public static final class JwtProvider.Builder extends com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder> implements JwtProviderOrBuilder
See the following for the JWT authentication flow:
* `JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>`_
* `The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>`_
* `OpenID Connect <http://openid.net/connect>`_
A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:
* issuer: the principal that issues the JWT. If specified, it has to match the *iss* field in JWT.
* allowed audiences: the ones in the token have to be listed here.
* how to fetch the public key set (JWKS) used to verify the token signature.
* how to extract the JWT from the request.
* how to pass the successfully verified token payload.
Example:
.. code-block:: yaml

  issuer: https://example.com
  audiences:
  - bookstore_android.apps.googleusercontent.com
  - bookstore_web.apps.googleusercontent.com
  remote_jwks:
    http_uri:
      uri: https://example.com/.well-known/jwks.json
      cluster: example_jwks_cluster
      timeout: 1s
    cache_duration:
      seconds: 300

[#next-free-field: 11]
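An added example, not part of the generated Javadoc or of the Envoy project's code: it builds the provider from the YAML example with this builder, then audits a provider for the settings this page documents as skipping a check (empty issuer, empty audiences) plus the JWKS source and token-handling options. The `io.envoyproxy...` package names assume the java-control-plane `api` artifact and `protobuf-java` are on the classpath; `JwtProviderAudit`, its finding strings and the `jwt_token` parameter name are hypothetical.

```java
import com.google.protobuf.Duration;
import io.envoyproxy.envoy.config.core.v3.HttpUri;
import io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3.JwtProvider;
import io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3.JwtProviderOrBuilder;
import io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Hypothetical helper (not Envoy code): builds a JwtProvider and audits its settings. */
public final class JwtProviderAudit {

  /** The YAML example from the class description, expressed with the generated builder. */
  static JwtProvider exampleProvider() {
    return JwtProvider.newBuilder()
        .setIssuer("https://example.com")
        .addAudiences("bookstore_android.apps.googleusercontent.com")
        .addAudiences("bookstore_web.apps.googleusercontent.com")
        .setRemoteJwks(RemoteJwks.newBuilder()
            .setHttpUri(HttpUri.newBuilder()
                .setUri("https://example.com/.well-known/jwks.json")
                .setCluster("example_jwks_cluster")
                .setTimeout(Duration.newBuilder().setSeconds(1)))
            .setCacheDuration(Duration.newBuilder().setSeconds(300)))
        .build();
  }

  /** Returns one finding per setting that skips a check or widens token exposure. */
  static List<String> audit(JwtProviderOrBuilder p) {
    List<String> findings = new ArrayList<>();

    // Per the issuer docs: if this field is not specified, the iss claim is not checked.
    if (p.getIssuer().isEmpty()) {
      findings.add("issuer is empty: the token's iss claim is not checked");
    }
    // Per the audiences docs: if not specified, audiences in the token are not checked.
    if (p.getAudiencesCount() == 0) {
      findings.add("audiences is empty: the token's aud claim is not checked");
    }
    // The signature can only be verified against a configured key set.
    if (!p.hasRemoteJwks() && !p.hasLocalJwks()) {
      findings.add("no JWKS source: neither remote_jwks nor local_jwks is set");
    }
    // remote_jwks allows HTTP or HTTPS; keys fetched over plain HTTP can be altered in transit.
    if (p.hasRemoteJwks()) {
      String uri = p.getRemoteJwks().getHttpUri().getUri();
      if (!uri.toLowerCase(Locale.ROOT).startsWith("https://")) {
        findings.add("remote_jwks uri is not HTTPS: " + uri);
      }
    }
    // Tokens carried in the query string tend to end up in access logs and proxies.
    if (p.getFromParamsCount() > 0) {
      findings.add("JWT accepted from query parameters " + p.getFromParamsList());
    }
    // forward=false removes the JWT after verification; true passes it to the backend.
    if (p.getForward()) {
      findings.add("forward is true: the verified JWT is passed on to the backend");
    }
    return findings;
  }

  public static void main(String[] args) {
    JwtProvider good = exampleProvider();
    System.out.println("example provider findings: " + audit(good));

    // Constructed weak variant of the same provider, for comparison only.
    JwtProvider.Builder weak = good.toBuilder()
        .clearIssuer()
        .clearAudiences()
        .addFromParams("jwt_token")
        .setForward(true);
    weak.getRemoteJwksBuilder().getHttpUriBuilder()
        .setUri("http://example.com/.well-known/jwks.json");

    for (String finding : audit(weak)) {
      System.out.println("weak provider: " + finding);
    }
  }
}
```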
Protobuf type envoy.extensions.filters.http.jwt_authn.v3.JwtProvider

| Modifier and Type | Method and Description |
|---|---|
| JwtProvider.Builder | addAllAudiences(Iterable<String> values) The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. |
| JwtProvider.Builder | addAllFromHeaders(Iterable<? extends JwtHeader> values) Two fields below define where to extract the JWT from an HTTP request. |
| JwtProvider.Builder | addAllFromParams(Iterable<String> values) JWT is sent in a query parameter. |
| JwtProvider.Builder | addAudiences(String value) The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. |
| JwtProvider.Builder | addAudiencesBytes(com.google.protobuf.ByteString value) The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. |
| JwtProvider.Builder | addFromHeaders(int index, JwtHeader.Builder builderForValue) Two fields below define where to extract the JWT from an HTTP request. |
| JwtProvider.Builder | addFromHeaders(int index, JwtHeader value) Two fields below define where to extract the JWT from an HTTP request. |
| JwtProvider.Builder | addFromHeaders(JwtHeader.Builder builderForValue) Two fields below define where to extract the JWT from an HTTP request. |
| JwtProvider.Builder | addFromHeaders(JwtHeader value) Two fields below define where to extract the JWT from an HTTP request. |
| JwtHeader.Builder | addFromHeadersBuilder() Two fields below define where to extract the JWT from an HTTP request. |
| JwtHeader.Builder | addFromHeadersBuilder(int index) Two fields below define where to extract the JWT from an HTTP request. |
| JwtProvider.Builder | addFromParams(String value) JWT is sent in a query parameter. |
| JwtProvider.Builder | addFromParamsBytes(com.google.protobuf.ByteString value) JWT is sent in a query parameter. |
| JwtProvider.Builder | addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value) |
| JwtProvider | build() |
| JwtProvider | buildPartial() |
| JwtProvider.Builder | clear() |
| JwtProvider.Builder | clearAudiences() The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. |
| JwtProvider.Builder | clearClockSkewSeconds() Specify the clock skew in seconds when verifying JWT time constraint, such as `exp`, and `nbf`. |
| JwtProvider.Builder | clearField(com.google.protobuf.Descriptors.FieldDescriptor field) |
| JwtProvider.Builder | clearForward() If false, the JWT is removed in the request after a success verification. |
| JwtProvider.Builder | clearForwardPayloadHeader() This field specifies the header name to forward a successfully verified JWT payload to the backend. |
| JwtProvider.Builder | clearFromHeaders() Two fields below define where to extract the JWT from an HTTP request. |
| JwtProvider.Builder | clearFromParams() JWT is sent in a query parameter. |
| JwtProvider.Builder | clearIssuer() Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address. |
| JwtProvider.Builder | clearJwksSourceSpecifier() |
| JwtProvider.Builder | clearLocalJwks() JWKS is in local data source. |
| JwtProvider.Builder | clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof) |
| JwtProvider.Builder | clearPayloadInMetadata() If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** The value is the *protobuf::Struct*. |
| JwtProvider.Builder | clearRemoteJwks() JWKS can be fetched from remote server via HTTP/HTTPS. |
| JwtProvider.Builder | clone() |
| String | getAudiences(int index) The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. |
| com.google.protobuf.ByteString | getAudiencesBytes(int index) The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. |
| int | getAudiencesCount() The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. |
| com.google.protobuf.ProtocolStringList | getAudiencesList() The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. |
| int | getClockSkewSeconds() Specify the clock skew in seconds when verifying JWT time constraint, such as `exp`, and `nbf`. |
| JwtProvider | getDefaultInstanceForType() |
| static com.google.protobuf.Descriptors.Descriptor | getDescriptor() |
| com.google.protobuf.Descriptors.Descriptor | getDescriptorForType() |
| boolean | getForward() If false, the JWT is removed in the request after a success verification. |
| String | getForwardPayloadHeader() This field specifies the header name to forward a successfully verified JWT payload to the backend. |
| com.google.protobuf.ByteString | getForwardPayloadHeaderBytes() This field specifies the header name to forward a successfully verified JWT payload to the backend. |
| JwtHeader | getFromHeaders(int index) Two fields below define where to extract the JWT from an HTTP request. |
| JwtHeader.Builder | getFromHeadersBuilder(int index) Two fields below define where to extract the JWT from an HTTP request. |
| List<JwtHeader.Builder> | getFromHeadersBuilderList() Two fields below define where to extract the JWT from an HTTP request. |
| int | getFromHeadersCount() Two fields below define where to extract the JWT from an HTTP request. |
| List<JwtHeader> | getFromHeadersList() Two fields below define where to extract the JWT from an HTTP request. |
| JwtHeaderOrBuilder | getFromHeadersOrBuilder(int index) Two fields below define where to extract the JWT from an HTTP request. |
| List<? extends JwtHeaderOrBuilder> | getFromHeadersOrBuilderList() Two fields below define where to extract the JWT from an HTTP request. |
| String | getFromParams(int index) JWT is sent in a query parameter. |
| com.google.protobuf.ByteString | getFromParamsBytes(int index) JWT is sent in a query parameter. |
| int | getFromParamsCount() JWT is sent in a query parameter. |
| com.google.protobuf.ProtocolStringList | getFromParamsList() JWT is sent in a query parameter. |
| String | getIssuer() Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address. |
| com.google.protobuf.ByteString | getIssuerBytes() Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address. |
| JwtProvider.JwksSourceSpecifierCase | getJwksSourceSpecifierCase() |
| DataSource | getLocalJwks() JWKS is in local data source. |
| DataSource.Builder | getLocalJwksBuilder() JWKS is in local data source. |
| DataSourceOrBuilder | getLocalJwksOrBuilder() JWKS is in local data source. |
| String | getPayloadInMetadata() If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** The value is the *protobuf::Struct*. |
| com.google.protobuf.ByteString | getPayloadInMetadataBytes() If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** The value is the *protobuf::Struct*. |
| RemoteJwks | getRemoteJwks() JWKS can be fetched from remote server via HTTP/HTTPS. |
| RemoteJwks.Builder | getRemoteJwksBuilder() JWKS can be fetched from remote server via HTTP/HTTPS. |
| RemoteJwksOrBuilder | getRemoteJwksOrBuilder() JWKS can be fetched from remote server via HTTP/HTTPS. |
| boolean | hasLocalJwks() JWKS is in local data source. |
| boolean | hasRemoteJwks() JWKS can be fetched from remote server via HTTP/HTTPS. |
| protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable | internalGetFieldAccessorTable() |
| boolean | isInitialized() |
| JwtProvider.Builder | mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) |
| JwtProvider.Builder | mergeFrom(JwtProvider other) |
| JwtProvider.Builder | mergeFrom(com.google.protobuf.Message other) |
| JwtProvider.Builder | mergeLocalJwks(DataSource value) JWKS is in local data source. |
| JwtProvider.Builder | mergeRemoteJwks(RemoteJwks value) JWKS can be fetched from remote server via HTTP/HTTPS. |
| JwtProvider.Builder | mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields) |
| JwtProvider.Builder | removeFromHeaders(int index) Two fields below define where to extract the JWT from an HTTP request. |
| JwtProvider.Builder | setAudiences(int index, String value) The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access. |
| JwtProvider.Builder | setClockSkewSeconds(int value) Specify the clock skew in seconds when verifying JWT time constraint, such as `exp`, and `nbf`. |
| JwtProvider.Builder | setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value) |
| JwtProvider.Builder | setForward(boolean value) If false, the JWT is removed in the request after a success verification. |
| JwtProvider.Builder | setForwardPayloadHeader(String value) This field specifies the header name to forward a successfully verified JWT payload to the backend. |
| JwtProvider.Builder | setForwardPayloadHeaderBytes(com.google.protobuf.ByteString value) This field specifies the header name to forward a successfully verified JWT payload to the backend. |
| JwtProvider.Builder | setFromHeaders(int index, JwtHeader.Builder builderForValue) Two fields below define where to extract the JWT from an HTTP request. |
| JwtProvider.Builder | setFromHeaders(int index, JwtHeader value) Two fields below define where to extract the JWT from an HTTP request. |
| JwtProvider.Builder | setFromParams(int index, String value) JWT is sent in a query parameter. |
| JwtProvider.Builder | setIssuer(String value) Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address. |
| JwtProvider.Builder | setIssuerBytes(com.google.protobuf.ByteString value) Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address. |
| JwtProvider.Builder | setLocalJwks(DataSource.Builder builderForValue) JWKS is in local data source. |
| JwtProvider.Builder | setLocalJwks(DataSource value) JWKS is in local data source. |
| JwtProvider.Builder | setPayloadInMetadata(String value) If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** The value is the *protobuf::Struct*. |
| JwtProvider.Builder | setPayloadInMetadataBytes(com.google.protobuf.ByteString value) If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** The value is the *protobuf::Struct*. |
| JwtProvider.Builder | setRemoteJwks(RemoteJwks.Builder builderForValue) JWKS can be fetched from remote server via HTTP/HTTPS. |
| JwtProvider.Builder | setRemoteJwks(RemoteJwks value) JWKS can be fetched from remote server via HTTP/HTTPS. |
| JwtProvider.Builder | setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value) |
| JwtProvider.Builder | setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields) |

public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

public JwtProvider.Builder clear()
clear in interface com.google.protobuf.Message.Builder
clear in interface com.google.protobuf.MessageLite.Builder
clear in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
getDescriptorForType in interface com.google.protobuf.Message.Builder
getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

public JwtProvider getDefaultInstanceForType()
getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder

public JwtProvider build()
build in interface com.google.protobuf.Message.Builder
build in interface com.google.protobuf.MessageLite.Builder

public JwtProvider buildPartial()
buildPartial in interface com.google.protobuf.Message.Builder
buildPartial in interface com.google.protobuf.MessageLite.Builder

public JwtProvider.Builder clone()
clone in interface com.google.protobuf.Message.Builder
clone in interface com.google.protobuf.MessageLite.Builder
clone in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

public JwtProvider.Builder setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
setField in interface com.google.protobuf.Message.Builder
setField in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

public JwtProvider.Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field)
clearField in interface com.google.protobuf.Message.Builder
clearField in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

public JwtProvider.Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)
clearOneof in interface com.google.protobuf.Message.Builder
clearOneof in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

public JwtProvider.Builder setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value)
setRepeatedField in interface com.google.protobuf.Message.Builder
setRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

public JwtProvider.Builder addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
addRepeatedField in interface com.google.protobuf.Message.Builder
addRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

public JwtProvider.Builder mergeFrom(com.google.protobuf.Message other)
mergeFrom in interface com.google.protobuf.Message.Builder
mergeFrom in class com.google.protobuf.AbstractMessage.Builder<JwtProvider.Builder>

public JwtProvider.Builder mergeFrom(JwtProvider other)

public final boolean isInitialized()
isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>

public JwtProvider.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
mergeFrom in interface com.google.protobuf.Message.Builder
mergeFrom in interface com.google.protobuf.MessageLite.Builder
mergeFrom in class com.google.protobuf.AbstractMessage.Builder<JwtProvider.Builder>
IOException

public JwtProvider.JwksSourceSpecifierCase getJwksSourceSpecifierCase()
getJwksSourceSpecifierCase in interface JwtProviderOrBuilder

public JwtProvider.Builder clearJwksSourceSpecifier()

public String getIssuer()
Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
the JWT, usually a URL or an email address.

It is optional. If specified, it has to match the *iss* field in JWT.

If a JWT has *iss* field and this field is specified, they have to match, otherwise the
JWT *iss* field is not checked.

Note: *JwtRequirement* :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
are implemented differently than other *JwtRequirements*. Hence the usage of this field
is different as follows if *allow_missing* or *allow_missing_or_failed* is used:

* If a JWT has *iss* field, it needs to be specified by this field in one of *JwtProviders*.
* If a JWT doesn't have *iss* field, one of *JwtProviders* should fill this field empty.
* Multiple *JwtProviders* should not have same value in this field.

Example: https://securetoken.google.com

Example: 1234567-compute@developer.gserviceaccount.com

string issuer = 1;
getIssuer in interface JwtProviderOrBuilder

public com.google.protobuf.ByteString getIssuerBytes()
string issuer = 1;
getIssuerBytes in interface JwtProviderOrBuilder

public JwtProvider.Builder setIssuer(String value)
string issuer = 1;

public JwtProvider.Builder clearIssuer()
string issuer = 1;

public JwtProvider.Builder setIssuerBytes(com.google.protobuf.ByteString value)
string issuer = 1;

public com.google.protobuf.ProtocolStringList getAudiencesList()
The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ that are
allowed access. A JWT containing any of these audiences will be accepted. If not specified,
audiences in the token are not checked.

Example:

.. code-block:: yaml

  audiences:
  - bookstore_android.apps.googleusercontent.com
  - bookstore_web.apps.googleusercontent.com

repeated string audiences = 2;
getAudiencesList in interface JwtProviderOrBuilder

public int getAudiencesCount()
repeated string audiences = 2;
getAudiencesCount in interface JwtProviderOrBuilder

public String getAudiences(int index)
repeated string audiences = 2;
getAudiences in interface JwtProviderOrBuilder

public com.google.protobuf.ByteString getAudiencesBytes(int index)
repeated string audiences = 2;
getAudiencesBytes in interface JwtProviderOrBuilder

public JwtProvider.Builder setAudiences(int index, String value)
repeated string audiences = 2;

public JwtProvider.Builder addAudiences(String value)
repeated string audiences = 2;

public JwtProvider.Builder addAllAudiences(Iterable<String> values)
repeated string audiences = 2;

public JwtProvider.Builder clearAudiences()
repeated string audiences = 2;

public JwtProvider.Builder addAudiencesBytes(com.google.protobuf.ByteString value)
repeated string audiences = 2;

public boolean hasRemoteJwks()
JWKS can be fetched from a remote server via HTTP/HTTPS. This field specifies the remote HTTP
URI and how the fetched JWKS should be cached.

Example:

.. code-block:: yaml

  remote_jwks:
    http_uri:
      uri: https://www.googleapis.com/oauth2/v1/certs
      cluster: jwt.www.googleapis.com|443
      timeout: 1s
    cache_duration:
      seconds: 300

.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;
hasRemoteJwks in interface JwtProviderOrBuilder

public RemoteJwks getRemoteJwks()
.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;
getRemoteJwks in interface JwtProviderOrBuilder

public JwtProvider.Builder setRemoteJwks(RemoteJwks value)
.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;

public JwtProvider.Builder setRemoteJwks(RemoteJwks.Builder builderForValue)
.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;

public JwtProvider.Builder mergeRemoteJwks(RemoteJwks value)
.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;

public JwtProvider.Builder clearRemoteJwks()
.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;

public RemoteJwks.Builder getRemoteJwksBuilder()
.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;

public RemoteJwksOrBuilder getRemoteJwksOrBuilder()
.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;
getRemoteJwksOrBuilder in interface JwtProviderOrBuilder

public boolean hasLocalJwks()
JWKS is in a local data source. It could be either in a local file or embedded in the
inline_string.

Example: local file

.. code-block:: yaml

  local_jwks:
    filename: /etc/envoy/jwks/jwks1.txt

Example: inline_string

.. code-block:: yaml

  local_jwks:
    inline_string: ACADADADADA

.envoy.config.core.v3.DataSource local_jwks = 4;
hasLocalJwks in interface JwtProviderOrBuilder

public DataSource getLocalJwks()
.envoy.config.core.v3.DataSource local_jwks = 4;
getLocalJwks in interface JwtProviderOrBuilder

public JwtProvider.Builder setLocalJwks(DataSource value)
.envoy.config.core.v3.DataSource local_jwks = 4;
public JwtProvider.Builder setLocalJwks(DataSource.Builder builderForValue)
.envoy.config.core.v3.DataSource local_jwks = 4;
public JwtProvider.Builder mergeLocalJwks(DataSource value)
.envoy.config.core.v3.DataSource local_jwks = 4;
public JwtProvider.Builder clearLocalJwks()
.envoy.config.core.v3.DataSource local_jwks = 4;
public DataSource.Builder getLocalJwksBuilder()
.envoy.config.core.v3.DataSource local_jwks = 4;
public DataSourceOrBuilder getLocalJwksOrBuilder()
.envoy.config.core.v3.DataSource local_jwks = 4;
getLocalJwksOrBuilder in interface JwtProviderOrBuilder
public boolean getForward()
If false, the JWT is removed from the request after a successful verification. If true, the JWT is not removed from the request. Default value is false.
bool forward = 5;
getForward in interface JwtProviderOrBuilder
public JwtProvider.Builder setForward(boolean value)
bool forward = 5;
public JwtProvider.Builder clearForward()
bool forward = 5;
public List<JwtHeader> getFromHeadersList()
Two fields below define where to extract the JWT from an HTTP request.
If no explicit location is specified, the following default locations are tried in order:
1. The Authorization header using the `Bearer schema
<https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::

  Authorization: Bearer <token>.

2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
its provider specified or from the default locations.
Specify the HTTP headers to extract the JWT token from. For example, the following config:
.. code-block:: yaml

  from_headers:
  - name: x-goog-iap-jwt-assertion

can be used to extract token from header::

  ``x-goog-iap-jwt-assertion: <JWT>``.

repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
getFromHeadersList in interface JwtProviderOrBuilder
public int getFromHeadersCount()
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
getFromHeadersCount in interface JwtProviderOrBuilder
public JwtHeader getFromHeaders(int index)
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
getFromHeaders in interface JwtProviderOrBuilder
public JwtProvider.Builder setFromHeaders(int index, JwtHeader value)
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public JwtProvider.Builder setFromHeaders(int index, JwtHeader.Builder builderForValue)
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public JwtProvider.Builder addFromHeaders(JwtHeader value)
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public JwtProvider.Builder addFromHeaders(int index, JwtHeader value)
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public JwtProvider.Builder addFromHeaders(JwtHeader.Builder builderForValue)
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public JwtProvider.Builder addFromHeaders(int index, JwtHeader.Builder builderForValue)
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public JwtProvider.Builder addAllFromHeaders(Iterable<? extends JwtHeader> values)
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public JwtProvider.Builder clearFromHeaders()
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public JwtProvider.Builder removeFromHeaders(int index)
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public JwtHeader.Builder getFromHeadersBuilder(int index)
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public JwtHeaderOrBuilder getFromHeadersOrBuilder(int index)
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
getFromHeadersOrBuilder in interface JwtProviderOrBuilder
public List<? extends JwtHeaderOrBuilder> getFromHeadersOrBuilderList()
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
getFromHeadersOrBuilderList in interface JwtProviderOrBuilder
public JwtHeader.Builder addFromHeadersBuilder()
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public JwtHeader.Builder addFromHeadersBuilder(int index)
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public List<JwtHeader.Builder> getFromHeadersBuilderList()
repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
public com.google.protobuf.ProtocolStringList getFromParamsList()
JWT is sent in a query parameter. `jwt_params` represents the query parameter names.
For example, if config is:
.. code-block:: yaml

  from_params:
  - jwt_token

The JWT format in query parameter is::

  /path?jwt_token=<JWT>

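A simplified model of the lookup described for `from_headers` and `from_params`, added here as an example (it is not Envoy's implementation or code from this page): the default locations are consulted only when the provider names no explicit location. The function name `extract_jwts`, the location labels and the sample requests are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

BEARER_PREFIX = "Bearer "   # default header form: Authorization: Bearer <token>
DEFAULT_PARAM = "access_token"  # default query parameter


def extract_jwts(headers, url, from_headers=(), from_params=()):
    """Return (location, token) pairs in the order they would be tried.

    headers: dict of request headers (names are compared case-insensitively).
    url: request path including the query string.
    from_headers / from_params: names configured on the provider.
    Modelling assumption: naming any explicit location disables the defaults.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    query = parse_qs(urlsplit(url).query)  # blank values are dropped
    found = []

    if not from_headers and not from_params:
        # Default 1: the Authorization header with the Bearer scheme.
        value = lowered.get("authorization", "")
        if value.startswith(BEARER_PREFIX):
            token = value[len(BEARER_PREFIX):].strip()
            if token:
                found.append(("header:authorization", token))
        # Default 2: the access_token query parameter.
        for token in query.get(DEFAULT_PARAM, []):
            found.append(("param:" + DEFAULT_PARAM, token))
        return found

    # Explicit locations: configured headers first, then configured params.
    for name in from_headers:
        value = lowered.get(name.lower(), "").strip()
        if value:
            found.append(("header:" + name.lower(), value))
    for name in from_params:
        for token in query.get(name, []):
            found.append(("param:" + name, token))
    return found


if __name__ == "__main__":
    # Constructed requests; the tokens are placeholders, not real JWTs.
    print(extract_jwts({"Authorization": "Bearer aaa.bbb.ccc"}, "/path"))
    print(extract_jwts(
        {"x-goog-iap-jwt-assertion": "hhh.ppp.sss"},
        "/path?jwt_token=qqq.ppp.sss",
        from_headers=["x-goog-iap-jwt-assertion"],
        from_params=["jwt_token"],
    ))
```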
repeated string from_params = 7;
getFromParamsList in interface JwtProviderOrBuilder
public int getFromParamsCount()
repeated string from_params = 7;
getFromParamsCount in interface JwtProviderOrBuilder
public String getFromParams(int index)
repeated string from_params = 7;
getFromParams in interface JwtProviderOrBuilder
public com.google.protobuf.ByteString getFromParamsBytes(int index)
repeated string from_params = 7;
getFromParamsBytes in interface JwtProviderOrBuilder
public JwtProvider.Builder setFromParams(int index, String value)
repeated string from_params = 7;
public JwtProvider.Builder addFromParams(String value)
repeated string from_params = 7;
public JwtProvider.Builder addAllFromParams(Iterable<String> values)
repeated string from_params = 7;
public JwtProvider.Builder clearFromParams()
repeated string from_params = 7;
public JwtProvider.Builder addFromParamsBytes(com.google.protobuf.ByteString value)
repeated string from_params = 7;
public String getForwardPayloadHeader()
This field specifies the header name to forward a successfully verified JWT payload to the
backend. The forwarded data is::

  base64url_encoded(jwt_payload_in_JSON)

If it is not specified, the payload will not be forwarded.
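On the backend side, the forwarded value has to be base64url-decoded and parsed before the claims can be used. The following is an added example, not code from Envoy or from this page; the header name `x-jwt-payload` and the helper names are assumptions, and the sample claims reuse the values from the `payload_in_metadata` example. The decoder accepts both padded and unpadded input and rejects anything that is not a JSON object.

```python
import base64
import binascii
import json
import re

# Hypothetical header name; use whatever forward_payload_header is set to.
FORWARD_PAYLOAD_HEADER = "x-jwt-payload"

# Constructed sample claims (same values as the payload example on this page).
SAMPLE_CLAIMS = {
    "iss": "https://example.com",
    "sub": "test@example.com",
    "aud": "https://example.com",
    "exp": 1501281058,
}

_BASE64URL = re.compile(r"[A-Za-z0-9_-]+")


def encode_payload(claims):
    """Produce base64url(JSON) without padding, to build test input."""
    raw = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_forwarded_payload(header_value):
    """Return the claims dict, or None if the value is not base64url JSON."""
    if not header_value:
        return None
    value = header_value.strip().rstrip("=")  # accept padded and unpadded
    if not _BASE64URL.fullmatch(value):
        return None  # characters outside the base64url alphabet
    padded = value + "=" * (-len(value) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))
    except (binascii.Error, ValueError):
        return None  # bad length, invalid UTF-8 or invalid JSON
    return claims if isinstance(claims, dict) else None


def claims_from_request(headers, header_name=FORWARD_PAYLOAD_HEADER):
    """Look the header up case-insensitively and decode it."""
    for name, value in headers.items():
        if name.lower() == header_name.lower():
            return decode_forwarded_payload(value)
    return None


if __name__ == "__main__":
    request_headers = {"X-Jwt-Payload": encode_payload(SAMPLE_CLAIMS)}
    print(claims_from_request(request_headers))
```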
string forward_payload_header = 8 [(.validate.rules) = { ... }
getForwardPayloadHeader in interface JwtProviderOrBuilder
public com.google.protobuf.ByteString getForwardPayloadHeaderBytes()
string forward_payload_header = 8 [(.validate.rules) = { ... }
getForwardPayloadHeaderBytes in interface JwtProviderOrBuilder
public JwtProvider.Builder setForwardPayloadHeader(String value)
string forward_payload_header = 8 [(.validate.rules) = { ... }
public JwtProvider.Builder clearForwardPayloadHeader()
string forward_payload_header = 8 [(.validate.rules) = { ... }
public JwtProvider.Builder setForwardPayloadHeaderBytes(com.google.protobuf.ByteString value)
string forward_payload_header = 8 [(.validate.rules) = { ... }
public String getPayloadInMetadata()
If non-empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
in the following format: the *namespace* is the jwt_authn filter name, **envoy.filters.http.jwt_authn**.
The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
and the value is the *protobuf::Struct* converted from JWT JSON payload.
For example, if payload_in_metadata is *my_payload*:
.. code-block:: yaml

  envoy.filters.http.jwt_authn:
    my_payload:
      iss: https://example.com
      sub: test@example.com
      aud: https://example.com
      exp: 1501281058

string payload_in_metadata = 9;
getPayloadInMetadata in interface JwtProviderOrBuilder
public com.google.protobuf.ByteString getPayloadInMetadataBytes()
string payload_in_metadata = 9;
getPayloadInMetadataBytes in interface JwtProviderOrBuilder
public JwtProvider.Builder setPayloadInMetadata(String value)
string payload_in_metadata = 9;
public JwtProvider.Builder clearPayloadInMetadata()
string payload_in_metadata = 9;
public JwtProvider.Builder setPayloadInMetadataBytes(com.google.protobuf.ByteString value)
string payload_in_metadata = 9;
public int getClockSkewSeconds()
Specify the clock skew in seconds when verifying JWT time constraints, such as `exp` and `nbf`. If not specified, the default is 60 seconds.
uint32 clock_skew_seconds = 10;
getClockSkewSeconds in interface JwtProviderOrBuilder
public JwtProvider.Builder setClockSkewSeconds(int value)
uint32 clock_skew_seconds = 10;
public JwtProvider.Builder clearClockSkewSeconds()
uint32 clock_skew_seconds = 10;
public final JwtProvider.Builder setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
setUnknownFields in interface com.google.protobuf.Message.Builder
setUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>
public final JwtProvider.Builder mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
mergeUnknownFields in interface com.google.protobuf.Message.Builder
mergeUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<JwtProvider.Builder>
Copyright © 2018–2021 The Envoy Project. All rights reserved.