Package io.envoyproxy.envoy.extensions.filters.http.oauth2.v3

Interface OAuth2ConfigOrBuilder

All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
All Known Implementing Classes:
OAuth2Config, OAuth2Config.Builder
public interface OAuth2ConfigOrBuilder extends com.google.protobuf.MessageOrBuilder

  • Method Details

    • hasTokenEndpoint

      boolean hasTokenEndpoint()
       Endpoint on the authorization server to retrieve the access token from.
      .envoy.config.core.v3.HttpUri token_endpoint = 1;
      Returns:
      Whether the tokenEndpoint field is set.

    • getTokenEndpoint

      HttpUri getTokenEndpoint()
       Endpoint on the authorization server to retrieve the access token from.
      .envoy.config.core.v3.HttpUri token_endpoint = 1;
      Returns:
      The tokenEndpoint.

    • getTokenEndpointOrBuilder

      HttpUriOrBuilder getTokenEndpointOrBuilder()
       Endpoint on the authorization server to retrieve the access token from.
      .envoy.config.core.v3.HttpUri token_endpoint = 1;

    • hasRetryPolicy

      boolean hasRetryPolicy()
       Specifies the retry policy for requests to the OAuth server. If not specified, then no retries will be performed.
      .envoy.config.core.v3.RetryPolicy retry_policy = 18;
      Returns:
      Whether the retryPolicy field is set.

    • getRetryPolicy

      RetryPolicy getRetryPolicy()
       Specifies the retry policy for requests to the OAuth server. If not specified, then no retries will be performed.
      .envoy.config.core.v3.RetryPolicy retry_policy = 18;
      Returns:
      The retryPolicy.

    • getRetryPolicyOrBuilder

      RetryPolicyOrBuilder getRetryPolicyOrBuilder()
       Specifies the retry policy for requests to the OAuth server. If not specified, then no retries will be performed.
      .envoy.config.core.v3.RetryPolicy retry_policy = 18;

    • getAuthorizationEndpoint

      String getAuthorizationEndpoint()
       The endpoint redirect to for authorization in response to unauthorized requests.
      string authorization_endpoint = 2 [(.validate.rules) = { ... }
      Returns:
      The authorizationEndpoint.

    • getAuthorizationEndpointBytes

      com.google.protobuf.ByteString getAuthorizationEndpointBytes()
       The endpoint redirect to for authorization in response to unauthorized requests.
      string authorization_endpoint = 2 [(.validate.rules) = { ... }
      Returns:
      The bytes for authorizationEndpoint.

    • getEndSessionEndpoint

      String getEndSessionEndpoint()
       The endpoint at the authorization server to request the user be logged out of the Authorization server.
 This field is optional and should be set only if openid is in the auth_scopes and the authorization server
 supports the OpenID Connect RP-Initiated Logout specification.
 For more information, see https://openid.net/specs/openid-connect-rpinitiated-1_0.html

 If configured, the OAuth2 filter will redirect users to this endpoint when they access the signout_path.
      string end_session_endpoint = 23;
      Returns:
      The endSessionEndpoint.

    • getEndSessionEndpointBytes

      com.google.protobuf.ByteString getEndSessionEndpointBytes()
       The endpoint at the authorization server to request the user be logged out of the Authorization server.
 This field is optional and should be set only if openid is in the auth_scopes and the authorization server
 supports the OpenID Connect RP-Initiated Logout specification.
 For more information, see https://openid.net/specs/openid-connect-rpinitiated-1_0.html

 If configured, the OAuth2 filter will redirect users to this endpoint when they access the signout_path.
      string end_session_endpoint = 23;
      Returns:
      The bytes for endSessionEndpoint.

    • hasCredentials

      boolean hasCredentials()
       Credentials used for OAuth.
      .envoy.extensions.filters.http.oauth2.v3.OAuth2Credentials credentials = 3 [(.validate.rules) = { ... }
      Returns:
      Whether the credentials field is set.

    • getCredentials

      OAuth2Credentials getCredentials()
       Credentials used for OAuth.
      .envoy.extensions.filters.http.oauth2.v3.OAuth2Credentials credentials = 3 [(.validate.rules) = { ... }
      Returns:
      The credentials.

    • getCredentialsOrBuilder

      OAuth2CredentialsOrBuilder getCredentialsOrBuilder()
       Credentials used for OAuth.
      .envoy.extensions.filters.http.oauth2.v3.OAuth2Credentials credentials = 3 [(.validate.rules) = { ... }

    • getRedirectUri

      String getRedirectUri()
       The redirect URI passed to the authorization endpoint. Supports header formatting
 tokens. For more information, including details on header value syntax, see the
 documentation on :ref:`custom request headers <config_http_conn_man_headers_custom_request_headers>`.

 This URI should not contain any query parameters.
      string redirect_uri = 4 [(.validate.rules) = { ... }
      Returns:
      The redirectUri.

    • getRedirectUriBytes

      com.google.protobuf.ByteString getRedirectUriBytes()
       The redirect URI passed to the authorization endpoint. Supports header formatting
 tokens. For more information, including details on header value syntax, see the
 documentation on :ref:`custom request headers <config_http_conn_man_headers_custom_request_headers>`.

 This URI should not contain any query parameters.
      string redirect_uri = 4 [(.validate.rules) = { ... }
      Returns:
      The bytes for redirectUri.

    • hasRedirectPathMatcher

      boolean hasRedirectPathMatcher()
       Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.
      .envoy.type.matcher.v3.PathMatcher redirect_path_matcher = 5 [(.validate.rules) = { ... }
      Returns:
      Whether the redirectPathMatcher field is set.

    • getRedirectPathMatcher

      PathMatcher getRedirectPathMatcher()
       Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.
      .envoy.type.matcher.v3.PathMatcher redirect_path_matcher = 5 [(.validate.rules) = { ... }
      Returns:
      The redirectPathMatcher.

    • getRedirectPathMatcherOrBuilder

      PathMatcherOrBuilder getRedirectPathMatcherOrBuilder()
       Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.
      .envoy.type.matcher.v3.PathMatcher redirect_path_matcher = 5 [(.validate.rules) = { ... }

    • hasSignoutPath

      boolean hasSignoutPath()
       The path to sign a user out, clearing their credential cookies.
      .envoy.type.matcher.v3.PathMatcher signout_path = 6 [(.validate.rules) = { ... }
      Returns:
      Whether the signoutPath field is set.

    • getSignoutPath

      PathMatcher getSignoutPath()
       The path to sign a user out, clearing their credential cookies.
      .envoy.type.matcher.v3.PathMatcher signout_path = 6 [(.validate.rules) = { ... }
      Returns:
      The signoutPath.

    • getSignoutPathOrBuilder

      PathMatcherOrBuilder getSignoutPathOrBuilder()
       The path to sign a user out, clearing their credential cookies.
      .envoy.type.matcher.v3.PathMatcher signout_path = 6 [(.validate.rules) = { ... }

    • getForwardBearerToken

      boolean getForwardBearerToken()
       Forward the OAuth token as a Bearer to upstream web service.
      bool forward_bearer_token = 7;
      Returns:
      The forwardBearerToken.

    • getPreserveAuthorizationHeader

      boolean getPreserveAuthorizationHeader()
       If set to true, preserve the existing authorization header.
 By default the client strips the existing authorization header before forwarding upstream.
 Can not be set to true if forward_bearer_token is already set to true.
 Default value is false.
      bool preserve_authorization_header = 16;
      Returns:
      The preserveAuthorizationHeader.

    • getPassThroughMatcherList

      List<HeaderMatcher> getPassThroughMatcherList()
       Any request that matches any of the provided matchers will be passed through without OAuth validation.
      repeated .envoy.config.route.v3.HeaderMatcher pass_through_matcher = 8;

    • getPassThroughMatcher

      HeaderMatcher getPassThroughMatcher(int index)
       Any request that matches any of the provided matchers will be passed through without OAuth validation.
      repeated .envoy.config.route.v3.HeaderMatcher pass_through_matcher = 8;

    • getPassThroughMatcherCount

      int getPassThroughMatcherCount()
       Any request that matches any of the provided matchers will be passed through without OAuth validation.
      repeated .envoy.config.route.v3.HeaderMatcher pass_through_matcher = 8;

    • getPassThroughMatcherOrBuilderList

      List<? extends HeaderMatcherOrBuilder> getPassThroughMatcherOrBuilderList()
       Any request that matches any of the provided matchers will be passed through without OAuth validation.
      repeated .envoy.config.route.v3.HeaderMatcher pass_through_matcher = 8;

    • getPassThroughMatcherOrBuilder

      HeaderMatcherOrBuilder getPassThroughMatcherOrBuilder(int index)
       Any request that matches any of the provided matchers will be passed through without OAuth validation.
      repeated .envoy.config.route.v3.HeaderMatcher pass_through_matcher = 8;

    • getAuthScopesList

      List<String> getAuthScopesList()
       Optional list of OAuth scopes to be claimed in the authorization request. If not specified,
 defaults to "user" scope.
 OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3
      repeated string auth_scopes = 9;
      Returns:
      A list containing the authScopes.

    • getAuthScopesCount

      int getAuthScopesCount()
       Optional list of OAuth scopes to be claimed in the authorization request. If not specified,
 defaults to "user" scope.
 OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3
      repeated string auth_scopes = 9;
      Returns:
      The count of authScopes.

    • getAuthScopes

      String getAuthScopes(int index)
       Optional list of OAuth scopes to be claimed in the authorization request. If not specified,
 defaults to "user" scope.
 OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3
      repeated string auth_scopes = 9;
      Parameters:
      index - The index of the element to return.
      Returns:
      The authScopes at the given index.

    • getAuthScopesBytes

      com.google.protobuf.ByteString getAuthScopesBytes(int index)
       Optional list of OAuth scopes to be claimed in the authorization request. If not specified,
 defaults to "user" scope.
 OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3
      repeated string auth_scopes = 9;
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the authScopes at the given index.

    • getResourcesList

      List<String> getResourcesList()
       Optional resource parameter for authorization request
 RFC: https://tools.ietf.org/html/rfc8707
      repeated string resources = 10;
      Returns:
      A list containing the resources.

    • getResourcesCount

      int getResourcesCount()
       Optional resource parameter for authorization request
 RFC: https://tools.ietf.org/html/rfc8707
      repeated string resources = 10;
      Returns:
      The count of resources.

    • getResources

      String getResources(int index)
       Optional resource parameter for authorization request
 RFC: https://tools.ietf.org/html/rfc8707
      repeated string resources = 10;
      Parameters:
      index - The index of the element to return.
      Returns:
      The resources at the given index.

    • getResourcesBytes

      com.google.protobuf.ByteString getResourcesBytes(int index)
       Optional resource parameter for authorization request
 RFC: https://tools.ietf.org/html/rfc8707
      repeated string resources = 10;
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the resources at the given index.

    • getAuthTypeValue

      int getAuthTypeValue()
       Defines how ``client_id`` and ``client_secret`` are sent in OAuth client to OAuth server requests.
 RFC https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
      .envoy.extensions.filters.http.oauth2.v3.OAuth2Config.AuthType auth_type = 11 [(.validate.rules) = { ... }
      Returns:
      The enum numeric value on the wire for authType.

    • getAuthType

      OAuth2Config.AuthType getAuthType()
       Defines how ``client_id`` and ``client_secret`` are sent in OAuth client to OAuth server requests.
 RFC https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
      .envoy.extensions.filters.http.oauth2.v3.OAuth2Config.AuthType auth_type = 11 [(.validate.rules) = { ... }
      Returns:
      The authType.

    • hasUseRefreshToken

      boolean hasUseRefreshToken()
       If set to true, allows automatic access token refresh using the associated refresh token (see
 `RFC 6749 section 6 <https://datatracker.ietf.org/doc/html/rfc6749#section-6>`_), provided that the OAuth server supports that.
 Default value is true.
      .google.protobuf.BoolValue use_refresh_token = 12;
      Returns:
      Whether the useRefreshToken field is set.

    • getUseRefreshToken

      com.google.protobuf.BoolValue getUseRefreshToken()
       If set to true, allows automatic access token refresh using the associated refresh token (see
 `RFC 6749 section 6 <https://datatracker.ietf.org/doc/html/rfc6749#section-6>`_), provided that the OAuth server supports that.
 Default value is true.
      .google.protobuf.BoolValue use_refresh_token = 12;
      Returns:
      The useRefreshToken.

    • getUseRefreshTokenOrBuilder

      com.google.protobuf.BoolValueOrBuilder getUseRefreshTokenOrBuilder()
       If set to true, allows automatic access token refresh using the associated refresh token (see
 `RFC 6749 section 6 <https://datatracker.ietf.org/doc/html/rfc6749#section-6>`_), provided that the OAuth server supports that.
 Default value is true.
      .google.protobuf.BoolValue use_refresh_token = 12;

    • hasDefaultExpiresIn

      boolean hasDefaultExpiresIn()
       The default lifetime in seconds of the access token, if omitted by the authorization server.

 If this value is not set, it will default to ``0s``. In this case, the expiry must be set by
 the authorization server or the OAuth flow will fail.
      .google.protobuf.Duration default_expires_in = 13;
      Returns:
      Whether the defaultExpiresIn field is set.

    • getDefaultExpiresIn

      com.google.protobuf.Duration getDefaultExpiresIn()
       The default lifetime in seconds of the access token, if omitted by the authorization server.

 If this value is not set, it will default to ``0s``. In this case, the expiry must be set by
 the authorization server or the OAuth flow will fail.
      .google.protobuf.Duration default_expires_in = 13;
      Returns:
      The defaultExpiresIn.

    • getDefaultExpiresInOrBuilder

      com.google.protobuf.DurationOrBuilder getDefaultExpiresInOrBuilder()
       The default lifetime in seconds of the access token, if omitted by the authorization server.

 If this value is not set, it will default to ``0s``. In this case, the expiry must be set by
 the authorization server or the OAuth flow will fail.
      .google.protobuf.Duration default_expires_in = 13;

    • getDenyRedirectMatcherList

      List<HeaderMatcher> getDenyRedirectMatcherList()
       Any request that matches any of the provided matchers won't be redirected to OAuth server when tokens are not valid.
 Automatic access token refresh will be performed for these requests, if enabled.
 This behavior can be useful for AJAX requests.
      repeated .envoy.config.route.v3.HeaderMatcher deny_redirect_matcher = 14;

    • getDenyRedirectMatcher

      HeaderMatcher getDenyRedirectMatcher(int index)
       Any request that matches any of the provided matchers won't be redirected to OAuth server when tokens are not valid.
 Automatic access token refresh will be performed for these requests, if enabled.
 This behavior can be useful for AJAX requests.
      repeated .envoy.config.route.v3.HeaderMatcher deny_redirect_matcher = 14;

    • getDenyRedirectMatcherCount

      int getDenyRedirectMatcherCount()
       Any request that matches any of the provided matchers won't be redirected to OAuth server when tokens are not valid.
 Automatic access token refresh will be performed for these requests, if enabled.
 This behavior can be useful for AJAX requests.
      repeated .envoy.config.route.v3.HeaderMatcher deny_redirect_matcher = 14;

    • getDenyRedirectMatcherOrBuilderList

      List<? extends HeaderMatcherOrBuilder> getDenyRedirectMatcherOrBuilderList()
       Any request that matches any of the provided matchers won't be redirected to OAuth server when tokens are not valid.
 Automatic access token refresh will be performed for these requests, if enabled.
 This behavior can be useful for AJAX requests.
      repeated .envoy.config.route.v3.HeaderMatcher deny_redirect_matcher = 14;

    • getDenyRedirectMatcherOrBuilder

      HeaderMatcherOrBuilder getDenyRedirectMatcherOrBuilder(int index)
       Any request that matches any of the provided matchers won't be redirected to OAuth server when tokens are not valid.
 Automatic access token refresh will be performed for these requests, if enabled.
 This behavior can be useful for AJAX requests.
      repeated .envoy.config.route.v3.HeaderMatcher deny_redirect_matcher = 14;

    • hasDefaultRefreshTokenExpiresIn

      boolean hasDefaultRefreshTokenExpiresIn()
       The default lifetime in seconds of the refresh token, if the exp (expiration time) claim is omitted in the refresh token or the refresh token is not JWT.

 If this value is not set, it will default to ``604800s``. In this case, the cookie with the refresh token will be expired
 in a week.
 This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``default_expires_in`` is used.
      .google.protobuf.Duration default_refresh_token_expires_in = 15;
      Returns:
      Whether the defaultRefreshTokenExpiresIn field is set.

    • getDefaultRefreshTokenExpiresIn

      com.google.protobuf.Duration getDefaultRefreshTokenExpiresIn()
       The default lifetime in seconds of the refresh token, if the exp (expiration time) claim is omitted in the refresh token or the refresh token is not JWT.

 If this value is not set, it will default to ``604800s``. In this case, the cookie with the refresh token will be expired
 in a week.
 This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``default_expires_in`` is used.
      .google.protobuf.Duration default_refresh_token_expires_in = 15;
      Returns:
      The defaultRefreshTokenExpiresIn.

    • getDefaultRefreshTokenExpiresInOrBuilder

      com.google.protobuf.DurationOrBuilder getDefaultRefreshTokenExpiresInOrBuilder()
       The default lifetime in seconds of the refresh token, if the exp (expiration time) claim is omitted in the refresh token or the refresh token is not JWT.

 If this value is not set, it will default to ``604800s``. In this case, the cookie with the refresh token will be expired
 in a week.
 This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``default_expires_in`` is used.
      .google.protobuf.Duration default_refresh_token_expires_in = 15;

    • getDisableIdTokenSetCookie

      boolean getDisableIdTokenSetCookie()
       If set to true, the client will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID
 Token is too large for HTTP cookies (longer than 4096 characters). Enabling this option will only disable setting the cookie response header, the filter
 will still process incoming ID Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
 sessions would not set the IdToken cookie header.
      bool disable_id_token_set_cookie = 17;
      Returns:
      The disableIdTokenSetCookie.

    • getDisableAccessTokenSetCookie

      boolean getDisableAccessTokenSetCookie()
       If set to true, the client will not set a cookie for Access Token even if one is received from the Identity Provider.
 Enabling this option will only disable setting the cookie response header, the filter
 will still process incoming Access Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
 sessions would not set the Access Token cookie header.
      bool disable_access_token_set_cookie = 19;
      Returns:
      The disableAccessTokenSetCookie.

    • getDisableRefreshTokenSetCookie

      boolean getDisableRefreshTokenSetCookie()
       If set to true, the client will not set a cookie for Refresh Token even if one is received from the Identity Provider.
 Enabling this option will only disable setting the cookie response header, the filter
 will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
 sessions would not set the Refresh Token cookie header.
      bool disable_refresh_token_set_cookie = 20;
      Returns:
      The disableRefreshTokenSetCookie.

    • hasCookieConfigs

      boolean hasCookieConfigs()
       Controls for attributes that can be set on the cookies.
      .envoy.extensions.filters.http.oauth2.v3.CookieConfigs cookie_configs = 21;
      Returns:
      Whether the cookieConfigs field is set.

    • getCookieConfigs

      CookieConfigs getCookieConfigs()
       Controls for attributes that can be set on the cookies.
      .envoy.extensions.filters.http.oauth2.v3.CookieConfigs cookie_configs = 21;
      Returns:
      The cookieConfigs.

    • getCookieConfigsOrBuilder

      CookieConfigsOrBuilder getCookieConfigsOrBuilder()
       Controls for attributes that can be set on the cookies.
      .envoy.extensions.filters.http.oauth2.v3.CookieConfigs cookie_configs = 21;

    • getStatPrefix

      String getStatPrefix()
       Optional additional prefix to use when emitting statistics.
      string stat_prefix = 22;
      Returns:
      The statPrefix.

    • getStatPrefixBytes

      com.google.protobuf.ByteString getStatPrefixBytes()
       Optional additional prefix to use when emitting statistics.
      string stat_prefix = 22;
      Returns:
      The bytes for statPrefix.

    • hasCsrfTokenExpiresIn

      boolean hasCsrfTokenExpiresIn()
       Optional expiration time for the CSRF protection token cookie.
 The CSRF token prevents cross-site request forgery attacks during the OAuth2 flow.
 If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time
 for users to complete the OAuth2 authorization flow.
      .google.protobuf.Duration csrf_token_expires_in = 24;
      Returns:
      Whether the csrfTokenExpiresIn field is set.

    • getCsrfTokenExpiresIn

      com.google.protobuf.Duration getCsrfTokenExpiresIn()
       Optional expiration time for the CSRF protection token cookie.
 The CSRF token prevents cross-site request forgery attacks during the OAuth2 flow.
 If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time
 for users to complete the OAuth2 authorization flow.
      .google.protobuf.Duration csrf_token_expires_in = 24;
      Returns:
      The csrfTokenExpiresIn.

    • getCsrfTokenExpiresInOrBuilder

      com.google.protobuf.DurationOrBuilder getCsrfTokenExpiresInOrBuilder()
       Optional expiration time for the CSRF protection token cookie.
 The CSRF token prevents cross-site request forgery attacks during the OAuth2 flow.
 If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time
 for users to complete the OAuth2 authorization flow.
      .google.protobuf.Duration csrf_token_expires_in = 24;

    • hasCodeVerifierTokenExpiresIn

      boolean hasCodeVerifierTokenExpiresIn()
       Optional expiration time for the code verifier cookie.
 The code verifier is stored in a secure, HTTP-only cookie during the OAuth2 authorization process.
 If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time
 for users to complete the OAuth2 authorization flow.
      .google.protobuf.Duration code_verifier_token_expires_in = 25;
      Returns:
      Whether the codeVerifierTokenExpiresIn field is set.

    • getCodeVerifierTokenExpiresIn

      com.google.protobuf.Duration getCodeVerifierTokenExpiresIn()
       Optional expiration time for the code verifier cookie.
 The code verifier is stored in a secure, HTTP-only cookie during the OAuth2 authorization process.
 If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time
 for users to complete the OAuth2 authorization flow.
      .google.protobuf.Duration code_verifier_token_expires_in = 25;
      Returns:
      The codeVerifierTokenExpiresIn.

    • getCodeVerifierTokenExpiresInOrBuilder

      com.google.protobuf.DurationOrBuilder getCodeVerifierTokenExpiresInOrBuilder()
       Optional expiration time for the code verifier cookie.
 The code verifier is stored in a secure, HTTP-only cookie during the OAuth2 authorization process.
 If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time
 for users to complete the OAuth2 authorization flow.
      .google.protobuf.Duration code_verifier_token_expires_in = 25;

    • getDisableTokenEncryption

      boolean getDisableTokenEncryption()
       Disable token encryption. When set to true, both the access token and the ID token will be stored in plain text.
 This option should only be used in secure environments where token encryption is not required.
 Default is false (tokens are encrypted).
      bool disable_token_encryption = 26;
      Returns:
      The disableTokenEncryption.