Package io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3

Interface JwtRequirementOrBuilder

All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
All Known Implementing Classes:
JwtRequirement, JwtRequirement.Builder
public interface JwtRequirementOrBuilder extends com.google.protobuf.MessageOrBuilder

  • Method Details

    • hasProviderName

      boolean hasProviderName()
       Specify a required provider name.
      string provider_name = 1;
      Returns:
      Whether the providerName field is set.

    • getProviderName

      String getProviderName()
       Specify a required provider name.
      string provider_name = 1;
      Returns:
      The providerName.

    • getProviderNameBytes

      com.google.protobuf.ByteString getProviderNameBytes()
       Specify a required provider name.
      string provider_name = 1;
      Returns:
      The bytes for providerName.

    • hasProviderAndAudiences

      boolean hasProviderAndAudiences()
       Specify a required provider with audiences.
      .envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences provider_and_audiences = 2;
      Returns:
      Whether the providerAndAudiences field is set.

    • getProviderAndAudiences

      ProviderWithAudiences getProviderAndAudiences()
       Specify a required provider with audiences.
      .envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences provider_and_audiences = 2;
      Returns:
      The providerAndAudiences.

    • getProviderAndAudiencesOrBuilder

      ProviderWithAudiencesOrBuilder getProviderAndAudiencesOrBuilder()
       Specify a required provider with audiences.
      .envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences provider_and_audiences = 2;

    • hasRequiresAny

      boolean hasRequiresAny()
       Specify list of JwtRequirement. Their results are OR-ed.
 If any one of them passes, the result is passed.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList requires_any = 3;
      Returns:
      Whether the requiresAny field is set.

    • getRequiresAny

      JwtRequirementOrList getRequiresAny()
       Specify list of JwtRequirement. Their results are OR-ed.
 If any one of them passes, the result is passed.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList requires_any = 3;
      Returns:
      The requiresAny.

    • getRequiresAnyOrBuilder

      JwtRequirementOrListOrBuilder getRequiresAnyOrBuilder()
       Specify list of JwtRequirement. Their results are OR-ed.
 If any one of them passes, the result is passed.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList requires_any = 3;

    • hasRequiresAll

      boolean hasRequiresAll()
       Specify list of JwtRequirement. Their results are AND-ed.
 All of them must pass, if one of them fails or missing, it fails.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList requires_all = 4;
      Returns:
      Whether the requiresAll field is set.

    • getRequiresAll

      JwtRequirementAndList getRequiresAll()
       Specify list of JwtRequirement. Their results are AND-ed.
 All of them must pass, if one of them fails or missing, it fails.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList requires_all = 4;
      Returns:
      The requiresAll.

    • getRequiresAllOrBuilder

      JwtRequirementAndListOrBuilder getRequiresAllOrBuilder()
       Specify list of JwtRequirement. Their results are AND-ed.
 All of them must pass, if one of them fails or missing, it fails.
      .envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList requires_all = 4;

    • hasAllowMissingOrFailed

      boolean hasAllowMissingOrFailed()
       The requirement is always satisfied even if JWT is missing or the JWT
 verification fails. A typical usage is: this filter is used to only verify
 JWTs and pass the verified JWT payloads to another filter, the other filter
 will make decision. In this mode, all JWTs will be verified.
      .google.protobuf.Empty allow_missing_or_failed = 5;
      Returns:
      Whether the allowMissingOrFailed field is set.

    • getAllowMissingOrFailed

      com.google.protobuf.Empty getAllowMissingOrFailed()
       The requirement is always satisfied even if JWT is missing or the JWT
 verification fails. A typical usage is: this filter is used to only verify
 JWTs and pass the verified JWT payloads to another filter, the other filter
 will make decision. In this mode, all JWTs will be verified.
      .google.protobuf.Empty allow_missing_or_failed = 5;
      Returns:
      The allowMissingOrFailed.

    • getAllowMissingOrFailedOrBuilder

      com.google.protobuf.EmptyOrBuilder getAllowMissingOrFailedOrBuilder()
       The requirement is always satisfied even if JWT is missing or the JWT
 verification fails. A typical usage is: this filter is used to only verify
 JWTs and pass the verified JWT payloads to another filter, the other filter
 will make decision. In this mode, all JWTs will be verified.
      .google.protobuf.Empty allow_missing_or_failed = 5;

    • hasAllowMissing

      boolean hasAllowMissing()
       The requirement is satisfied if JWT is missing, but failed if JWT is
 presented but invalid. Similar to allow_missing_or_failed, this is used
 to only verify JWTs and pass the verified payload to another filter. The
 different is this mode will reject requests with invalid tokens.
      .google.protobuf.Empty allow_missing = 6;
      Returns:
      Whether the allowMissing field is set.

    • getAllowMissing

      com.google.protobuf.Empty getAllowMissing()
       The requirement is satisfied if JWT is missing, but failed if JWT is
 presented but invalid. Similar to allow_missing_or_failed, this is used
 to only verify JWTs and pass the verified payload to another filter. The
 different is this mode will reject requests with invalid tokens.
      .google.protobuf.Empty allow_missing = 6;
      Returns:
      The allowMissing.

    • getAllowMissingOrBuilder

      com.google.protobuf.EmptyOrBuilder getAllowMissingOrBuilder()
       The requirement is satisfied if JWT is missing, but failed if JWT is
 presented but invalid. Similar to allow_missing_or_failed, this is used
 to only verify JWTs and pass the verified payload to another filter. The
 different is this mode will reject requests with invalid tokens.
      .google.protobuf.Empty allow_missing = 6;

    • hasExtractOnlyWithoutValidation

      boolean hasExtractOnlyWithoutValidation()
       Extract JWT claims without performing signature validation.
 This mode will decode the JWT, extract claims, and forward them as
 configured (via claim_to_headers, forward_payload_header, etc.) but
 will NOT verify the JWT signature against JWKS.

 .. warning::

    This mode does not verify JWT authenticity. Use only in scenarios where:

    - JWTs come from a trusted source (e.g., internal service mesh)
    - Signature verification is performed elsewhere in the request path
    - You are in a testing period and the token issuer doesn't support JWKS yet

 This mode will:

 * Decode the JWT header and payload
 * Extract claims and forward them as headers
 * Always return success (Status::Ok) regardless of JWT validity
 * Log when extraction occurs

 This mode will NOT:

 * Verify the JWT signature
 * Validate the (issuer) claim
 * Validate the (audience) claim
 * Check not-before time (nbf claim)
      .envoy.extensions.filters.http.jwt_authn.v3.ExtractOnlyWithoutValidation extract_only_without_validation = 7;
      Returns:
      Whether the extractOnlyWithoutValidation field is set.

    • getExtractOnlyWithoutValidation

      ExtractOnlyWithoutValidation getExtractOnlyWithoutValidation()
       Extract JWT claims without performing signature validation.
 This mode will decode the JWT, extract claims, and forward them as
 configured (via claim_to_headers, forward_payload_header, etc.) but
 will NOT verify the JWT signature against JWKS.

 .. warning::

    This mode does not verify JWT authenticity. Use only in scenarios where:

    - JWTs come from a trusted source (e.g., internal service mesh)
    - Signature verification is performed elsewhere in the request path
    - You are in a testing period and the token issuer doesn't support JWKS yet

 This mode will:

 * Decode the JWT header and payload
 * Extract claims and forward them as headers
 * Always return success (Status::Ok) regardless of JWT validity
 * Log when extraction occurs

 This mode will NOT:

 * Verify the JWT signature
 * Validate the (issuer) claim
 * Validate the (audience) claim
 * Check not-before time (nbf claim)
      .envoy.extensions.filters.http.jwt_authn.v3.ExtractOnlyWithoutValidation extract_only_without_validation = 7;
      Returns:
      The extractOnlyWithoutValidation.

    • getExtractOnlyWithoutValidationOrBuilder

      ExtractOnlyWithoutValidationOrBuilder getExtractOnlyWithoutValidationOrBuilder()
       Extract JWT claims without performing signature validation.
 This mode will decode the JWT, extract claims, and forward them as
 configured (via claim_to_headers, forward_payload_header, etc.) but
 will NOT verify the JWT signature against JWKS.

 .. warning::

    This mode does not verify JWT authenticity. Use only in scenarios where:

    - JWTs come from a trusted source (e.g., internal service mesh)
    - Signature verification is performed elsewhere in the request path
    - You are in a testing period and the token issuer doesn't support JWKS yet

 This mode will:

 * Decode the JWT header and payload
 * Extract claims and forward them as headers
 * Always return success (Status::Ok) regardless of JWT validity
 * Log when extraction occurs

 This mode will NOT:

 * Verify the JWT signature
 * Validate the (issuer) claim
 * Validate the (audience) claim
 * Check not-before time (nbf claim)
      .envoy.extensions.filters.http.jwt_authn.v3.ExtractOnlyWithoutValidation extract_only_without_validation = 7;

    • getRequiresTypeCase

      JwtRequirement.RequiresTypeCase getRequiresTypeCase()