io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v4alpha

Interface JwtProviderOrBuilder

All Superinterfaces:

com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder

All Known Implementing Classes:

JwtProvider, JwtProvider.Builder

public interface JwtProviderOrBuilder
extends com.google.protobuf.MessageOrBuilder

Method Summary

Modifier and Type	Method and Description
String	getAudiences(int index) The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
com.google.protobuf.ByteString	getAudiencesBytes(int index) The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
int	getAudiencesCount() The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
List<String>	getAudiencesList() The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
int	getClockSkewSeconds() Specify the clock skew in seconds when verifying JWT time constraint, such as `exp`, and `nbf`.
boolean	getForward() If false, the JWT is removed in the request after a success verification.
String	getForwardPayloadHeader() This field specifies the header name to forward a successfully verified JWT payload to the backend.
com.google.protobuf.ByteString	getForwardPayloadHeaderBytes() This field specifies the header name to forward a successfully verified JWT payload to the backend.
JwtHeader	getFromHeaders(int index) Two fields below define where to extract the JWT from an HTTP request.
int	getFromHeadersCount() Two fields below define where to extract the JWT from an HTTP request.
List<JwtHeader>	getFromHeadersList() Two fields below define where to extract the JWT from an HTTP request.
JwtHeaderOrBuilder	getFromHeadersOrBuilder(int index) Two fields below define where to extract the JWT from an HTTP request.
List<? extends JwtHeaderOrBuilder>	getFromHeadersOrBuilderList() Two fields below define where to extract the JWT from an HTTP request.
String	getFromParams(int index) JWT is sent in a query parameter.
com.google.protobuf.ByteString	getFromParamsBytes(int index) JWT is sent in a query parameter.
int	getFromParamsCount() JWT is sent in a query parameter.
List<String>	getFromParamsList() JWT is sent in a query parameter.
String	getIssuer() Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address.
com.google.protobuf.ByteString	getIssuerBytes() Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address.
JwtProvider.JwksSourceSpecifierCase	getJwksSourceSpecifierCase()
DataSource	getLocalJwks() JWKS is in local data source.
DataSourceOrBuilder	getLocalJwksOrBuilder() JWKS is in local data source.
String	getPayloadInMetadata() If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** The value is the *protobuf::Struct*.
com.google.protobuf.ByteString	getPayloadInMetadataBytes() If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** The value is the *protobuf::Struct*.
RemoteJwks	getRemoteJwks() JWKS can be fetched from remote server via HTTP/HTTPS.
RemoteJwksOrBuilder	getRemoteJwksOrBuilder() JWKS can be fetched from remote server via HTTP/HTTPS.
boolean	hasLocalJwks() JWKS is in local data source.
boolean	hasRemoteJwks() JWKS can be fetched from remote server via HTTP/HTTPS.

Methods inherited from interface com.google.protobuf.MessageOrBuilder

findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof

Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder

isInitialized

Method Detail

getIssuer

String getIssuer()

 Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.
 It is optional. If specified, it has to match the *iss* field in JWT.
 If a JWT has *iss* field and this field is specified, they have to match, otherwise the
 JWT *iss* field is not checked.
 Note: *JwtRequirement* :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
 and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
 are implemented differently than other *JwtRequirements*. Hence the usage of this field
 is different as follows if *allow_missing* or *allow_missing_or_failed* is used:
 * If a JWT has *iss* field, it needs to be specified by this field in one of *JwtProviders*.
 * If a JWT doesn't have *iss* field, one of *JwtProviders* should fill this field empty.
 * Multiple *JwtProviders* should not have same value in this field.
 Example: https://securetoken.google.com
 Example: 1234567-compute@developer.gserviceaccount.com
 

string issuer = 1;

getIssuerBytes

com.google.protobuf.ByteString getIssuerBytes()

 Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.
 It is optional. If specified, it has to match the *iss* field in JWT.
 If a JWT has *iss* field and this field is specified, they have to match, otherwise the
 JWT *iss* field is not checked.
 Note: *JwtRequirement* :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
 and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
 are implemented differently than other *JwtRequirements*. Hence the usage of this field
 is different as follows if *allow_missing* or *allow_missing_or_failed* is used:
 * If a JWT has *iss* field, it needs to be specified by this field in one of *JwtProviders*.
 * If a JWT doesn't have *iss* field, one of *JwtProviders* should fill this field empty.
 * Multiple *JwtProviders* should not have same value in this field.
 Example: https://securetoken.google.com
 Example: 1234567-compute@developer.gserviceaccount.com
 

string issuer = 1;

getAudiencesList

List<String> getAudiencesList()

 The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
 

repeated string audiences = 2;

getAudiencesCount

int getAudiencesCount()

 The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
 

repeated string audiences = 2;

getAudiences

String getAudiences(int index)

 The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
 

repeated string audiences = 2;

getAudiencesBytes

com.google.protobuf.ByteString getAudiencesBytes(int index)

 The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
 

repeated string audiences = 2;

hasRemoteJwks

boolean hasRemoteJwks()

 JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
 

.envoy.extensions.filters.http.jwt_authn.v4alpha.RemoteJwks remote_jwks = 3;

getRemoteJwks

RemoteJwks getRemoteJwks()

 JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
 

.envoy.extensions.filters.http.jwt_authn.v4alpha.RemoteJwks remote_jwks = 3;

getRemoteJwksOrBuilder

RemoteJwksOrBuilder getRemoteJwksOrBuilder()

 JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
 

.envoy.extensions.filters.http.jwt_authn.v4alpha.RemoteJwks remote_jwks = 3;

hasLocalJwks

boolean hasLocalJwks()

 JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA
 

.envoy.config.core.v4alpha.DataSource local_jwks = 4;

getLocalJwks

DataSource getLocalJwks()

 JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA
 

.envoy.config.core.v4alpha.DataSource local_jwks = 4;

getLocalJwksOrBuilder

DataSourceOrBuilder getLocalJwksOrBuilder()

 JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA
 

.envoy.config.core.v4alpha.DataSource local_jwks = 4;

getForward

boolean getForward()

 If false, the JWT is removed in the request after a success verification. If true, the JWT is
 not removed in the request. Default value is false.
 

bool forward = 5;

getFromHeadersList

List<JwtHeader> getFromHeadersList()

 Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
 

repeated .envoy.extensions.filters.http.jwt_authn.v4alpha.JwtHeader from_headers = 6;

getFromHeaders

JwtHeader getFromHeaders(int index)

 Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
 

repeated .envoy.extensions.filters.http.jwt_authn.v4alpha.JwtHeader from_headers = 6;

getFromHeadersCount

int getFromHeadersCount()

 Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
 

repeated .envoy.extensions.filters.http.jwt_authn.v4alpha.JwtHeader from_headers = 6;

getFromHeadersOrBuilderList

List<? extends JwtHeaderOrBuilder> getFromHeadersOrBuilderList()

 Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
 

repeated .envoy.extensions.filters.http.jwt_authn.v4alpha.JwtHeader from_headers = 6;

getFromHeadersOrBuilder

JwtHeaderOrBuilder getFromHeadersOrBuilder(int index)

 Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
 

repeated .envoy.extensions.filters.http.jwt_authn.v4alpha.JwtHeader from_headers = 6;

getFromParamsList

List<String> getFromParamsList()

 JWT is sent in a query parameter. `jwt_params` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
 

repeated string from_params = 7;

getFromParamsCount

int getFromParamsCount()

 JWT is sent in a query parameter. `jwt_params` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
 

repeated string from_params = 7;

getFromParams

String getFromParams(int index)

 JWT is sent in a query parameter. `jwt_params` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
 

repeated string from_params = 7;

getFromParamsBytes

com.google.protobuf.ByteString getFromParamsBytes(int index)

 JWT is sent in a query parameter. `jwt_params` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
 

repeated string from_params = 7;

getForwardPayloadHeader

String getForwardPayloadHeader()

 This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::
    base64url_encoded(jwt_payload_in_JSON)
 If it is not specified, the payload will not be forwarded.
 

string forward_payload_header = 8 [(.validate.rules) = { ... }

getForwardPayloadHeaderBytes

com.google.protobuf.ByteString getForwardPayloadHeaderBytes()

 This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::
    base64url_encoded(jwt_payload_in_JSON)
 If it is not specified, the payload will not be forwarded.
 

string forward_payload_header = 8 [(.validate.rules) = { ... }

getPayloadInMetadata

String getPayloadInMetadata()

 If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
 The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
 and the value is the *protobuf::Struct* converted from JWT JSON payload.
 For example, if payload_in_metadata is *my_payload*:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
 

string payload_in_metadata = 9;

getPayloadInMetadataBytes

com.google.protobuf.ByteString getPayloadInMetadataBytes()

 If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
 The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
 and the value is the *protobuf::Struct* converted from JWT JSON payload.
 For example, if payload_in_metadata is *my_payload*:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
 

string payload_in_metadata = 9;

getClockSkewSeconds

int getClockSkewSeconds()

 Specify the clock skew in seconds when verifying JWT time constraint,
 such as `exp`, and `nbf`. If not specified, default is 60 seconds.
 

uint32 clock_skew_seconds = 10;

getJwksSourceSpecifierCase

JwtProvider.JwksSourceSpecifierCase getJwksSourceSpecifierCase()