtRequirement parseFrom(com.google.protobuf.CodedInputStream input) throws IOException
      Throws:
      IOException

    • parseFrom

      public static JwtRequirement parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • newBuilderForType

      public JwtRequirement.Builder newBuilderForType()
      Specified by:
      newBuilderForType in interface com.google.protobuf.Message
      Specified by:
      newBuilderForType in interface com.google.protobuf.MessageLite

    • newBuilder

      public static JwtRequirement.Builder newBuilder()

    • newBuilder

      public static JwtRequirement.Builder newBuilder(JwtRequirement prototype)

    • toBuilder

      public JwtRequirement.Builder toBuilder()
      Specified by:
      toBuilder in interface com.google.protobuf.Message
      Specified by:
      toBuilder in interface com.google.protobuf.MessageLite

    • newBuilderForType

      protected JwtRequirement.Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
      Specified by:
      newBuilderForType in class com.google.protobuf.GeneratedMessageV3

    • getDefaultInstance

      public static JwtRequirement getDefaultInstance()

    • parser

      public static com.google.protobuf.Parser<JwtRequirement> parser()

    • getParserForType

      public com.google.protobuf.Parser<JwtRequirement> getParserForType()
      Specified by:
      getParserForType in interface com.google.protobuf.Message
      Specified by:
      getParserForType in interface com.google.protobuf.MessageLite
      Overrides:
      getParserForType in class com.google.protobuf.GeneratedMessageV3

    • getDefaultInstanceForType

      public JwtRequirement getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder