Package io.envoyproxy.envoy.config.filter.http.jwt_authn.v2alpha

Interface JwtProviderOrBuilder

  • All Superinterfaces:
    com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
    All Known Implementing Classes:
    JwtProvider, JwtProvider.Builder
    public interface JwtProviderOrBuilder
extends com.google.protobuf.MessageOrBuilder

    • Method Summary

      All Methods Instance Methods Abstract Methods 
      Modifier and Type Method Description
      String getAudiences​(int index)
      The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
      com.google.protobuf.ByteString getAudiencesBytes​(int index)
      The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
      int getAudiencesCount()
      The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
      List<String> getAudiencesList()
      The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
      boolean getForward()
      If false, the JWT is removed in the request after a success verification.
      String getForwardPayloadHeader()
      This field specifies the header name to forward a successfully verified JWT payload to the backend.
      com.google.protobuf.ByteString getForwardPayloadHeaderBytes()
      This field specifies the header name to forward a successfully verified JWT payload to the backend.
      JwtHeader getFromHeaders​(int index)
      Two fields below define where to extract the JWT from an HTTP request.
      int getFromHeadersCount()
      Two fields below define where to extract the JWT from an HTTP request.
      List<JwtHeader> getFromHeadersList()
      Two fields below define where to extract the JWT from an HTTP request.
      JwtHeaderOrBuilder getFromHeadersOrBuilder​(int index)
      Two fields below define where to extract the JWT from an HTTP request.
      List<? extends JwtHeaderOrBuilder> getFromHeadersOrBuilderList()
      Two fields below define where to extract the JWT from an HTTP request.
      String getFromParams​(int index)
      JWT is sent in a query parameter.
      com.google.protobuf.ByteString getFromParamsBytes​(int index)
      JWT is sent in a query parameter.
      int getFromParamsCount()
      JWT is sent in a query parameter.
      List<String> getFromParamsList()
      JWT is sent in a query parameter.
      String getIssuer()
      Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address.
      com.google.protobuf.ByteString getIssuerBytes()
      Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address.
      JwtProvider.JwksSourceSpecifierCase getJwksSourceSpecifierCase()  
      DataSource getLocalJwks()
      JWKS is in local data source.
      DataSourceOrBuilder getLocalJwksOrBuilder()
      JWKS is in local data source.
      String getPayloadInMetadata()
      If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** The value is the *protobuf::Struct*.
      com.google.protobuf.ByteString getPayloadInMetadataBytes()
      If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** The value is the *protobuf::Struct*.
      RemoteJwks getRemoteJwks()
      JWKS can be fetched from remote server via HTTP/HTTPS.
      RemoteJwksOrBuilder getRemoteJwksOrBuilder()
      JWKS can be fetched from remote server via HTTP/HTTPS.
      boolean hasLocalJwks()
      JWKS is in local data source.
      boolean hasRemoteJwks()
      JWKS can be fetched from remote server via HTTP/HTTPS.

      • Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder

        isInitialized

      • Methods inherited from interface com.google.protobuf.MessageOrBuilder

        findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof

    • Method Detail

      • getIssuer

        String getIssuer()
         Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.
 Example: https://securetoken.google.com
 Example: 1234567-compute@developer.gserviceaccount.com
        string issuer = 1 [(.validate.rules) = { ... }
        Returns:
        The issuer.

      • getIssuerBytes

        com.google.protobuf.ByteString getIssuerBytes()
         Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.
 Example: https://securetoken.google.com
 Example: 1234567-compute@developer.gserviceaccount.com
        string issuer = 1 [(.validate.rules) = { ... }
        Returns:
        The bytes for issuer.

      • getAudiencesList

        List<String> getAudiencesList()
         The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
        repeated string audiences = 2;
        Returns:
        A list containing the audiences.

      • getAudiencesCount

        int getAudiencesCount()
         The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
        repeated string audiences = 2;
        Returns:
        The count of audiences.

      • getAudiences

        String getAudiences​(int index)
         The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
        repeated string audiences = 2;
        Parameters:
        index - The index of the element to return.
        Returns:
        The audiences at the given index.

      • getAudiencesBytes

        com.google.protobuf.ByteString getAudiencesBytes​(int index)
         The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
        repeated string audiences = 2;
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the audiences at the given index.

      • hasRemoteJwks

        boolean hasRemoteJwks()
         JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
      cache_duration:
        seconds: 300
        .envoy.config.filter.http.jwt_authn.v2alpha.RemoteJwks remote_jwks = 3;
        Returns:
        Whether the remoteJwks field is set.

      • getRemoteJwks

        RemoteJwks getRemoteJwks()
         JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
      cache_duration:
        seconds: 300
        .envoy.config.filter.http.jwt_authn.v2alpha.RemoteJwks remote_jwks = 3;
        Returns:
        The remoteJwks.

      • getRemoteJwksOrBuilder

        RemoteJwksOrBuilder getRemoteJwksOrBuilder()
         JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
      cache_duration:
        seconds: 300
        .envoy.config.filter.http.jwt_authn.v2alpha.RemoteJwks remote_jwks = 3;

      • hasLocalJwks

        boolean hasLocalJwks()
         JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA
        .envoy.api.v2.core.DataSource local_jwks = 4;
        Returns:
        Whether the localJwks field is set.

      • getLocalJwks

        DataSource getLocalJwks()
         JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA
        .envoy.api.v2.core.DataSource local_jwks = 4;
        Returns:
        The localJwks.

      • getLocalJwksOrBuilder

        DataSourceOrBuilder getLocalJwksOrBuilder()
         JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA
        .envoy.api.v2.core.DataSource local_jwks = 4;

      • getForward

        boolean getForward()
         If false, the JWT is removed in the request after a success verification. If true, the JWT is
 not removed in the request. Default value is false.
        bool forward = 5;
        Returns:
        The forward.

      • getFromHeadersList

        List<JwtHeader> getFromHeadersList()
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.config.filter.http.jwt_authn.v2alpha.JwtHeader from_headers = 6;

      • getFromHeaders

        JwtHeader getFromHeaders​(int index)
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.config.filter.http.jwt_authn.v2alpha.JwtHeader from_headers = 6;

      • getFromHeadersCount

        int getFromHeadersCount()
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.config.filter.http.jwt_authn.v2alpha.JwtHeader from_headers = 6;

      • getFromHeadersOrBuilderList

        List<? extends JwtHeaderOrBuilder> getFromHeadersOrBuilderList()
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.config.filter.http.jwt_authn.v2alpha.JwtHeader from_headers = 6;

      • getFromHeadersOrBuilder

        JwtHeaderOrBuilder getFromHeadersOrBuilder​(int index)
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.config.filter.http.jwt_authn.v2alpha.JwtHeader from_headers = 6;

      • getFromParamsList

        List<String> getFromParamsList()
         JWT is sent in a query parameter. `jwt_params` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
        repeated string from_params = 7;
        Returns:
        A list containing the fromParams.

      • getFromParamsCount

        int getFromParamsCount()
         JWT is sent in a query parameter. `jwt_params` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
        repeated string from_params = 7;
        Returns:
        The count of fromParams.

      • getFromParams

        String getFromParams​(int index)
         JWT is sent in a query parameter. `jwt_params` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
        repeated string from_params = 7;
        Parameters:
        index - The index of the element to return.
        Returns:
        The fromParams at the given index.

      • getFromParamsBytes

        com.google.protobuf.ByteString getFromParamsBytes​(int index)
         JWT is sent in a query parameter. `jwt_params` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
        repeated string from_params = 7;
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the fromParams at the given index.

      • getForwardPayloadHeader

        String getForwardPayloadHeader()
         This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::
    base64url_encoded(jwt_payload_in_JSON)
 If it is not specified, the payload will not be forwarded.
        string forward_payload_header = 8;
        Returns:
        The forwardPayloadHeader.

      • getForwardPayloadHeaderBytes

        com.google.protobuf.ByteString getForwardPayloadHeaderBytes()
         This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::
    base64url_encoded(jwt_payload_in_JSON)
 If it is not specified, the payload will not be forwarded.
        string forward_payload_header = 8;
        Returns:
        The bytes for forwardPayloadHeader.

      • getPayloadInMetadata

        String getPayloadInMetadata()
         If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
 The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
 and the value is the *protobuf::Struct* converted from JWT JSON payload.
 For example, if payload_in_metadata is *my_payload*:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
        string payload_in_metadata = 9;
        Returns:
        The payloadInMetadata.

      • getPayloadInMetadataBytes

        com.google.protobuf.ByteString getPayloadInMetadataBytes()
         If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
 The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
 and the value is the *protobuf::Struct* converted from JWT JSON payload.
 For example, if payload_in_metadata is *my_payload*:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
        string payload_in_metadata = 9;
        Returns:
        The bytes for payloadInMetadata.