Package io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3

Interface JwtProviderOrBuilder

  • All Superinterfaces:
    com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
    All Known Implementing Classes:
    JwtProvider, JwtProvider.Builder
    public interface JwtProviderOrBuilder
extends com.google.protobuf.MessageOrBuilder

    • Method Summary

      All Methods Instance Methods Abstract Methods 
      Modifier and Type Method Description
      String getAudiences​(int index)
      The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
      com.google.protobuf.ByteString getAudiencesBytes​(int index)
      The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
      int getAudiencesCount()
      The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
      List<String> getAudiencesList()
      The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are allowed to access.
      int getClockSkewSeconds()
      Specify the clock skew in seconds when verifying JWT time constraint, such as ``exp``, and ``nbf``.
      boolean getForward()
      If false, the JWT is removed in the request after a success verification.
      String getForwardPayloadHeader()
      This field specifies the header name to forward a successfully verified JWT payload to the backend.
      com.google.protobuf.ByteString getForwardPayloadHeaderBytes()
      This field specifies the header name to forward a successfully verified JWT payload to the backend.
      String getFromCookies​(int index)
      JWT is sent in a cookie.
      com.google.protobuf.ByteString getFromCookiesBytes​(int index)
      JWT is sent in a cookie.
      int getFromCookiesCount()
      JWT is sent in a cookie.
      List<String> getFromCookiesList()
      JWT is sent in a cookie.
      JwtHeader getFromHeaders​(int index)
      Two fields below define where to extract the JWT from an HTTP request.
      int getFromHeadersCount()
      Two fields below define where to extract the JWT from an HTTP request.
      List<JwtHeader> getFromHeadersList()
      Two fields below define where to extract the JWT from an HTTP request.
      JwtHeaderOrBuilder getFromHeadersOrBuilder​(int index)
      Two fields below define where to extract the JWT from an HTTP request.
      List<? extends JwtHeaderOrBuilder> getFromHeadersOrBuilderList()
      Two fields below define where to extract the JWT from an HTTP request.
      String getFromParams​(int index)
      JWT is sent in a query parameter.
      com.google.protobuf.ByteString getFromParamsBytes​(int index)
      JWT is sent in a query parameter.
      int getFromParamsCount()
      JWT is sent in a query parameter.
      List<String> getFromParamsList()
      JWT is sent in a query parameter.
      String getHeaderInMetadata()
      If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`, a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>` as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the value of this field as the key.
      com.google.protobuf.ByteString getHeaderInMetadataBytes()
      If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`, a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>` as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the value of this field as the key.
      String getIssuer()
      Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address.
      com.google.protobuf.ByteString getIssuerBytes()
      Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued the JWT, usually a URL or an email address.
      JwtProvider.JwksSourceSpecifierCase getJwksSourceSpecifierCase()  
      JwtCacheConfig getJwtCacheConfig()
      Enables JWT cache, its size is specified by ``jwt_cache_size``.
      JwtCacheConfigOrBuilder getJwtCacheConfigOrBuilder()
      Enables JWT cache, its size is specified by ``jwt_cache_size``.
      DataSource getLocalJwks()
      JWKS is in local data source.
      DataSourceOrBuilder getLocalJwksOrBuilder()
      JWKS is in local data source.
      boolean getPadForwardPayloadHeader()
      When :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>` is specified, the base64 encoded payload will be added to the headers.
      String getPayloadInMetadata()
      If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn```` The value is the ``protobuf::Struct``.
      com.google.protobuf.ByteString getPayloadInMetadataBytes()
      If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn```` The value is the ``protobuf::Struct``.
      RemoteJwks getRemoteJwks()
      JWKS can be fetched from remote server via HTTP/HTTPS.
      RemoteJwksOrBuilder getRemoteJwksOrBuilder()
      JWKS can be fetched from remote server via HTTP/HTTPS.
      boolean hasJwtCacheConfig()
      Enables JWT cache, its size is specified by ``jwt_cache_size``.
      boolean hasLocalJwks()
      JWKS is in local data source.
      boolean hasRemoteJwks()
      JWKS can be fetched from remote server via HTTP/HTTPS.

      • Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder

        isInitialized

      • Methods inherited from interface com.google.protobuf.MessageOrBuilder

        findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof

    • Method Detail

      • getIssuer

        String getIssuer()
         Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.
 It is optional. If specified, it has to match the ``iss`` field in JWT,
 otherwise the JWT ``iss`` field is not checked.
 Note: ``JwtRequirement`` :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
 and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
 are implemented differently than other ``JwtRequirements``. Hence the usage of this field
 is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used:
 * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``.
 * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty.
 * Multiple ``JwtProviders`` should not have same value in this field.
 Example: https://securetoken.google.com
 Example: 1234567-compute@developer.gserviceaccount.com
        string issuer = 1;
        Returns:
        The issuer.

      • getIssuerBytes

        com.google.protobuf.ByteString getIssuerBytes()
         Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
 the JWT, usually a URL or an email address.
 It is optional. If specified, it has to match the ``iss`` field in JWT,
 otherwise the JWT ``iss`` field is not checked.
 Note: ``JwtRequirement`` :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
 and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
 are implemented differently than other ``JwtRequirements``. Hence the usage of this field
 is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used:
 * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``.
 * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty.
 * Multiple ``JwtProviders`` should not have same value in this field.
 Example: https://securetoken.google.com
 Example: 1234567-compute@developer.gserviceaccount.com
        string issuer = 1;
        Returns:
        The bytes for issuer.

      • getAudiencesList

        List<String> getAudiencesList()
         The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
        repeated string audiences = 2;
        Returns:
        A list containing the audiences.

      • getAudiencesCount

        int getAudiencesCount()
         The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
        repeated string audiences = 2;
        Returns:
        The count of audiences.

      • getAudiences

        String getAudiences​(int index)
         The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
        repeated string audiences = 2;
        Parameters:
        index - The index of the element to return.
        Returns:
        The audiences at the given index.

      • getAudiencesBytes

        com.google.protobuf.ByteString getAudiencesBytes​(int index)
         The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
 allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
 will not check audiences in the token.
 Example:
 .. code-block:: yaml
     audiences:
     - bookstore_android.apps.googleusercontent.com
     - bookstore_web.apps.googleusercontent.com
        repeated string audiences = 2;
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the audiences at the given index.

      • hasRemoteJwks

        boolean hasRemoteJwks()
         JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
        .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;
        Returns:
        Whether the remoteJwks field is set.

      • getRemoteJwks

        RemoteJwks getRemoteJwks()
         JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
        .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;
        Returns:
        The remoteJwks.

      • getRemoteJwksOrBuilder

        RemoteJwksOrBuilder getRemoteJwksOrBuilder()
         JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
 URI and how the fetched JWKS should be cached.
 Example:
 .. code-block:: yaml
    remote_jwks:
      http_uri:
        uri: https://www.googleapis.com/oauth2/v1/certs
        cluster: jwt.www.googleapis.com|443
        timeout: 1s
      cache_duration:
        seconds: 300
        .envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks remote_jwks = 3;

      • hasLocalJwks

        boolean hasLocalJwks()
         JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA
        .envoy.config.core.v3.DataSource local_jwks = 4;
        Returns:
        Whether the localJwks field is set.

      • getLocalJwks

        DataSource getLocalJwks()
         JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA
        .envoy.config.core.v3.DataSource local_jwks = 4;
        Returns:
        The localJwks.

      • getLocalJwksOrBuilder

        DataSourceOrBuilder getLocalJwksOrBuilder()
         JWKS is in local data source. It could be either in a local file or embedded in the
 inline_string.
 Example: local file
 .. code-block:: yaml
    local_jwks:
      filename: /etc/envoy/jwks/jwks1.txt
 Example: inline_string
 .. code-block:: yaml
    local_jwks:
      inline_string: ACADADADADA
        .envoy.config.core.v3.DataSource local_jwks = 4;

      • getForward

        boolean getForward()
         If false, the JWT is removed in the request after a success verification. If true, the JWT is
 not removed in the request. Default value is false.
 caveat: only works for from_header & has no effect for JWTs extracted through from_params & from_cookies.
        bool forward = 5;
        Returns:
        The forward.

      • getFromHeadersList

        List<JwtHeader> getFromHeadersList()
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

      • getFromHeaders

        JwtHeader getFromHeaders​(int index)
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

      • getFromHeadersCount

        int getFromHeadersCount()
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

      • getFromHeadersOrBuilderList

        List<? extends JwtHeaderOrBuilder> getFromHeadersOrBuilderList()
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

      • getFromHeadersOrBuilder

        JwtHeaderOrBuilder getFromHeadersOrBuilder​(int index)
         Two fields below define where to extract the JWT from an HTTP request.
 If no explicit location is specified, the following default locations are tried in order:
 1. The Authorization header using the `Bearer schema
 <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
    Authorization: Bearer <token>.
 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
 Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
 its provider specified or from the default locations.
 Specify the HTTP headers to extract JWT token. For examples, following config:
 .. code-block:: yaml
   from_headers:
   - name: x-goog-iap-jwt-assertion
 can be used to extract token from header::
   ``x-goog-iap-jwt-assertion: <JWT>``.
        repeated .envoy.extensions.filters.http.jwt_authn.v3.JwtHeader from_headers = 6;

      • getFromParamsList

        List<String> getFromParamsList()
         JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
        repeated string from_params = 7;
        Returns:
        A list containing the fromParams.

      • getFromParamsCount

        int getFromParamsCount()
         JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
        repeated string from_params = 7;
        Returns:
        The count of fromParams.

      • getFromParams

        String getFromParams​(int index)
         JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
        repeated string from_params = 7;
        Parameters:
        index - The index of the element to return.
        Returns:
        The fromParams at the given index.

      • getFromParamsBytes

        com.google.protobuf.ByteString getFromParamsBytes​(int index)
         JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.
 For example, if config is:
 .. code-block:: yaml
   from_params:
   - jwt_token
 The JWT format in query parameter is::
    /path?jwt_token=<JWT>
        repeated string from_params = 7;
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the fromParams at the given index.

      • getFromCookiesList

        List<String> getFromCookiesList()
         JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.
 For example, if config is:
 .. code-block:: yaml
   from_cookies:
   - auth-token
 Then JWT will be extracted from ``auth-token`` cookie in the request.
        repeated string from_cookies = 13;
        Returns:
        A list containing the fromCookies.

      • getFromCookiesCount

        int getFromCookiesCount()
         JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.
 For example, if config is:
 .. code-block:: yaml
   from_cookies:
   - auth-token
 Then JWT will be extracted from ``auth-token`` cookie in the request.
        repeated string from_cookies = 13;
        Returns:
        The count of fromCookies.

      • getFromCookies

        String getFromCookies​(int index)
         JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.
 For example, if config is:
 .. code-block:: yaml
   from_cookies:
   - auth-token
 Then JWT will be extracted from ``auth-token`` cookie in the request.
        repeated string from_cookies = 13;
        Parameters:
        index - The index of the element to return.
        Returns:
        The fromCookies at the given index.

      • getFromCookiesBytes

        com.google.protobuf.ByteString getFromCookiesBytes​(int index)
         JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.
 For example, if config is:
 .. code-block:: yaml
   from_cookies:
   - auth-token
 Then JWT will be extracted from ``auth-token`` cookie in the request.
        repeated string from_cookies = 13;
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the fromCookies at the given index.

      • getForwardPayloadHeader

        String getForwardPayloadHeader()
         This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::
    base64url_encoded(jwt_payload_in_JSON)
 If it is not specified, the payload will not be forwarded.
        string forward_payload_header = 8 [(.validate.rules) = { ... }
        Returns:
        The forwardPayloadHeader.

      • getForwardPayloadHeaderBytes

        com.google.protobuf.ByteString getForwardPayloadHeaderBytes()
         This field specifies the header name to forward a successfully verified JWT payload to the
 backend. The forwarded data is::
    base64url_encoded(jwt_payload_in_JSON)
 If it is not specified, the payload will not be forwarded.
        string forward_payload_header = 8 [(.validate.rules) = { ... }
        Returns:
        The bytes for forwardPayloadHeader.

      • getPadForwardPayloadHeader

        boolean getPadForwardPayloadHeader()
         When :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
 is specified, the base64 encoded payload will be added to the headers.
 Normally JWT based64 encode doesn't add padding. If this field is true,
 the header will be padded.
 This field is only relevant if :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
 is specified.
        bool pad_forward_payload_header = 11;
        Returns:
        The padForwardPayloadHeader.

      • getPayloadInMetadata

        String getPayloadInMetadata()
         If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
 The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields``
 and the value is the ``protobuf::Struct`` converted from JWT JSON payload.
 For example, if payload_in_metadata is ``my_payload``:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
        string payload_in_metadata = 9;
        Returns:
        The payloadInMetadata.

      • getPayloadInMetadataBytes

        com.google.protobuf.ByteString getPayloadInMetadataBytes()
         If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
 in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
 The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields``
 and the value is the ``protobuf::Struct`` converted from JWT JSON payload.
 For example, if payload_in_metadata is ``my_payload``:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
        string payload_in_metadata = 9;
        Returns:
        The bytes for payloadInMetadata.

      • getHeaderInMetadata

        String getHeaderInMetadata()
         If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
 a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
 as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the
 value of this field as the key.
 For example, if ``header_in_metadata`` is ``my_header``:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256
 When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if
 :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
 is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256
 .. warning::
   Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   is not suggested due to potential override of existing entry, while it is not enforced during
   config validation.
        string header_in_metadata = 14;
        Returns:
        The headerInMetadata.

      • getHeaderInMetadataBytes

        com.google.protobuf.ByteString getHeaderInMetadataBytes()
         If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
 a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
 as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the
 value of this field as the key.
 For example, if ``header_in_metadata`` is ``my_header``:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256
 When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if
 :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
 is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below:
 .. code-block:: yaml
   envoy.filters.http.jwt_authn:
     my_payload:
       iss: https://example.com
       sub: test@example.com
       aud: https://example.com
       exp: 1501281058
     my_header:
       alg: JWT
       kid: EF71iSaosbC5C4tC6Syq1Gm647M
       alg: PS256
 .. warning::
   Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
   is not suggested due to potential override of existing entry, while it is not enforced during
   config validation.
        string header_in_metadata = 14;
        Returns:
        The bytes for headerInMetadata.

      • getClockSkewSeconds

        int getClockSkewSeconds()
         Specify the clock skew in seconds when verifying JWT time constraint,
 such as ``exp``, and ``nbf``. If not specified, default is 60 seconds.
        uint32 clock_skew_seconds = 10;
        Returns:
        The clockSkewSeconds.

      • hasJwtCacheConfig

        boolean hasJwtCacheConfig()
         Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWT tokens are cached.
        .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;
        Returns:
        Whether the jwtCacheConfig field is set.

      • getJwtCacheConfig

        JwtCacheConfig getJwtCacheConfig()
         Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWT tokens are cached.
        .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;
        Returns:
        The jwtCacheConfig.

      • getJwtCacheConfigOrBuilder

        JwtCacheConfigOrBuilder getJwtCacheConfigOrBuilder()
         Enables JWT cache, its size is specified by ``jwt_cache_size``.
 Only valid JWT tokens are cached.
        .envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig jwt_cache_config = 12;