Package io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3

Class JwtProvider

  • All Implemented Interfaces:
    com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, JwtProviderOrBuilder, Serializable
    public final class JwtProvider
extends com.google.protobuf.GeneratedMessageV3
implements JwtProviderOrBuilder
     Please see following for JWT authentication flow:
 * `JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>`_
 * `The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>`_
 * `OpenID Connect <http://openid.net/connect>`_
 A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:
 * issuer: the principal that issues the JWT. If specified, it has to match the ``iss`` field in JWT.
 * allowed audiences: the ones in the token have to be listed here.
 * how to fetch public key JWKS to verify the token signature.
 * how to extract JWT token in the request.
 * how to pass successfully verified token payload.
 Example:
 .. code-block:: yaml
     issuer: https://example.com
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
     remote_jwks:
       http_uri:
         uri: https://example.com/.well-known/jwks.json
         cluster: example_jwks_cluster
         timeout: 1s
       cache_duration:
         seconds: 300
 [#next-free-field: 15]
    Protobuf type envoy.extensions.filters.http.jwt_authn.v3.JwtProvider
    See Also:
    Serialized Form

    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      static class  JwtProvider.Builder
      Please see following for JWT authentication flow: * `JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>`_ * `The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>`_ * `OpenID Connect <http://openid.net/connect>`_ A JwtProvider message specifies how a JSON Web Token (JWT) can be verified.
      static class  JwtProvider.JwksSourceSpecifierCase  

      • Nested classes/interfaces inherited from class com.google.protobuf.GeneratedMessageV3

        com.google.protobuf.GeneratedMessageV3.BuilderParent, com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage,​BuilderType extends com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType,​BuilderType>>, com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.ExtendableMessageOrBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.FieldAccessorTable, com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter

      • Nested classes/interfaces inherited from class com.google.protobuf.AbstractMessageLite

        com.google.protobuf.AbstractMessageLite.InternalOneOfEnum

    • Method Summary

      All Methods Static Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      boolean equals​(Object obj)  
      String getAudiences​(int index)
      The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
      com.google.protobuf.ByteString getAudiencesBytes​(int index)
      The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
      int getAudiencesCount()
      The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
      com.google.protobuf.ProtocolStringList getAudiencesList()
      The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
      int getClockSkewSeconds()
      Specify the clock skew in seconds when verifying JWT time constraint, such as ``exp``, and ``nbf``.
      static JwtProvider getDefaultInstance()  
      JwtProvider getDefaultInstanceForType()  
      static com.google.protobuf.Descriptors.Descriptor getDescriptor()  
      boolean getForward()
      If false, the JWT is removed in the request after a success verification.
      String getForwardPayloadHeader()
      This field specifies the header name to forward a successfully verified JWT payload to the backend.
      com.google.protobuf.ByteString getForwardPayloadHeaderBytes()
      This field specifies the header name to forward a successfully verified JWT payload to the backend.
      String getFromCookies​(int index)
      JWT is sent in a cookie.
      com.google.protobuf.ByteString getFromCookiesBytes​(int index)
      JWT is sent in a cookie.
      int getFromCookiesCount()
      JWT is sent in a cookie.
      com.google.protobuf.ProtocolStringList getFromCookiesList()
      JWT is sent in a cookie.
      JwtHeader getFromHeaders​(int index)
      Two fields below define where to extract the JWT from an HTTP request.
      int getFromHeadersCount()
      Two fields below define where to extract the JWT from an HTTP request.
      List<JwtHeader> getFromHeadersList()
      Two fields below define where to extract the JWT from an HTTP request.
      JwtHeaderOrBuilder getFromHeadersOrBuilder​(int index)
      Two fields below define where to extract the JWT from an HTTP request.
      List<? extends JwtHeaderOrBuilder> getFromHeadersOrBuilderList()
      Two fields below define where to extract the JWT from an HTTP request.
      String getFromParams​(int index)
      JWT is sent in a query parameter.
      com.google.protobuf.ByteString getFromParamsBytes​(int index)
      JWT is sent in a query parameter.
      int getFromParamsCount()
      JWT is sent in a query parameter.
      com.google.protobuf.ProtocolStringList getFromParamsList()
      JWT is sent in a query parameter.
      String getHeaderInMetadata()
      If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`, a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>` as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the value of this field as the key.
      com.google.protobuf.ByteString getHeaderInMetadataBytes()
      If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`, a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>` as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the value of this field as the key.
      String getIssuer()
      Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address.
      com.google.protobuf.ByteString getIssuerBytes()
      Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address.
      JwtProvider.JwksSourceSpecifierCase getJwksSourceSpecifierCase()  
      JwtCacheConfig getJwtCacheConfig()
      Enables JWT cache, its size is specified by ``jwt_cache_size``.
      JwtCacheConfigOrBuilder getJwtCacheConfigOrBuilder()
      Enables JWT cache, its size is specified by ``jwt_cache_size``.
      DataSource getLocalJwks()
      JWKS is in local data source.
      DataSourceOrBuilder getLocalJwksOrBuilder()
      JWKS is in local data source.
      boolean getPadForwardPayloadHeader()
      When :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>` is specified, the base64 encoded payload will be added to the headers.
      com.google.protobuf.Parser<JwtProvider> getParserForType()  
      String getPayloadInMetadata()
      If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn```` The value is the ``protobuf::Struct``.
      com.google.protobuf.ByteString getPayloadInMetadataBytes()
      If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn```` The value is the ``protobuf::Struct``.
      RemoteJwks getRemoteJwks()
      JWKS can be fetched from remote server via HTTP/HTTPS.
      RemoteJwksOrBuilder getRemoteJwksOrBuilder()
      JWKS can be fetched from remote server via HTTP/HTTPS.
      int getSerializedSize()  
      com.google.protobuf.UnknownFieldSet getUnknownFields()  
      int hashCode()  
      boolean hasJwtCacheConfig()
      Enables JWT cache, its size is specified by ``jwt_cache_size``.
      boolean hasLocalJwks()
      JWKS is in local data source.
      boolean hasRemoteJwks()
      JWKS can be fetched from remote server via HTTP/HTTPS.
      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()  
      boolean isInitialized()  
      static JwtProvider.Builder newBuilder()  
      static JwtProvider.Builder newBuilder​(JwtProvider prototype)  
      JwtProvider.Builder newBuilderForType()  
      protected JwtProvider.Builder newBuilderForType​(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)  
      protected Object newInstance​(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)  
      static JwtProvider parseDelimitedFrom​(InputStream input)  
      static JwtProvider parseDelimitedFrom​(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)  
      static JwtProvider parseFrom​(byte[] data)  
      static JwtProvider parseFrom​(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)  
      static JwtProvider parseFrom​(com.google.protobuf.ByteString data)  
      static JwtProvider parseFrom​(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)  
      static JwtProvider parseFrom​(com.google.protobuf.CodedInputStream input)  
      static JwtProvider parseFrom​(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)  
      static JwtProvider parseFrom​(InputStream input)  
      static JwtProvider parseFrom​(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)  
      static JwtProvider parseFrom​(ByteBuffer data)  
      static JwtProvider parseFrom​(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)  
      static com.google.protobuf.Parser<JwtProvider> parser()  
      JwtProvider.Builder toBuilder()  
      void writeTo​(com.google.protobuf.CodedOutputStream output)  

      • Methods inherited from class com.google.protobuf.GeneratedMessageV3

        canUseUnsafe, computeStringSize, computeStringSizeNoTag, emptyBooleanList, emptyDoubleList, emptyFloatList, emptyIntList, emptyLongList, getAllFields, getDescriptorForType, getField, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, hasField, hasOneof, internalGetMapField, isStringEmpty, makeExtensionsImmutable, mergeFromAndMakeImmutableInternal, mutableCopy, mutableCopy, mutableCopy, mutableCopy, mutableCopy, newBooleanList, newBuilderForType, newDoubleList, newFloatList, newIntList, newLongList, parseDelimitedWithIOException, parseDelimitedWithIOException, parseUnknownField, parseUnknownFieldProto3, parseWithIOException, parseWithIOException, parseWithIOException, parseWithIOException, serializeBooleanMapTo, serializeIntegerMapTo, serializeLongMapTo, serializeStringMapTo, writeReplace, writeString, writeStringNoTag

      • Methods inherited from class com.google.protobuf.AbstractMessage

        findInitializationErrors, getInitializationErrorString, hashBoolean, hashEnum, hashEnumList, hashFields, hashLong, toString

      • Methods inherited from class com.google.protobuf.AbstractMessageLite

        addAll, addAll, checkByteStringIsUtf8, toByteArray, toByteString, writeDelimitedTo, writeTo

      • Methods inherited from interface com.google.protobuf.MessageLite

        toByteArray, toByteString, writeDelimitedTo, writeTo

      • Methods inherited from interface com.google.protobuf.MessageOrBuilder

        findInitializationErrors, getAllFields, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, hasField, hasOneof

    • Field Detail

      • REMOTE_JWKS_FIELD_NUMBER

        public static final int REMOTE_JWKS_FIELD_NUMBER
        See Also:
        Constant Field Values

      • LOCAL_JWKS_FIELD_NUMBER

        public static final int LOCAL_JWKS_FIELD_NUMBER
        See Also:
        Constant Field Values

      • FROM_HEADERS_FIELD_NUMBER

        public static final int FROM_HEADERS_FIELD_NUMBER
        See Also:
        Constant Field Values

      • FROM_PARAMS_FIELD_NUMBER

        public static final int FROM_PARAMS_FIELD_NUMBER
        See Also:
        Constant Field Values

      • FROM_COOKIES_FIELD_NUMBER

        public static final int FROM_COOKIES_FIELD_NUMBER
        See Also:
        Constant Field Values

      • FORWARD_PAYLOAD_HEADER_FIELD_NUMBER

        public static final int FORWARD_PAYLOAD_HEADER_FIELD_NUMBER
        See Also:
        Constant Field Values

      • PAD_FORWARD_PAYLOAD_HEADER_FIELD_NUMBER

        public static final int PAD_FORWARD_PAYLOAD_HEADER_FIELD_NUMBER
        See Also:
        Constant Field Values

      • PAYLOAD_IN_METADATA_FIELD_NUMBER

        public static final int PAYLOAD_IN_METADATA_FIELD_NUMBER
        See Also:
        Constant Field Values

      • HEADER_IN_METADATA_FIELD_NUMBER

        public static final int HEADER_IN_METADATA_FIELD_NUMBER
        See Also:
        Constant Field Values

      • CLOCK_SKEW_SECONDS_FIELD_NUMBER

        public static final int CLOCK_SKEW_SECONDS_FIELD_NUMBER
        See Also:
        Constant Field Values

      • JWT_CACHE_CONFIG_FIELD_NUMBER

        public static final int JWT_CACHE_CONFIG_FIELD_NUMBER
        See Also:
        Constant Field Values

    • Method Detail

      • newInstance

        protected Object newInstance​(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
        Overrides:
        newInstance in class com.google.protobuf.GeneratedMessageV3

      • getUnknownFields

        public final com.google.protobuf.UnknownFieldSet getUnknownFields()
        Specified by:
        getUnknownFields in interface com.google.protobuf.MessageOrBuilder
        Overrides:
        getUnknownFields in class com.google.protobuf.GeneratedMessageV3

      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3

      • getIssuer

        public String getIssuer()
         Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.
 It is optional. If specified, it has to match the ``iss`` field in JWT,
 otherwise the JWT ``iss`` field is not checked.
 Note: ``JwtRequirement`` :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
 and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
 are implemented differently than other ``JwtRequirements``. Hence the usage of this field
 is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used:
 * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``.
 * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty.
 * Multiple ``JwtProviders`` should not have same value in this field.
 Example: https://securetoken.google.com
 Example: 1234567-compute@developer.gserviceaccount.com
        string issuer = 1;
        Specified by:
        getIssuer in interface JwtProviderOrBuilder
        Returns:
        The issuer.

      • getIssuerBytes

        public com.google.protobuf.ByteString getIssuerBytes()
         Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.
 It is optional. If specified, it has to match the ``iss`` field in JWT,
 otherwise the JWT ``iss`` field is not checked.
 Note: ``JwtRequirement`` :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
 and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
 are implemented differently than other ``JwtRequirements``. Hence the usage of this field
 is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used:
 * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``.
 * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty.
 * Multiple ``JwtProviders`` should not have same value in this field.
 Example: https://securetoken.google.com
 Example: 1234567-compute@developer.gserviceaccount.com
        string issuer = 1;
        Specified by:
        getIssuerBytes in interface JwtProviderOrBuilder
        Returns:
        The bytes for issuer.

      • getAudiencesList

        public com.google.protobuf.ProtocolStringList getAudiencesList()
         The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
        repeated string audiences = 2;
        Specified by:
        getAudiencesList in interface JwtProviderOrBuilder
        Returns:
        A list containing the audiences.

      • getAudiencesCount

        public int getAudiencesCount()
         The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
        repeated string audiences = 2;
        Specified by:
        getAudiencesCount in interface JwtProviderOrBuilder
        Returns:
        The count of audiences.

      • getAudiences

        public String getAudiences​(int index)
         The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
        repeated string audiences = 2;
        Specified by:
        getAudiences in interface JwtProviderOrBuilder
        Parameters:
        index - The index of the element to return.
        Returns:
        The audiences at the given index.

      • getAudiencesBytes

        public com.google.protobuf.ByteString getAudiencesBytes​(int index)
         The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
        repeated string audiences = 2;
        Specified by:
        getAudiencesBytes in interface JwtProviderOrBuilder
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the audiences at the given index.

      • hasRemoteJwks

        public boolean hasRemoteJwks()
         JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
        .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;
        Specified by:
        hasRemoteJwks in interface JwtProviderOrBuilder
        Returns:
        Whether the remoteJwks field is set.

      • getRemoteJwks

        public RemoteJwks getRemoteJwks()
         JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
        .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;
        Specified by:
        getRemoteJwks in interface JwtProviderOrBuilder
        Returns:
        The remoteJwks.

      • getRemoteJwksOrBuilder

        public RemoteJwksOrBuilder getRemoteJwksOrBuilder()
         JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
        .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;
        Specified by:
        getRemoteJwksOrBuilder in interface JwtProviderOrBuilder

      • hasLocalJwks

        public boolean hasLocalJwks()
         JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA
        .envoy.config.core.v3.DataSource local_jwks = 4;
        Specified by:
        hasLocalJwks in interface JwtProviderOrBuilder
        Returns:
        Whether the localJwks field is set.

      • getLocalJwks

        public DataSource getLocalJwks()
         JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA
        .envoy.config.core.v3.DataSource local_jwks = 4;
        Specified by:
        getLocalJwks in interface JwtProviderOrBuilder
        Returns:
        The localJwks.

      • getLocalJwksOrBuilder

        public DataSourceOrBuilder getLocalJwksOrBuilder()
         JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA
        .envoy.config.core.v3.DataSource local_jwks = 4;
        Specified by:
        getLocalJwksOrBuilder in interface JwtProviderOrBuilder

      • getForward

        public boolean getForward()
         If false, the JWT is removed in the request after a success verification. If true, the JWT is
 not removed in the request. Default value is false.
 caveat: only works for from_header & has no effect for JWTs extracted through from_params & from_cookies.
        bool forward = 5;
        Specified by:
        getForward in interface JwtProviderOrBuilder
        Returns:
        The forward.

      • getFromHeadersList

        public List<JwtHeader> getFromHeadersList()
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
        Specified by:
        getFromHeadersList in interface JwtProviderOrBuilder

      • getFromHeadersOrBuilderList

        public List<? extends JwtHeaderOrBuilder> getFromHeadersOrBuilderList()
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
        Specified by:
        getFromHeadersOrBuilderList in interface JwtProviderOrBuilder

      • getFromHeadersCount

        public int getFromHeadersCount()
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
        Specified by:
        getFromHeadersCount in interface JwtProviderOrBuilder

      • getFromHeaders

        public JwtHeader getFromHeaders​(int index)
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
        Specified by:
        getFromHeaders in interface JwtProviderOrBuilder

      • getFromHeadersOrBuilder

        public JwtHeaderOrBuilder getFromHeadersOrBuilder​(int index)
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;
        Specified by:
        getFromHeadersOrBuilder in interface JwtProviderOrBuilder

      • getFromParamsList

        public com.google.protobuf.ProtocolStringList getFromParamsList()
         JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
        repeated string from_params = 7;
        Specified by:
        getFromParamsList in interface JwtProviderOrBuilder
        Returns:
        A list containing the fromParams.

      • getFromParamsCount

        public int getFromParamsCount()
         JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
        repeated string from_params = 7;
        Specified by:
        getFromParamsCount in interface JwtProviderOrBuilder
        Returns:
        The count of fromParams.

      • getFromParams

        public String getFromParams​(int index)
         JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
        repeated string from_params = 7;
        Specified by:
        getFromParams in interface JwtProviderOrBuilder
        Parameters:
        index - The index of the element to return.
        Returns:
        The fromParams at the given index.

      • getFromParamsBytes

        public com.google.protobuf.ByteString getFromParamsBytes​(int index)
         JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
        repeated string from_params = 7;
        Specified by:
        getFromParamsBytes in interface JwtProviderOrBuilder
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the fromParams at the given index.

      • getFromCookiesList

        public com.google.protobuf.ProtocolStringList getFromCookiesList()
         JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.
 For example, if config is:
 .. code-block:: yaml
   from_cookies:
   - auth-token
 Then JWT will be extracted from ``auth-token`` cookie in the request.
        repeated string from_cookies = 13;
        Specified by:
        getFromCookiesList in interface JwtProviderOrBuilder
        Returns:
        A list containing the fromCookies.

      • getFromCookiesCount

        public int getFromCookiesCount()
         JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.
 For example, if config is:
 .. code-block:: yaml
   from_cookies:
   - auth-token
 Then JWT will be extracted from ``auth-token`` cookie in the request.
        repeated string from_cookies = 13;
        Specified by:
        getFromCookiesCount in interface JwtProviderOrBuilder
        Returns:
        The count of fromCookies.

      • getFromCookies

        public String getFromCookies​(int index)
         JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.
 For example, if config is:
 .. code-block:: yaml
   from_cookies:
   - auth-token
 Then JWT will be extracted from ``auth-token`` cookie in the request.
        repeated string from_cookies = 13;
        Specified by:
        getFromCookies in interface JwtProviderOrBuilder
        Parameters:
        index - The index of the element to return.
        Returns:
        The fromCookies at the given index.

      • getFromCookiesBytes

        public com.google.protobuf.ByteString getFromCookiesBytes​(int index)
         JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.
 For example, if config is:
 .. code-block:: yaml
   from_cookies:
   - auth-token
 Then JWT will be extracted from ``auth-token`` cookie in the request.
        repeated string from_cookies = 13;
        Specified by:
        getFromCookiesBytes in interface JwtProviderOrBuilder
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the fromCookies at the given index.

      • getForwardPayloadHeader

        public String getForwardPayloadHeader()
         This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::
    base64url_encoded(jwt_payload_in_JSON)
 If it is not specified, the payload will not be forwarded.
        string forward_payload_header = 8 [(.validate.rules) = { ... }
        Specified by:
        getForwardPayloadHeader in interface JwtProviderOrBuilder
        Returns:
        The forwardPayloadHeader.

      • getForwardPayloadHeaderBytes

        public com.google.protobuf.ByteString getForwardPayloadHeaderBytes()
         This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::
    base64url_encoded(jwt_payload_in_JSON)
 If it is not specified, the payload will not be forwarded.
        string forward_payload_header = 8 [(.validate.rules) = { ... }
        Specified by:
        getForwardPayloadHeaderBytes in interface JwtProviderOrBuilder
        Returns:
        The bytes for forwardPayloadHeader.

      • getPadForwardPayloadHeader

        public boolean getPadForwardPayloadHeader()
         When :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
 is specified, the base64 encoded payload will be added to the headers.
 Normally JWT based64 encode doesn't add padding. If this field is true,
 the header will be padded.
 This field is only relevant if :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
 is specified.
        bool pad_forward_payload_header = 11;
        Specified by:
        getPadForwardPayloadHeader in interface JwtProviderOrBuilder
        Returns:
        The padForwardPayloadHeader.

      • getPayloadInMetadata

        public String getPayloadInMetadata()
         If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
 The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields``
 and the value is the ``protobuf::Struct`` converted from JWT JSON payload.
 For example, if payload_in_metadata is ``my_payload``:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
        string payload_in_metadata = 9;
        Specified by:
        getPayloadInMetadata in interface JwtProviderOrBuilder
        Returns:
        The payloadInMetadata.

      • getPayloadInMetadataBytes

        public com.google.protobuf.ByteString getPayloadInMetadataBytes()
         If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
 The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields``
 and the value is the ``protobuf::Struct`` converted from JWT JSON payload.
 For example, if payload_in_metadata is ``my_payload``:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
        string payload_in_metadata = 9;
        Specified by:
        getPayloadInMetadataBytes in interface JwtProviderOrBuilder
        Returns:
        The bytes for payloadInMetadata.

      • getHeaderInMetadata

        public String getHeaderInMetadata()
         If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
 a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
 as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the
 value of this field as the key.
 For example, if ``header_in_metadata`` is ``my_header``:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256
 When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if
 :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
 is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256
 .. warning::
   Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   is not suggested due to potential override of existing entry, while it is not enforced during
   config validation.
        string header_in_metadata = 14;
        Specified by:
        getHeaderInMetadata in interface JwtProviderOrBuilder
        Returns:
        The headerInMetadata.

      • getHeaderInMetadataBytes

        public com.google.protobuf.ByteString getHeaderInMetadataBytes()
         If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
 a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
 as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the
 value of this field as the key.
 For example, if ``header_in_metadata`` is ``my_header``:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256
 When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if
 :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
 is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256
 .. warning::
   Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   is not suggested due to potential override of existing entry, while it is not enforced during
   config validation.
        string header_in_metadata = 14;
        Specified by:
        getHeaderInMetadataBytes in interface JwtProviderOrBuilder
        Returns:
        The bytes for headerInMetadata.

      • getClockSkewSeconds

        public int getClockSkewSeconds()
         Specify the clock skew in seconds when verifying JWT time constraint,
 such as ``exp``, and ``nbf``. If not specified, default is 60 seconds.
        uint32 clock_skew_seconds = 10;
        Specified by:
        getClockSkewSeconds in interface JwtProviderOrBuilder
        Returns:
        The clockSkewSeconds.

      • hasJwtCacheConfig

        public boolean hasJwtCacheConfig()
         Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWT tokens are cached.
        .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;
        Specified by:
        hasJwtCacheConfig in interface JwtProviderOrBuilder
        Returns:
        Whether the jwtCacheConfig field is set.

      • getJwtCacheConfig

        public JwtCacheConfig getJwtCacheConfig()
         Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWT tokens are cached.
        .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;
        Specified by:
        getJwtCacheConfig in interface JwtProviderOrBuilder
        Returns:
        The jwtCacheConfig.

      • getJwtCacheConfigOrBuilder

        public JwtCacheConfigOrBuilder getJwtCacheConfigOrBuilder()
         Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWT tokens are cached.
        .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;
        Specified by:
        getJwtCacheConfigOrBuilder in interface JwtProviderOrBuilder

      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessageV3

      • writeTo

        public void writeTo​(com.google.protobuf.CodedOutputStream output)
             throws IOException
        Specified by:
        writeTo in interface com.google.protobuf.MessageLite
        Overrides:
        writeTo in class com.google.protobuf.GeneratedMessageV3
        Throws:
        IOException

      • getSerializedSize

        public int getSerializedSize()
        Specified by:
        getSerializedSize in interface com.google.protobuf.MessageLite
        Overrides:
        getSerializedSize in class com.google.protobuf.GeneratedMessageV3

      • equals

        public boolean equals​(Object obj)
        Specified by:
        equals in interface com.google.protobuf.Message
        Overrides:
        equals in class com.google.protobuf.AbstractMessage

      • hashCode

        public int hashCode()
        Specified by:
        hashCode in interface com.google.protobuf.Message
        Overrides:
        hashCode in class com.google.protobuf.AbstractMessage

      • parseFrom

        public static JwtProvider parseFrom​(ByteBuffer data)
                             throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static JwtProvider parseFrom​(ByteBuffer data,
                                    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                             throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static JwtProvider parseFrom​(com.google.protobuf.ByteString data)
                             throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static JwtProvider parseFrom​(com.google.protobuf.ByteString data,
                                    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                             throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static JwtProvider parseFrom​(byte[] data)
                             throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static JwtProvider parseFrom​(byte[] data,
                                    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                             throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static JwtProvider parseFrom​(com.google.protobuf.CodedInputStream input,
                                    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                             throws IOException
        Throws:
        IOException

      • newBuilderForType

        public JwtProvider.Builder newBuilderForType()
        Specified by:
        newBuilderForType in interface com.google.protobuf.Message
        Specified by:
        newBuilderForType in interface com.google.protobuf.MessageLite

      • toBuilder

        public JwtProvider.Builder toBuilder()
        Specified by:
        toBuilder in interface com.google.protobuf.Message
        Specified by:
        toBuilder in interface com.google.protobuf.MessageLite

      • newBuilderForType

        protected JwtProvider.Builder newBuilderForType​(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
        Specified by:
        newBuilderForType in class com.google.protobuf.GeneratedMessageV3

      • getDefaultInstance

        public static JwtProvider getDefaultInstance()

      • parser

        public static com.google.protobuf.Parser<JwtProvider> parser()

      • getParserForType

        public com.google.protobuf.Parser<JwtProvider> getParserForType()
        Specified by:
        getParserForType in interface com.google.protobuf.Message
        Specified by:
        getParserForType in interface com.google.protobuf.MessageLite
        Overrides:
        getParserForType in class com.google.protobuf.GeneratedMessageV3

      • getDefaultInstanceForType

        public JwtProvider getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder