JwtProvider (api 0.1.28 API)

java.lang.Object
- com.google.protobuf.AbstractMessageLite
- - com.google.protobuf.AbstractMessage
  - - com.google.protobuf.GeneratedMessageV3
    - - io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v4alpha.JwtProvider

All Implemented Interfaces:: com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, JwtProviderOrBuilder, Serializable

public final class JwtProvider
extends com.google.protobuf.GeneratedMessageV3
implements JwtProviderOrBuilder

 Please see following for JWT authentication flow:
 * `JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>`_
 * `The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>`_
 * `OpenID Connect <http://openid.net/connect>`_
 A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:
 * issuer: the principal that issues the JWT. If specified, it has to match the *iss* field in JWT.
 * allowed audiences: the ones in the token have to be listed here.
 * how to fetch public key JWKS to verify the token signature.
 * how to extract JWT token in the request.
 * how to pass successfully verified token payload.
 Example:
 .. code-block:: yaml
     issuer: https://example.com
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
     remote_jwks:
       http_uri:
         uri: https://example.com/.well-known/jwks.json
         cluster: example_jwks_cluster
         timeout: 1s
       cache_duration:
         seconds: 300
 [#next-free-field: 11]

Protobuf type envoy.extensions.filters.http.jwt_authn.v4alpha.JwtProvider

See Also:: Serialized Form

Nested Class Summary

Nested Classes
Modifier and Type	Class and Description
`static class`	`JwtProvider.Builder` Please see following for JWT authentication flow: * `JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>`_ * `The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>`_ * `OpenID Connect <http://openid.net/connect>`_ A JwtProvider message specifies how a JSON Web Token (JWT) can be verified.
`static class`	`JwtProvider.JwksSourceSpecifierCase`

Nested classes/interfaces inherited from class com.google.protobuf.GeneratedMessageV3
com.google.protobuf.GeneratedMessageV3.BuilderParent, com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage,BuilderType extends com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType,BuilderType>>, com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.ExtendableMessageOrBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.FieldAccessorTable, com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter

Field Summary

Fields
Modifier and Type	Field and Description
`static int`	`AUDIENCES_FIELD_NUMBER`
`static int`	`CLOCK_SKEW_SECONDS_FIELD_NUMBER`
`static int`	`FORWARD_FIELD_NUMBER`
`static int`	`FORWARD_PAYLOAD_HEADER_FIELD_NUMBER`
`static int`	`FROM_HEADERS_FIELD_NUMBER`
`static int`	`FROM_PARAMS_FIELD_NUMBER`
`static int`	`ISSUER_FIELD_NUMBER`
`static int`	`LOCAL_JWKS_FIELD_NUMBER`
`static int`	`PAYLOAD_IN_METADATA_FIELD_NUMBER`
`static int`	`REMOTE_JWKS_FIELD_NUMBER`

Fields inherited from class com.google.protobuf.GeneratedMessageV3
alwaysUseFieldBuilders, unknownFields

Fields inherited from class com.google.protobuf.AbstractMessage
memoizedSize

Fields inherited from class com.google.protobuf.AbstractMessageLite
memoizedHashCode

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`boolean`	`equals(Object obj)`
`String`	`getAudiences(int index)` The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
`com.google.protobuf.ByteString`	`getAudiencesBytes(int index)` The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
`int`	`getAudiencesCount()` The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
`com.google.protobuf.ProtocolStringList`	`getAudiencesList()` The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
`int`	`getClockSkewSeconds()` Specify the clock skew in seconds when verifying JWT time constraint, such as `exp`, and `nbf`.
`static JwtProvider`	`getDefaultInstance()`
`JwtProvider`	`getDefaultInstanceForType()`
`static com.google.protobuf.Descriptors.Descriptor`	`getDescriptor()`
`boolean`	`getForward()` If false, the JWT is removed in the request after a success verification.
`String`	`getForwardPayloadHeader()` This field specifies the header name to forward a successfully verified JWT payload to the backend.
`com.google.protobuf.ByteString`	`getForwardPayloadHeaderBytes()` This field specifies the header name to forward a successfully verified JWT payload to the backend.
`JwtHeader`	`getFromHeaders(int index)` Two fields below define where to extract the JWT from an HTTP request.
`int`	`getFromHeadersCount()` Two fields below define where to extract the JWT from an HTTP request.
`List<JwtHeader>`	`getFromHeadersList()` Two fields below define where to extract the JWT from an HTTP request.
`JwtHeaderOrBuilder`	`getFromHeadersOrBuilder(int index)` Two fields below define where to extract the JWT from an HTTP request.
`List<? extends JwtHeaderOrBuilder>`	`getFromHeadersOrBuilderList()` Two fields below define where to extract the JWT from an HTTP request.
`String`	`getFromParams(int index)` JWT is sent in a query parameter.
`com.google.protobuf.ByteString`	`getFromParamsBytes(int index)` JWT is sent in a query parameter.
`int`	`getFromParamsCount()` JWT is sent in a query parameter.
`com.google.protobuf.ProtocolStringList`	`getFromParamsList()` JWT is sent in a query parameter.
`String`	`getIssuer()` Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address.
`com.google.protobuf.ByteString`	`getIssuerBytes()` Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address.
`JwtProvider.JwksSourceSpecifierCase`	`getJwksSourceSpecifierCase()`
`DataSource`	`getLocalJwks()` JWKS is in local data source.
`DataSourceOrBuilder`	`getLocalJwksOrBuilder()` JWKS is in local data source.
`com.google.protobuf.Parser<JwtProvider>`	`getParserForType()`
`String`	`getPayloadInMetadata()` If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: namespace is the jwt_authn filter name as envoy.filters.http.jwt_authn The value is the protobuf::Struct.
`com.google.protobuf.ByteString`	`getPayloadInMetadataBytes()` If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: namespace is the jwt_authn filter name as envoy.filters.http.jwt_authn The value is the protobuf::Struct.
`RemoteJwks`	`getRemoteJwks()` JWKS can be fetched from remote server via HTTP/HTTPS.
`RemoteJwksOrBuilder`	`getRemoteJwksOrBuilder()` JWKS can be fetched from remote server via HTTP/HTTPS.
`int`	`getSerializedSize()`
`com.google.protobuf.UnknownFieldSet`	`getUnknownFields()`
`int`	`hashCode()`
`boolean`	`hasLocalJwks()` JWKS is in local data source.
`boolean`	`hasRemoteJwks()` JWKS can be fetched from remote server via HTTP/HTTPS.
`protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable`	`internalGetFieldAccessorTable()`
`boolean`	`isInitialized()`
`static JwtProvider.Builder`	`newBuilder()`
`static JwtProvider.Builder`	`newBuilder(JwtProvider prototype)`
`JwtProvider.Builder`	`newBuilderForType()`
`protected JwtProvider.Builder`	`newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)`
`protected Object`	`newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)`
`static JwtProvider`	`parseDelimitedFrom(InputStream input)`
`static JwtProvider`	`parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)`
`static JwtProvider`	`parseFrom(byte[] data)`
`static JwtProvider`	`parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)`
`static JwtProvider`	`parseFrom(ByteBuffer data)`
`static JwtProvider`	`parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)`
`static JwtProvider`	`parseFrom(com.google.protobuf.ByteString data)`
`static JwtProvider`	`parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)`
`static JwtProvider`	`parseFrom(com.google.protobuf.CodedInputStream input)`
`static JwtProvider`	`parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)`
`static JwtProvider`	`parseFrom(InputStream input)`
`static JwtProvider`	`parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)`
`static com.google.protobuf.Parser<JwtProvider>`	`parser()`
`JwtProvider.Builder`	`toBuilder()`
`void`	`writeTo(com.google.protobuf.CodedOutputStream output)`

Methods inherited from class com.google.protobuf.GeneratedMessageV3
canUseUnsafe, computeStringSize, computeStringSizeNoTag, emptyBooleanList, emptyDoubleList, emptyFloatList, emptyIntList, emptyLongList, getAllFields, getDescriptorForType, getField, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, hasField, hasOneof, internalGetMapField, makeExtensionsImmutable, mergeFromAndMakeImmutableInternal, mutableCopy, mutableCopy, mutableCopy, mutableCopy, mutableCopy, newBooleanList, newBuilderForType, newDoubleList, newFloatList, newIntList, newLongList, parseDelimitedWithIOException, parseDelimitedWithIOException, parseUnknownField, parseUnknownFieldProto3, parseWithIOException, parseWithIOException, parseWithIOException, parseWithIOException, serializeBooleanMapTo, serializeIntegerMapTo, serializeLongMapTo, serializeStringMapTo, writeReplace, writeString, writeStringNoTag

Methods inherited from class com.google.protobuf.AbstractMessage
findInitializationErrors, getInitializationErrorString, hashBoolean, hashEnum, hashEnumList, hashFields, hashLong, toString

Methods inherited from class com.google.protobuf.AbstractMessageLite
addAll, addAll, checkByteStringIsUtf8, toByteArray, toByteString, writeDelimitedTo, writeTo

Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Methods inherited from interface com.google.protobuf.MessageOrBuilder
findInitializationErrors, getAllFields, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, hasField, hasOneof

Methods inherited from interface com.google.protobuf.MessageLite
toByteArray, toByteString, writeDelimitedTo, writeTo

Field Detail
- ISSUER_FIELD_NUMBER
```
public static final int ISSUER_FIELD_NUMBER
```
  See Also:
  
  Constant Field Values
- AUDIENCES_FIELD_NUMBER
```
public static final int AUDIENCES_FIELD_NUMBER
```
  See Also:
  
  Constant Field Values
- REMOTE_JWKS_FIELD_NUMBER
```
public static final int REMOTE_JWKS_FIELD_NUMBER
```
  See Also:
  
  Constant Field Values
- LOCAL_JWKS_FIELD_NUMBER
```
public static final int LOCAL_JWKS_FIELD_NUMBER
```
  See Also:
  
  Constant Field Values
- FORWARD_FIELD_NUMBER
```
public static final int FORWARD_FIELD_NUMBER
```
  See Also:
  
  Constant Field Values
- FROM_HEADERS_FIELD_NUMBER
```
public static final int FROM_HEADERS_FIELD_NUMBER
```
  See Also:
  
  Constant Field Values
- FROM_PARAMS_FIELD_NUMBER
```
public static final int FROM_PARAMS_FIELD_NUMBER
```
  See Also:
  
  Constant Field Values
- FORWARD_PAYLOAD_HEADER_FIELD_NUMBER
```
public static final int FORWARD_PAYLOAD_HEADER_FIELD_NUMBER
```
  See Also:
  
  Constant Field Values
- PAYLOAD_IN_METADATA_FIELD_NUMBER
```
public static final int PAYLOAD_IN_METADATA_FIELD_NUMBER
```
  See Also:
  
  Constant Field Values
- CLOCK_SKEW_SECONDS_FIELD_NUMBER
```
public static final int CLOCK_SKEW_SECONDS_FIELD_NUMBER
```
  See Also:
  
  Constant Field Values

Method Detail

newInstance

protected Object newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)

Overrides:: newInstance in class com.google.protobuf.GeneratedMessageV3

getUnknownFields
```
public final com.google.protobuf.UnknownFieldSet getUnknownFields()
```
Specified by:

getUnknownFields in interface com.google.protobuf.MessageOrBuilder

Overrides:

getUnknownFields in class com.google.protobuf.GeneratedMessageV3

getDescriptor

public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

internalGetFieldAccessorTable
```
protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
```
Specified by:

internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3

getJwksSourceSpecifierCase
```
public JwtProvider.JwksSourceSpecifierCase getJwksSourceSpecifierCase()
```
Specified by:

getJwksSourceSpecifierCase in interface JwtProviderOrBuilder

getIssuer

public String getIssuer()

 Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.
 It is optional. If specified, it has to match the *iss* field in JWT.
 If a JWT has *iss* field and this field is specified, they have to match, otherwise the
 JWT *iss* field is not checked.
 Note: *JwtRequirement* :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
 and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
 are implemented differently than other *JwtRequirements*. Hence the usage of this field
 is different as follows if *allow_missing* or *allow_missing_or_failed* is used:
 * If a JWT has *iss* field, it needs to be specified by this field in one of *JwtProviders*.
 * If a JWT doesn't have *iss* field, one of *JwtProviders* should fill this field empty.
 * Multiple *JwtProviders* should not have same value in this field.
 Example: https://securetoken.google.com
 Example: 1234567-compute@developer.gserviceaccount.com

string issuer = 1;

Specified by:: getIssuer in interface JwtProviderOrBuilder

getIssuerBytes

public com.google.protobuf.ByteString getIssuerBytes()

 Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.
 It is optional. If specified, it has to match the *iss* field in JWT.
 If a JWT has *iss* field and this field is specified, they have to match, otherwise the
 JWT *iss* field is not checked.
 Note: *JwtRequirement* :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
 and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
 are implemented differently than other *JwtRequirements*. Hence the usage of this field
 is different as follows if *allow_missing* or *allow_missing_or_failed* is used:
 * If a JWT has *iss* field, it needs to be specified by this field in one of *JwtProviders*.
 * If a JWT doesn't have *iss* field, one of *JwtProviders* should fill this field empty.
 * Multiple *JwtProviders* should not have same value in this field.
 Example: https://securetoken.google.com
 Example: 1234567-compute@developer.gserviceaccount.com

string issuer = 1;

Specified by:: getIssuerBytes in interface JwtProviderOrBuilder

getAudiencesList

public com.google.protobuf.ProtocolStringList getAudiencesList()

 The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com

repeated string audiences = 2;

Specified by:: getAudiencesList in interface JwtProviderOrBuilder

getAudiencesCount

public int getAudiencesCount()

 The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com

repeated string audiences = 2;

Specified by:: getAudiencesCount in interface JwtProviderOrBuilder

getAudiences

public String getAudiences(int index)

 The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com

repeated string audiences = 2;

Specified by:: getAudiences in interface JwtProviderOrBuilder

getAudiencesBytes

public com.google.protobuf.ByteString getAudiencesBytes(int index)

 The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com

repeated string audiences = 2;

Specified by:: getAudiencesBytes in interface JwtProviderOrBuilder

hasRemoteJwks

public boolean hasRemoteJwks()

 JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300

.envoy.extensions.filters.http.jwt_authn.v4alpha.RemoteJwks remote_jwks = 3;

Specified by:: hasRemoteJwks in interface JwtProviderOrBuilder

getRemoteJwks

public RemoteJwks getRemoteJwks()

 JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300

.envoy.extensions.filters.http.jwt_authn.v4alpha.RemoteJwks remote_jwks = 3;

Specified by:: getRemoteJwks in interface JwtProviderOrBuilder

getRemoteJwksOrBuilder

public RemoteJwksOrBuilder getRemoteJwksOrBuilder()

 JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300

.envoy.extensions.filters.http.jwt_authn.v4alpha.RemoteJwks remote_jwks = 3;

Specified by:: getRemoteJwksOrBuilder in interface JwtProviderOrBuilder

hasLocalJwks

public boolean hasLocalJwks()

 JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA

.envoy.config.core.v4alpha.DataSource local_jwks = 4;

Specified by:: hasLocalJwks in interface JwtProviderOrBuilder

getLocalJwks

public DataSource getLocalJwks()

 JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA

.envoy.config.core.v4alpha.DataSource local_jwks = 4;

Specified by:: getLocalJwks in interface JwtProviderOrBuilder

getLocalJwksOrBuilder

public DataSourceOrBuilder getLocalJwksOrBuilder()

 JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA

.envoy.config.core.v4alpha.DataSource local_jwks = 4;

Specified by:: getLocalJwksOrBuilder in interface JwtProviderOrBuilder

getForward

public boolean getForward()

 If false, the JWT is removed in the request after a success verification. If true, the JWT is
 not removed in the request. Default value is false.

bool forward = 5;

Specified by:: getForward in interface JwtProviderOrBuilder