Documentation
¶
Index ¶
- Constants
- Variables
- type FilterStateRule
- func (x *FilterStateRule) GetName() string
- func (x *FilterStateRule) GetRequires() map[string]*JwtRequirement
- func (*FilterStateRule) ProtoMessage()
- func (x *FilterStateRule) ProtoReflect() protoreflect.Message
- func (x *FilterStateRule) Reset()
- func (x *FilterStateRule) SetName(v string)
- func (x *FilterStateRule) SetRequires(v map[string]*JwtRequirement)
- func (x *FilterStateRule) String() string
- type FilterStateRule_builder
- type JwtAuthentication
- func (x *JwtAuthentication) ClearFilterStateRules()
- func (x *JwtAuthentication) GetBypassCorsPreflight() bool
- func (x *JwtAuthentication) GetFilterStateRules() *FilterStateRule
- func (x *JwtAuthentication) GetProviders() map[string]*JwtProvider
- func (x *JwtAuthentication) GetRules() []*RequirementRule
- func (x *JwtAuthentication) HasFilterStateRules() bool
- func (*JwtAuthentication) ProtoMessage()
- func (x *JwtAuthentication) ProtoReflect() protoreflect.Message
- func (x *JwtAuthentication) Reset()
- func (x *JwtAuthentication) SetBypassCorsPreflight(v bool)
- func (x *JwtAuthentication) SetFilterStateRules(v *FilterStateRule)
- func (x *JwtAuthentication) SetProviders(v map[string]*JwtProvider)
- func (x *JwtAuthentication) SetRules(v []*RequirementRule)
- func (x *JwtAuthentication) String() string
- type JwtAuthentication_builder
- type JwtHeader
- func (x *JwtHeader) GetName() string
- func (x *JwtHeader) GetValuePrefix() string
- func (*JwtHeader) ProtoMessage()
- func (x *JwtHeader) ProtoReflect() protoreflect.Message
- func (x *JwtHeader) Reset()
- func (x *JwtHeader) SetName(v string)
- func (x *JwtHeader) SetValuePrefix(v string)
- func (x *JwtHeader) String() string
- type JwtHeader_builder
- type JwtProvider
- func (x *JwtProvider) ClearJwksSourceSpecifier()
- func (x *JwtProvider) ClearLocalJwks()
- func (x *JwtProvider) ClearRemoteJwks()
- func (x *JwtProvider) GetAudiences() []string
- func (x *JwtProvider) GetForward() bool
- func (x *JwtProvider) GetForwardPayloadHeader() string
- func (x *JwtProvider) GetFromHeaders() []*JwtHeader
- func (x *JwtProvider) GetFromParams() []string
- func (x *JwtProvider) GetIssuer() string
- func (x *JwtProvider) GetJwksSourceSpecifier() isJwtProvider_JwksSourceSpecifier
- func (x *JwtProvider) GetLocalJwks() *core.DataSource
- func (x *JwtProvider) GetPayloadInMetadata() string
- func (x *JwtProvider) GetRemoteJwks() *RemoteJwks
- func (x *JwtProvider) HasJwksSourceSpecifier() bool
- func (x *JwtProvider) HasLocalJwks() bool
- func (x *JwtProvider) HasRemoteJwks() bool
- func (*JwtProvider) ProtoMessage()
- func (x *JwtProvider) ProtoReflect() protoreflect.Message
- func (x *JwtProvider) Reset()
- func (x *JwtProvider) SetAudiences(v []string)
- func (x *JwtProvider) SetForward(v bool)
- func (x *JwtProvider) SetForwardPayloadHeader(v string)
- func (x *JwtProvider) SetFromHeaders(v []*JwtHeader)
- func (x *JwtProvider) SetFromParams(v []string)
- func (x *JwtProvider) SetIssuer(v string)
- func (x *JwtProvider) SetLocalJwks(v *core.DataSource)
- func (x *JwtProvider) SetPayloadInMetadata(v string)
- func (x *JwtProvider) SetRemoteJwks(v *RemoteJwks)
- func (x *JwtProvider) String() string
- func (x *JwtProvider) WhichJwksSourceSpecifier() case_JwtProvider_JwksSourceSpecifier
- type JwtProvider_LocalJwks
- type JwtProvider_RemoteJwks
- type JwtProvider_builder
- type JwtRequirement
- func (x *JwtRequirement) ClearAllowMissing()
- func (x *JwtRequirement) ClearAllowMissingOrFailed()
- func (x *JwtRequirement) ClearProviderAndAudiences()
- func (x *JwtRequirement) ClearProviderName()
- func (x *JwtRequirement) ClearRequiresAll()
- func (x *JwtRequirement) ClearRequiresAny()
- func (x *JwtRequirement) ClearRequiresType()
- func (x *JwtRequirement) GetAllowMissing() *emptypb.Empty
- func (x *JwtRequirement) GetAllowMissingOrFailed() *emptypb.Empty
- func (x *JwtRequirement) GetProviderAndAudiences() *ProviderWithAudiences
- func (x *JwtRequirement) GetProviderName() string
- func (x *JwtRequirement) GetRequiresAll() *JwtRequirementAndList
- func (x *JwtRequirement) GetRequiresAny() *JwtRequirementOrList
- func (x *JwtRequirement) GetRequiresType() isJwtRequirement_RequiresType
- func (x *JwtRequirement) HasAllowMissing() bool
- func (x *JwtRequirement) HasAllowMissingOrFailed() bool
- func (x *JwtRequirement) HasProviderAndAudiences() bool
- func (x *JwtRequirement) HasProviderName() bool
- func (x *JwtRequirement) HasRequiresAll() bool
- func (x *JwtRequirement) HasRequiresAny() bool
- func (x *JwtRequirement) HasRequiresType() bool
- func (*JwtRequirement) ProtoMessage()
- func (x *JwtRequirement) ProtoReflect() protoreflect.Message
- func (x *JwtRequirement) Reset()
- func (x *JwtRequirement) SetAllowMissing(v *emptypb.Empty)
- func (x *JwtRequirement) SetAllowMissingOrFailed(v *emptypb.Empty)
- func (x *JwtRequirement) SetProviderAndAudiences(v *ProviderWithAudiences)
- func (x *JwtRequirement) SetProviderName(v string)
- func (x *JwtRequirement) SetRequiresAll(v *JwtRequirementAndList)
- func (x *JwtRequirement) SetRequiresAny(v *JwtRequirementOrList)
- func (x *JwtRequirement) String() string
- func (x *JwtRequirement) WhichRequiresType() case_JwtRequirement_RequiresType
- type JwtRequirementAndList
- func (x *JwtRequirementAndList) GetRequirements() []*JwtRequirement
- func (*JwtRequirementAndList) ProtoMessage()
- func (x *JwtRequirementAndList) ProtoReflect() protoreflect.Message
- func (x *JwtRequirementAndList) Reset()
- func (x *JwtRequirementAndList) SetRequirements(v []*JwtRequirement)
- func (x *JwtRequirementAndList) String() string
- type JwtRequirementAndList_builder
- type JwtRequirementOrList
- func (x *JwtRequirementOrList) GetRequirements() []*JwtRequirement
- func (*JwtRequirementOrList) ProtoMessage()
- func (x *JwtRequirementOrList) ProtoReflect() protoreflect.Message
- func (x *JwtRequirementOrList) Reset()
- func (x *JwtRequirementOrList) SetRequirements(v []*JwtRequirement)
- func (x *JwtRequirementOrList) String() string
- type JwtRequirementOrList_builder
- type JwtRequirement_AllowMissing
- type JwtRequirement_AllowMissingOrFailed
- type JwtRequirement_ProviderAndAudiences
- type JwtRequirement_ProviderName
- type JwtRequirement_RequiresAll
- type JwtRequirement_RequiresAny
- type JwtRequirement_builder
- type ProviderWithAudiences
- func (x *ProviderWithAudiences) GetAudiences() []string
- func (x *ProviderWithAudiences) GetProviderName() string
- func (*ProviderWithAudiences) ProtoMessage()
- func (x *ProviderWithAudiences) ProtoReflect() protoreflect.Message
- func (x *ProviderWithAudiences) Reset()
- func (x *ProviderWithAudiences) SetAudiences(v []string)
- func (x *ProviderWithAudiences) SetProviderName(v string)
- func (x *ProviderWithAudiences) String() string
- type ProviderWithAudiences_builder
- type RemoteJwks
- func (x *RemoteJwks) ClearCacheDuration()
- func (x *RemoteJwks) ClearHttpUri()
- func (x *RemoteJwks) GetCacheDuration() *durationpb.Duration
- func (x *RemoteJwks) GetHttpUri() *core.HttpUri
- func (x *RemoteJwks) HasCacheDuration() bool
- func (x *RemoteJwks) HasHttpUri() bool
- func (*RemoteJwks) ProtoMessage()
- func (x *RemoteJwks) ProtoReflect() protoreflect.Message
- func (x *RemoteJwks) Reset()
- func (x *RemoteJwks) SetCacheDuration(v *durationpb.Duration)
- func (x *RemoteJwks) SetHttpUri(v *core.HttpUri)
- func (x *RemoteJwks) String() string
- type RemoteJwks_builder
- type RequirementRule
- func (x *RequirementRule) ClearMatch()
- func (x *RequirementRule) ClearRequires()
- func (x *RequirementRule) GetMatch() *route.RouteMatch
- func (x *RequirementRule) GetRequires() *JwtRequirement
- func (x *RequirementRule) HasMatch() bool
- func (x *RequirementRule) HasRequires() bool
- func (*RequirementRule) ProtoMessage()
- func (x *RequirementRule) ProtoReflect() protoreflect.Message
- func (x *RequirementRule) Reset()
- func (x *RequirementRule) SetMatch(v *route.RouteMatch)
- func (x *RequirementRule) SetRequires(v *JwtRequirement)
- func (x *RequirementRule) String() string
- type RequirementRule_builder
Constants ¶
const JwtProvider_JwksSourceSpecifier_not_set_case case_JwtProvider_JwksSourceSpecifier = 0
const JwtProvider_LocalJwks_case case_JwtProvider_JwksSourceSpecifier = 4
const JwtProvider_RemoteJwks_case case_JwtProvider_JwksSourceSpecifier = 3
const JwtRequirement_AllowMissingOrFailed_case case_JwtRequirement_RequiresType = 5
const JwtRequirement_AllowMissing_case case_JwtRequirement_RequiresType = 6
const JwtRequirement_ProviderAndAudiences_case case_JwtRequirement_RequiresType = 2
const JwtRequirement_ProviderName_case case_JwtRequirement_RequiresType = 1
const JwtRequirement_RequiresAll_case case_JwtRequirement_RequiresType = 4
const JwtRequirement_RequiresAny_case case_JwtRequirement_RequiresType = 3
const JwtRequirement_RequiresType_not_set_case case_JwtRequirement_RequiresType = 0
Variables ¶
var File_envoy_config_filter_http_jwt_authn_v2alpha_config_proto protoreflect.FileDescriptor
Functions ¶
This section is empty.
Types ¶
type FilterStateRule ¶
// FilterStateRule selects a JwtRequirement at request time: the string stored
// in the filter-state object called Name is looked up as a key in Requires.
//
// NOTE(review): whichever filter writes that filter-state value decides which
// requirement is enforced, so the value should never be copied unchecked from
// client-controlled input. What happens when the value has no entry in
// Requires is not stated here — confirm before relying on it.
type FilterStateRule struct {
// The filter state name to retrieve the `Router::StringAccessor` object.
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
// A map of string keys to requirements. The string key is the string value
// in the FilterState with the name specified in the *name* field above.
Requires map[string]*JwtRequirement `` /* 143-byte string literal not displayed */
// contains filtered or unexported fields
}
This message specifies Jwt requirements based on stream_info.filterState. This FilterState should use `Router::StringAccessor` object to set a string value. Other HTTP filters can use it to specify Jwt requirements dynamically.
Example:
.. code-block:: yaml

    name: jwt_selector
    requires:
      issuer_1:
        provider_name: issuer1
      issuer_2:
        provider_name: issuer2
If a filter sets "jwt_selector" to "issuer_1" in the FilterState for a request, the jwt_authn filter will use JwtRequirement{"provider_name": "issuer1"} to verify that request.
func (*FilterStateRule) GetName ¶
func (x *FilterStateRule) GetName() string
func (*FilterStateRule) GetRequires ¶
func (x *FilterStateRule) GetRequires() map[string]*JwtRequirement
func (*FilterStateRule) ProtoMessage ¶
func (*FilterStateRule) ProtoMessage()
func (*FilterStateRule) ProtoReflect ¶
func (x *FilterStateRule) ProtoReflect() protoreflect.Message
func (*FilterStateRule) Reset ¶
func (x *FilterStateRule) Reset()
func (*FilterStateRule) SetName ¶
func (x *FilterStateRule) SetName(v string)
func (*FilterStateRule) SetRequires ¶
func (x *FilterStateRule) SetRequires(v map[string]*JwtRequirement)
func (*FilterStateRule) String ¶
func (x *FilterStateRule) String() string
type FilterStateRule_builder ¶
// FilterStateRule_builder carries the same two fields as FilterStateRule;
// Build returns the *FilterStateRule.
//
// NOTE(review): the keys of Requires are compared with a value that another
// filter places in filter state, so that value should not be taken unchecked
// from client-controlled input.
type FilterStateRule_builder struct {
// The filter state name to retrieve the `Router::StringAccessor` object.
Name string
// A map of string keys to requirements. The string key is the string value
// in the FilterState with the name specified in the *name* field above.
Requires map[string]*JwtRequirement
// contains filtered or unexported fields
}
func (FilterStateRule_builder) Build ¶
func (b0 FilterStateRule_builder) Build() *FilterStateRule
type JwtAuthentication ¶
// JwtAuthentication is the Envoy HTTP filter config for JWT authentication:
// a set of named providers plus the rules that decide which requirement a
// request has to satisfy.
type JwtAuthentication struct {
// Map of provider names to JwtProviders.
//
// .. code-block:: yaml
//
//     providers:
//       provider1:
//         issuer: issuer1
//         audiences:
//         - audience1
//         - audience2
//         remote_jwks:
//           http_uri:
//             uri: https://example.com/.well-known/jwks.json
//             cluster: example_jwks_cluster
//       provider2:
//         issuer: provider2
//         local_jwks:
//           inline_string: jwks_string
Providers map[string]*JwtProvider `` /* 145-byte string literal not displayed */
// Specifies requirements based on the route matches. The first matched requirement will be
// applied. If there are overlapped match conditions, please put the most specific match first.
//
// NOTE(review): a rule that has a match but no requires (the /healthz entry
// below) carries an empty requirement, and an empty JwtRequirement means JWT
// verification is not required. Because the first match wins, a broad
// unauthenticated prefix placed early shadows every stricter rule after it.
// What the filter does with a request that matches no rule is not stated
// here — confirm it, or end the list with a catch-all `prefix: /` rule.
//
// # Examples
//
// .. code-block:: yaml
//
//     rules:
//     - match:
//         prefix: /healthz
//     - match:
//         prefix: /baz
//       requires:
//         provider_name: provider1
//     - match:
//         prefix: /foo
//       requires:
//         requires_any:
//           requirements:
//           - provider_name: provider1
//           - provider_name: provider2
//     - match:
//         prefix: /bar
//       requires:
//         requires_all:
//           requirements:
//           - provider_name: provider1
//           - provider_name: provider2
Rules []*RequirementRule `protobuf:"bytes,2,rep,name=rules,proto3" json:"rules,omitempty"`
// This message specifies Jwt requirements based on stream_info.filterState.
// Other HTTP filters can use it to specify Jwt requirements dynamically.
// The *rules* field above is checked first; if it finds no match, this one
// is checked.
FilterStateRules *FilterStateRule `protobuf:"bytes,3,opt,name=filter_state_rules,json=filterStateRules,proto3" json:"filter_state_rules,omitempty"`
// When set to true, bypass the `CORS preflight request
// <http://www.w3.org/TR/cors/#cross-origin-request-with-preflight>`_ regardless of JWT
// requirements specified in the rules.
//
// NOTE(review): this exempts preflight requests from every rule above.
// Confirm how the filter recognises a preflight, so that an ordinary
// request cannot pass as one and skip verification.
BypassCorsPreflight bool `protobuf:"varint,4,opt,name=bypass_cors_preflight,json=bypassCorsPreflight,proto3" json:"bypass_cors_preflight,omitempty"`
// contains filtered or unexported fields
}
This is the Envoy HTTP filter config for JWT authentication.
For example:
.. code-block:: yaml

    providers:
      provider1:
        issuer: issuer1
        audiences:
        - audience1
        - audience2
        remote_jwks:
          http_uri:
            uri: https://example.com/.well-known/jwks.json
            cluster: example_jwks_cluster
      provider2:
        issuer: issuer2
        local_jwks:
          inline_string: jwks_string
    rules:
    # No JWT verification is required for the /health path
    - match:
        prefix: /health
    # JWT verification for provider1 is required for paths prefixed with "/prefix"
    - match:
        prefix: /prefix
      requires:
        provider_name: provider1
    # JWT verification for either provider1 or provider2 is required for all other requests.
    - match:
        prefix: /
      requires:
        requires_any:
          requirements:
          - provider_name: provider1
          - provider_name: provider2
func (*JwtAuthentication) ClearFilterStateRules ¶
func (x *JwtAuthentication) ClearFilterStateRules()
func (*JwtAuthentication) GetBypassCorsPreflight ¶
func (x *JwtAuthentication) GetBypassCorsPreflight() bool
func (*JwtAuthentication) GetFilterStateRules ¶
func (x *JwtAuthentication) GetFilterStateRules() *FilterStateRule
func (*JwtAuthentication) GetProviders ¶
func (x *JwtAuthentication) GetProviders() map[string]*JwtProvider
func (*JwtAuthentication) GetRules ¶
func (x *JwtAuthentication) GetRules() []*RequirementRule
func (*JwtAuthentication) HasFilterStateRules ¶
func (x *JwtAuthentication) HasFilterStateRules() bool
func (*JwtAuthentication) ProtoMessage ¶
func (*JwtAuthentication) ProtoMessage()
func (*JwtAuthentication) ProtoReflect ¶
func (x *JwtAuthentication) ProtoReflect() protoreflect.Message
func (*JwtAuthentication) Reset ¶
func (x *JwtAuthentication) Reset()
func (*JwtAuthentication) SetBypassCorsPreflight ¶
func (x *JwtAuthentication) SetBypassCorsPreflight(v bool)
func (*JwtAuthentication) SetFilterStateRules ¶
func (x *JwtAuthentication) SetFilterStateRules(v *FilterStateRule)
func (*JwtAuthentication) SetProviders ¶
func (x *JwtAuthentication) SetProviders(v map[string]*JwtProvider)
func (*JwtAuthentication) SetRules ¶
func (x *JwtAuthentication) SetRules(v []*RequirementRule)
func (*JwtAuthentication) String ¶
func (x *JwtAuthentication) String() string
type JwtAuthentication_builder ¶
// JwtAuthentication_builder lists the fields of JwtAuthentication as plain
// struct members; Build returns the *JwtAuthentication.
type JwtAuthentication_builder struct {
// Map of provider names to JwtProviders.
//
// .. code-block:: yaml
//
//     providers:
//       provider1:
//         issuer: issuer1
//         audiences:
//         - audience1
//         - audience2
//         remote_jwks:
//           http_uri:
//             uri: https://example.com/.well-known/jwks.json
//             cluster: example_jwks_cluster
//       provider2:
//         issuer: provider2
//         local_jwks:
//           inline_string: jwks_string
Providers map[string]*JwtProvider
// Specifies requirements based on the route matches. The first matched requirement will be
// applied. If there are overlapped match conditions, please put the most specific match first.
//
// NOTE(review): a rule with a match but no requires (the /healthz entry
// below) asks for no JWT verification, and the first match wins, so a broad
// unauthenticated prefix placed early shadows every stricter rule after it.
// The handling of a request that matches no rule is not stated here —
// confirm it, or end the list with a catch-all `prefix: /` rule.
//
// # Examples
//
// .. code-block:: yaml
//
//     rules:
//     - match:
//         prefix: /healthz
//     - match:
//         prefix: /baz
//       requires:
//         provider_name: provider1
//     - match:
//         prefix: /foo
//       requires:
//         requires_any:
//           requirements:
//           - provider_name: provider1
//           - provider_name: provider2
//     - match:
//         prefix: /bar
//       requires:
//         requires_all:
//           requirements:
//           - provider_name: provider1
//           - provider_name: provider2
Rules []*RequirementRule
// This message specifies Jwt requirements based on stream_info.filterState.
// Other HTTP filters can use it to specify Jwt requirements dynamically.
// The *rules* field above is checked first; if it finds no match, this one
// is checked.
FilterStateRules *FilterStateRule
// When set to true, bypass the `CORS preflight request
// <http://www.w3.org/TR/cors/#cross-origin-request-with-preflight>`_ regardless of JWT
// requirements specified in the rules.
//
// NOTE(review): this exempts preflight requests from every rule above.
// Confirm how the filter recognises a preflight, so that an ordinary
// request cannot pass as one and skip verification.
BypassCorsPreflight bool
// contains filtered or unexported fields
}
func (JwtAuthentication_builder) Build ¶
func (b0 JwtAuthentication_builder) Build() *JwtAuthentication
type JwtHeader ¶
// JwtHeader names one HTTP header to extract a JWT from, together with the
// text that precedes the token in that header's value.
type JwtHeader struct {
// The HTTP header name.
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
// The value prefix. The value format is "value_prefix<token>"
// For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
// end.
//
// NOTE(review): going by the format above the prefix is taken literally, so
// leaving out the trailing space would presumably leave that space in front
// of the token — confirm.
ValuePrefix string `protobuf:"bytes,2,opt,name=value_prefix,json=valuePrefix,proto3" json:"value_prefix,omitempty"`
// contains filtered or unexported fields
}
This message specifies a header location to extract JWT.
func (*JwtHeader) ProtoReflect ¶
func (x *JwtHeader) ProtoReflect() protoreflect.Message
type JwtHeader_builder ¶
// JwtHeader_builder carries the same two fields as JwtHeader; Build returns
// the *JwtHeader.
type JwtHeader_builder struct {
// The HTTP header name.
Name string
// The value prefix. The value format is "value_prefix<token>"
// For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
// end.
//
// NOTE(review): going by the format above the prefix is taken literally, so
// leaving out the trailing space would presumably leave that space in front
// of the token — confirm.
ValuePrefix string
// contains filtered or unexported fields
}
func (JwtHeader_builder) Build ¶
func (b0 JwtHeader_builder) Build() *JwtHeader
type JwtProvider ¶
// JwtProvider describes how tokens from one issuer are verified: the expected
// issuer and audiences, where the JWKS comes from, where the token is read
// from in the request, and what is passed on after a successful verification.
type JwtProvider struct {
// Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
// the JWT, usually a URL or an email address.
//
// Example: https://securetoken.google.com
// Example: 1234567-compute@developer.gserviceaccount.com
Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
// The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ that are
// allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
// audiences in the token will not be checked.
//
// NOTE(review): with this list empty the audience claim is not checked, so a
// token the same issuer minted for a different service is accepted here too.
// List the expected audiences unless that is intended.
//
// Example:
//
// .. code-block:: yaml
//
//     audiences:
//     - bookstore_android.apps.googleusercontent.com
//     - bookstore_web.apps.googleusercontent.com
Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
// `JSON Web Key Set (JWKS) <https://tools.ietf.org/html/rfc7517#appendix-A>`_ is needed to
// validate signature of a JWT. This field specifies where to fetch JWKS.
//
// Types that are valid to be assigned to JwksSourceSpecifier:
//
// *JwtProvider_RemoteJwks
// *JwtProvider_LocalJwks
JwksSourceSpecifier isJwtProvider_JwksSourceSpecifier `protobuf_oneof:"jwks_source_specifier"`
// If false, the JWT is removed from the request after a successful verification. If true, the
// JWT is not removed from the request. Default value is false.
//
// NOTE(review): with forward set to true the upstream receives the original
// token and can log or reuse it; keep the default unless the backend needs
// the raw JWT.
Forward bool `protobuf:"varint,5,opt,name=forward,proto3" json:"forward,omitempty"`
// Two fields below define where to extract the JWT from an HTTP request.
//
// If no explicit location is specified, the following default locations are tried in order:
//
// 1. The Authorization header using the `Bearer schema
// <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
//
//     Authorization: Bearer <token>.
//
// 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
//
// Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
// its provider specified or from the default locations.
//
// Specify the HTTP headers to extract the JWT. For example, the following config:
//
// .. code-block:: yaml
//
//     from_headers:
//     - name: x-goog-iap-jwt-assertion
//
// can be used to extract token from header::
//
//     x-goog-iap-jwt-assertion: <JWT>
FromHeaders []*JwtHeader `protobuf:"bytes,6,rep,name=from_headers,json=fromHeaders,proto3" json:"from_headers,omitempty"`
// JWT is sent in a query parameter. `from_params` represents the query parameter names.
//
// NOTE(review): a token carried in the query string is recorded wherever
// URLs are — access logs, intermediate proxies, browser history, Referer
// headers. Prefer a header location where clients allow it.
//
// For example, if config is:
//
// .. code-block:: yaml
//
//     from_params:
//     - jwt_token
//
// The JWT format in query parameter is::
//
//     /path?jwt_token=<JWT>
FromParams []string `protobuf:"bytes,7,rep,name=from_params,json=fromParams,proto3" json:"from_params,omitempty"`
// This field specifies the header name to forward a successfully verified JWT payload to the
// backend. The forwarded data is::
//
//     base64url_encoded(jwt_payload_in_JSON)
//
// If it is not specified, the payload will not be forwarded.
//
// NOTE(review): the forwarded value is only base64url-encoded, not signed,
// so the backend cannot check it on its own. It is trustworthy only if
// clients cannot reach the backend directly and a client-sent header of the
// same name is dropped or overwritten — confirm how the filter handles that.
ForwardPayloadHeader string `protobuf:"bytes,8,opt,name=forward_payload_header,json=forwardPayloadHeader,proto3" json:"forward_payload_header,omitempty"`
// If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
// in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
// The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
// and the value is the *protobuf::Struct* converted from JWT JSON payload.
//
// For example, if payload_in_metadata is *my_payload*:
//
// .. code-block:: yaml
//
//     envoy.filters.http.jwt_authn:
//       my_payload:
//         iss: https://example.com
//         sub: test@example.com
//         aud: https://example.com
//         exp: 1501281058
PayloadInMetadata string `protobuf:"bytes,9,opt,name=payload_in_metadata,json=payloadInMetadata,proto3" json:"payload_in_metadata,omitempty"`
// contains filtered or unexported fields
}
Please see the following for the JWT authentication flow:
* `JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>`_
* `The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>`_
* `OpenID Connect <http://openid.net/connect>`_
A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:
* issuer: the principal that issues the JWT. It has to match the one from the token.
* allowed audiences: the ones in the token have to be listed here.
* how to fetch the public key JWKS to verify the token signature.
* how to extract the JWT from the request.
* how to pass on a successfully verified token payload.
Example:
.. code-block:: yaml

    issuer: https://example.com
    audiences:
    - bookstore_android.apps.googleusercontent.com
    - bookstore_web.apps.googleusercontent.com
    remote_jwks:
      http_uri:
        uri: https://example.com/.well-known/jwks.json
        cluster: example_jwks_cluster
      cache_duration:
        seconds: 300
[#next-free-field: 10]
func (*JwtProvider) ClearJwksSourceSpecifier ¶
func (x *JwtProvider) ClearJwksSourceSpecifier()
func (*JwtProvider) ClearLocalJwks ¶
func (x *JwtProvider) ClearLocalJwks()
func (*JwtProvider) ClearRemoteJwks ¶
func (x *JwtProvider) ClearRemoteJwks()
func (*JwtProvider) GetAudiences ¶
func (x *JwtProvider) GetAudiences() []string
func (*JwtProvider) GetForward ¶
func (x *JwtProvider) GetForward() bool
func (*JwtProvider) GetForwardPayloadHeader ¶
func (x *JwtProvider) GetForwardPayloadHeader() string
func (*JwtProvider) GetFromHeaders ¶
func (x *JwtProvider) GetFromHeaders() []*JwtHeader
func (*JwtProvider) GetFromParams ¶
func (x *JwtProvider) GetFromParams() []string
func (*JwtProvider) GetIssuer ¶
func (x *JwtProvider) GetIssuer() string
func (*JwtProvider) GetJwksSourceSpecifier ¶
func (x *JwtProvider) GetJwksSourceSpecifier() isJwtProvider_JwksSourceSpecifier
func (*JwtProvider) GetLocalJwks ¶
func (x *JwtProvider) GetLocalJwks() *core.DataSource
func (*JwtProvider) GetPayloadInMetadata ¶
func (x *JwtProvider) GetPayloadInMetadata() string
func (*JwtProvider) GetRemoteJwks ¶
func (x *JwtProvider) GetRemoteJwks() *RemoteJwks
func (*JwtProvider) HasJwksSourceSpecifier ¶
func (x *JwtProvider) HasJwksSourceSpecifier() bool
func (*JwtProvider) HasLocalJwks ¶
func (x *JwtProvider) HasLocalJwks() bool
func (*JwtProvider) HasRemoteJwks ¶
func (x *JwtProvider) HasRemoteJwks() bool
func (*JwtProvider) ProtoMessage ¶
func (*JwtProvider) ProtoMessage()
func (*JwtProvider) ProtoReflect ¶
func (x *JwtProvider) ProtoReflect() protoreflect.Message
func (*JwtProvider) Reset ¶
func (x *JwtProvider) Reset()
func (*JwtProvider) SetAudiences ¶
func (x *JwtProvider) SetAudiences(v []string)
func (*JwtProvider) SetForward ¶
func (x *JwtProvider) SetForward(v bool)
func (*JwtProvider) SetForwardPayloadHeader ¶
func (x *JwtProvider) SetForwardPayloadHeader(v string)
func (*JwtProvider) SetFromHeaders ¶
func (x *JwtProvider) SetFromHeaders(v []*JwtHeader)
func (*JwtProvider) SetFromParams ¶
func (x *JwtProvider) SetFromParams(v []string)
func (*JwtProvider) SetIssuer ¶
func (x *JwtProvider) SetIssuer(v string)
func (*JwtProvider) SetLocalJwks ¶
func (x *JwtProvider) SetLocalJwks(v *core.DataSource)
func (*JwtProvider) SetPayloadInMetadata ¶
func (x *JwtProvider) SetPayloadInMetadata(v string)
func (*JwtProvider) SetRemoteJwks ¶
func (x *JwtProvider) SetRemoteJwks(v *RemoteJwks)
func (*JwtProvider) String ¶
func (x *JwtProvider) String() string
func (*JwtProvider) WhichJwksSourceSpecifier ¶
func (x *JwtProvider) WhichJwksSourceSpecifier() case_JwtProvider_JwksSourceSpecifier
type JwtProvider_LocalJwks ¶
// JwtProvider_LocalJwks is the JwksSourceSpecifier alternative that takes the
// key set from a local data source.
//
// NOTE(review): whoever can change the file or the inline string decides
// which signatures are accepted, so restrict write access to it. If the set
// holds symmetric keys it is also a secret and needs read protection.
type JwtProvider_LocalJwks struct {
// JWKS is in local data source. It could be either in a local file or embedded in the
// inline_string.
//
// Example: local file
//
// .. code-block:: yaml
//
//     local_jwks:
//       filename: /etc/envoy/jwks/jwks1.txt
//
// Example: inline_string
//
// .. code-block:: yaml
//
//     local_jwks:
//       inline_string: ACADADADADA
LocalJwks *core.DataSource `protobuf:"bytes,4,opt,name=local_jwks,json=localJwks,proto3,oneof"`
}
type JwtProvider_RemoteJwks ¶
// JwtProvider_RemoteJwks is the JwksSourceSpecifier alternative that fetches
// the key set from a remote server.
//
// NOTE(review): the fetched key set decides which signatures are accepted.
// Plain HTTP is allowed as well as HTTPS; over plain HTTP the response can be
// replaced in transit, so use an https URI and confirm that the named cluster
// validates the server's certificate. Presumably a key the issuer has
// withdrawn stays accepted until the cached set expires — keep cache_duration
// short enough for key rotation.
type JwtProvider_RemoteJwks struct {
// JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
// URI and how the fetched JWKS should be cached.
//
// Example:
//
// .. code-block:: yaml
//
//     remote_jwks:
//       http_uri:
//         uri: https://www.googleapis.com/oauth2/v1/certs
//         cluster: jwt.www.googleapis.com|443
//       cache_duration:
//         seconds: 300
RemoteJwks *RemoteJwks `protobuf:"bytes,3,opt,name=remote_jwks,json=remoteJwks,proto3,oneof"`
}
type JwtProvider_builder ¶
// JwtProvider_builder lists the fields of JwtProvider as plain struct
// members, with the JwksSourceSpecifier oneof flattened into RemoteJwks and
// LocalJwks; Build returns the *JwtProvider.
//
// NOTE(review): RemoteJwks and LocalJwks belong to one oneof, so presumably
// only one of them may be set — confirm what Build does when both are.
type JwtProvider_builder struct {
// Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
// the JWT, usually a URL or an email address.
//
// Example: https://securetoken.google.com
// Example: 1234567-compute@developer.gserviceaccount.com
Issuer string
// The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ that are
// allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
// audiences in the token will not be checked.
//
// NOTE(review): with this list empty the audience claim is not checked, so a
// token the same issuer minted for a different service is accepted here too.
// List the expected audiences unless that is intended.
//
// Example:
//
// .. code-block:: yaml
//
//     audiences:
//     - bookstore_android.apps.googleusercontent.com
//     - bookstore_web.apps.googleusercontent.com
Audiences []string
// Fields of oneof JwksSourceSpecifier:
// JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
// URI and how the fetched JWKS should be cached.
//
// NOTE(review): over plain HTTP the fetched key set can be replaced in
// transit; use an https URI and confirm that the named cluster validates the
// server's certificate.
//
// Example:
//
// .. code-block:: yaml
//
//     remote_jwks:
//       http_uri:
//         uri: https://www.googleapis.com/oauth2/v1/certs
//         cluster: jwt.www.googleapis.com|443
//       cache_duration:
//         seconds: 300
RemoteJwks *RemoteJwks
// JWKS is in local data source. It could be either in a local file or embedded in the
// inline_string.
//
// NOTE(review): whoever can change the file or the inline string decides
// which signatures are accepted, so restrict write access to it.
//
// Example: local file
//
// .. code-block:: yaml
//
//     local_jwks:
//       filename: /etc/envoy/jwks/jwks1.txt
//
// Example: inline_string
//
// .. code-block:: yaml
//
//     local_jwks:
//       inline_string: ACADADADADA
LocalJwks *core.DataSource
// -- end of JwksSourceSpecifier
// If false, the JWT is removed from the request after a successful verification. If true, the
// JWT is not removed from the request. Default value is false.
//
// NOTE(review): with forward set to true the upstream receives the original
// token and can log or reuse it; keep the default unless the backend needs
// the raw JWT.
Forward bool
// Two fields below define where to extract the JWT from an HTTP request.
//
// If no explicit location is specified, the following default locations are tried in order:
//
// 1. The Authorization header using the `Bearer schema
// <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
//
//     Authorization: Bearer <token>.
//
// 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
//
// Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
// its provider specified or from the default locations.
//
// Specify the HTTP headers to extract the JWT. For example, the following config:
//
// .. code-block:: yaml
//
//     from_headers:
//     - name: x-goog-iap-jwt-assertion
//
// can be used to extract token from header::
//
//     x-goog-iap-jwt-assertion: <JWT>
FromHeaders []*JwtHeader
// JWT is sent in a query parameter. `from_params` represents the query parameter names.
//
// NOTE(review): a token carried in the query string is recorded wherever
// URLs are — access logs, intermediate proxies, browser history, Referer
// headers. Prefer a header location where clients allow it.
//
// For example, if config is:
//
// .. code-block:: yaml
//
//     from_params:
//     - jwt_token
//
// The JWT format in query parameter is::
//
//     /path?jwt_token=<JWT>
FromParams []string
// This field specifies the header name to forward a successfully verified JWT payload to the
// backend. The forwarded data is::
//
//     base64url_encoded(jwt_payload_in_JSON)
//
// If it is not specified, the payload will not be forwarded.
//
// NOTE(review): the forwarded value is only base64url-encoded, not signed,
// so the backend cannot check it on its own. It is trustworthy only if
// clients cannot reach the backend directly and a client-sent header of the
// same name is dropped or overwritten — confirm how the filter handles that.
ForwardPayloadHeader string
// If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
// in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
// The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
// and the value is the *protobuf::Struct* converted from JWT JSON payload.
//
// For example, if payload_in_metadata is *my_payload*:
//
// .. code-block:: yaml
//
//     envoy.filters.http.jwt_authn:
//       my_payload:
//         iss: https://example.com
//         sub: test@example.com
//         aud: https://example.com
//         exp: 1501281058
PayloadInMetadata string
// contains filtered or unexported fields
}
func (JwtProvider_builder) Build ¶
func (b0 JwtProvider_builder) Build() *JwtProvider
type JwtRequirement ¶
// JwtRequirement is one node of a requirement expression. Which form it takes
// is held in the RequiresType oneof; leaving the message empty means JWT
// verification is not required.
//
// NOTE(review): AllowMissing and AllowMissingOrFailed both let requests
// through without a valid token. The examples on this page describe
// allow_missing as "a provided token must be valid, but a missing token is
// allowed"; allow_missing_or_failed is not described here and, going by its
// name, also admits tokens that fail verification — confirm, and make sure
// something downstream enforces authorization when either is used.
type JwtRequirement struct {
// Types that are valid to be assigned to RequiresType:
//
// *JwtRequirement_ProviderName
// *JwtRequirement_ProviderAndAudiences
// *JwtRequirement_RequiresAny
// *JwtRequirement_RequiresAll
// *JwtRequirement_AllowMissingOrFailed
// *JwtRequirement_AllowMissing
RequiresType isJwtRequirement_RequiresType `protobuf_oneof:"requires_type"`
// contains filtered or unexported fields
}
This message specifies a Jwt requirement. An empty message means JWT verification is not required. Here are some config examples:
.. code-block:: yaml

    # Example 1: not required with an empty message

    # Example 2: require A
    provider_name: provider-A

    # Example 3: require A or B
    requires_any:
      requirements:
        - provider_name: provider-A
        - provider_name: provider-B

    # Example 4: require A and B
    requires_all:
      requirements:
        - provider_name: provider-A
        - provider_name: provider-B

    # Example 5: require A and (B or C)
    requires_all:
      requirements:
        - provider_name: provider-A
        - requires_any:
            requirements:
              - provider_name: provider-B
              - provider_name: provider-C

    # Example 6: require A or (B and C)
    requires_any:
      requirements:
        - provider_name: provider-A
        - requires_all:
            requirements:
              - provider_name: provider-B
              - provider_name: provider-C

    # Example 7: A is optional (if a token from A is provided, it must be valid, but a
    # missing token is also allowed.)
    requires_any:
      requirements:
        - provider_name: provider-A
        - allow_missing: {}

    # Example 8: A is optional and B is required.
    requires_all:
      requirements:
        - requires_any:
            requirements:
              - provider_name: provider-A
              - allow_missing: {}
        - provider_name: provider-B
[#next-free-field: 7]
func (*JwtRequirement) ClearAllowMissing ¶
func (x *JwtRequirement) ClearAllowMissing()
func (*JwtRequirement) ClearAllowMissingOrFailed ¶
func (x *JwtRequirement) ClearAllowMissingOrFailed()
func (*JwtRequirement) ClearProviderAndAudiences ¶
func (x *JwtRequirement) ClearProviderAndAudiences()
func (*JwtRequirement) ClearProviderName ¶
func (x *JwtRequirement) ClearProviderName()
func (*JwtRequirement) ClearRequiresAll ¶
func (x *JwtRequirement) ClearRequiresAll()
func (*JwtRequirement) ClearRequiresAny ¶
func (x *JwtRequirement) ClearRequiresAny()
func (*JwtRequirement) ClearRequiresType ¶
func (x *JwtRequirement) ClearRequiresType()
func (*JwtRequirement) GetAllowMissing ¶
func (x *JwtRequirement) GetAllowMissing() *emptypb.Empty
func (*JwtRequirement) GetAllowMissingOrFailed ¶
func (x *JwtRequirement) GetAllowMissingOrFailed() *emptypb.Empty
func (*JwtRequirement) GetProviderAndAudiences ¶
func (x *JwtRequirement) GetProviderAndAudiences() *ProviderWithAudiences
func (*JwtRequirement) GetProviderName ¶
func (x *JwtRequirement) GetProviderName() string
func (*JwtRequirement) GetRequiresAll ¶
func (x *JwtRequirement) GetRequiresAll() *JwtRequirementAndList
func (*JwtRequirement) GetRequiresAny ¶
func (x *JwtRequirement) GetRequiresAny() *JwtRequirementOrList
func (*JwtRequirement) GetRequiresType ¶
func (x *JwtRequirement) GetRequiresType() isJwtRequirement_RequiresType
func (*JwtRequirement) HasAllowMissing ¶
func (x *JwtRequirement) HasAllowMissing() bool
func (*JwtRequirement) HasAllowMissingOrFailed ¶
func (x *JwtRequirement) HasAllowMissingOrFailed() bool
func (*JwtRequirement) HasProviderAndAudiences ¶
func (x *JwtRequirement) HasProviderAndAudiences() bool
func (*JwtRequirement) HasProviderName ¶
func (x *JwtRequirement) HasProviderName() bool
func (*JwtRequirement) HasRequiresAll ¶
func (x *JwtRequirement) HasRequiresAll() bool
func (*JwtRequirement) HasRequiresAny ¶
func (x *JwtRequirement) HasRequiresAny() bool
func (*JwtRequirement) HasRequiresType ¶
func (x *JwtRequirement) HasRequiresType() bool
func (*JwtRequirement) ProtoMessage ¶
func (*JwtRequirement) ProtoMessage()
func (*JwtRequirement) ProtoReflect ¶
func (x *JwtRequirement) ProtoReflect() protoreflect.Message
func (*JwtRequirement) Reset ¶
func (x *JwtRequirement) Reset()
func (*JwtRequirement) SetAllowMissing ¶
func (x *JwtRequirement) SetAllowMissing(v *emptypb.Empty)
func (*JwtRequirement) SetAllowMissingOrFailed ¶
func (x *JwtRequirement) SetAllowMissingOrFailed(v *emptypb.Empty)
func (*JwtRequirement) SetProviderAndAudiences ¶
func (x *JwtRequirement) SetProviderAndAudiences(v *ProviderWithAudiences)
func (*JwtRequirement) SetProviderName ¶
func (x *JwtRequirement) SetProviderName(v string)
func (*JwtRequirement) SetRequiresAll ¶
func (x *JwtRequirement) SetRequiresAll(v *JwtRequirementAndList)
func (*JwtRequirement) SetRequiresAny ¶
func (x *JwtRequirement) SetRequiresAny(v *JwtRequirementOrList)
func (*JwtRequirement) String ¶
func (x *JwtRequirement) String() string
func (*JwtRequirement) WhichRequiresType ¶
func (x *JwtRequirement) WhichRequiresType() case_JwtRequirement_RequiresType
type JwtRequirementAndList ¶
type JwtRequirementAndList struct {
// The list of JwtRequirement entries whose results are AND-ed together.
// NOTE(review): how an empty list is evaluated is not stated here; confirm
// before relying on it.
Requirements []*JwtRequirement `protobuf:"bytes,1,rep,name=requirements,proto3" json:"requirements,omitempty"`
// contains filtered or unexported fields
}
This message specifies a list of RequiredProvider. Their results are AND-ed: all of them must pass; if any one of them fails or is missing, the result fails.
func (*JwtRequirementAndList) GetRequirements ¶
func (x *JwtRequirementAndList) GetRequirements() []*JwtRequirement
func (*JwtRequirementAndList) ProtoMessage ¶
func (*JwtRequirementAndList) ProtoMessage()
func (*JwtRequirementAndList) ProtoReflect ¶
func (x *JwtRequirementAndList) ProtoReflect() protoreflect.Message
func (*JwtRequirementAndList) Reset ¶
func (x *JwtRequirementAndList) Reset()
func (*JwtRequirementAndList) SetRequirements ¶
func (x *JwtRequirementAndList) SetRequirements(v []*JwtRequirement)
func (*JwtRequirementAndList) String ¶
func (x *JwtRequirementAndList) String() string
type JwtRequirementAndList_builder ¶
type JwtRequirementAndList_builder struct {
// The list of JwtRequirement entries for the JwtRequirementAndList that
// Build returns.
Requirements []*JwtRequirement
// contains filtered or unexported fields
}
func (JwtRequirementAndList_builder) Build ¶
func (b0 JwtRequirementAndList_builder) Build() *JwtRequirementAndList
type JwtRequirementOrList ¶
type JwtRequirementOrList struct {
// The list of JwtRequirement entries whose results are OR-ed together.
// NOTE(review): one permissive entry (for example allow_missing or
// allow_missing_or_failed) is enough to satisfy the whole list, so check each
// entry when auditing a policy.
Requirements []*JwtRequirement `protobuf:"bytes,1,rep,name=requirements,proto3" json:"requirements,omitempty"`
// contains filtered or unexported fields
}
This message specifies a list of RequiredProvider. Their results are OR-ed: if any one of them passes, the result passes.
func (*JwtRequirementOrList) GetRequirements ¶
func (x *JwtRequirementOrList) GetRequirements() []*JwtRequirement
func (*JwtRequirementOrList) ProtoMessage ¶
func (*JwtRequirementOrList) ProtoMessage()
func (*JwtRequirementOrList) ProtoReflect ¶
func (x *JwtRequirementOrList) ProtoReflect() protoreflect.Message
func (*JwtRequirementOrList) Reset ¶
func (x *JwtRequirementOrList) Reset()
func (*JwtRequirementOrList) SetRequirements ¶
func (x *JwtRequirementOrList) SetRequirements(v []*JwtRequirement)
func (*JwtRequirementOrList) String ¶
func (x *JwtRequirementOrList) String() string
type JwtRequirementOrList_builder ¶
type JwtRequirementOrList_builder struct {
// The list of JwtRequirement entries for the JwtRequirementOrList that
// Build returns.
Requirements []*JwtRequirement
// contains filtered or unexported fields
}
func (JwtRequirementOrList_builder) Build ¶
func (b0 JwtRequirementOrList_builder) Build() *JwtRequirementOrList
type JwtRequirement_AllowMissing ¶
type JwtRequirement_AllowMissing struct {
// The requirement is satisfied if the JWT is missing, but fails if a JWT is
// presented and is invalid. Similar to allow_missing_or_failed, this is used
// to only verify JWTs and pass the verified payload to another filter. The
// difference is that this mode rejects requests with invalid tokens.
//
// NOTE(review): a request that carries no token at all still satisfies this
// requirement, so whatever consumes the payload afterwards has to handle the
// unauthenticated case itself.
AllowMissing *emptypb.Empty `protobuf:"bytes,6,opt,name=allow_missing,json=allowMissing,proto3,oneof"`
}
type JwtRequirement_AllowMissingOrFailed ¶
type JwtRequirement_AllowMissingOrFailed struct {
// The requirement is always satisfied, even if the JWT is missing or the JWT
// verification fails. A typical usage: this filter only verifies JWTs and
// passes the verified JWT payloads to another filter, and that other filter
// makes the decision. In this mode, all JWTs will be verified.
//
// NOTE(review): this requirement never causes a request to be rejected, so
// access control rests entirely on the later filter checking that a verified
// payload is present. Confirm such a filter exists on every route that uses
// this mode.
AllowMissingOrFailed *emptypb.Empty `protobuf:"bytes,5,opt,name=allow_missing_or_failed,json=allowMissingOrFailed,proto3,oneof"`
}
type JwtRequirement_ProviderAndAudiences ¶
type JwtRequirement_ProviderAndAudiences struct {
// A required provider together with the audiences to use for this
// requirement (see ProviderWithAudiences).
ProviderAndAudiences *ProviderWithAudiences `protobuf:"bytes,2,opt,name=provider_and_audiences,json=providerAndAudiences,proto3,oneof"`
}
type JwtRequirement_ProviderName ¶
type JwtRequirement_ProviderName struct {
// The name of the required provider.
// NOTE(review): presumably this must match a key of the providers map in
// JwtAuthentication; confirm against the filter's validation.
ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3,oneof"`
}
type JwtRequirement_RequiresAll ¶
type JwtRequirement_RequiresAll struct {
// A list of JwtRequirement entries whose results are AND-ed.
// All of them must pass; if any one of them fails or is missing, the result fails.
RequiresAll *JwtRequirementAndList `protobuf:"bytes,4,opt,name=requires_all,json=requiresAll,proto3,oneof"`
}
type JwtRequirement_RequiresAny ¶
type JwtRequirement_RequiresAny struct {
// A list of JwtRequirement entries whose results are OR-ed.
// If any one of them passes, the result passes.
RequiresAny *JwtRequirementOrList `protobuf:"bytes,3,opt,name=requires_any,json=requiresAny,proto3,oneof"`
}
type JwtRequirement_builder ¶
type JwtRequirement_builder struct {
// Fields of oneof RequiresType:
// NOTE(review): these fields belong to one oneof; how Build resolves the case
// where several are set is not shown here, so set only one.

// The name of the required provider.
ProviderName *string
// A required provider together with the audiences to use for this requirement.
ProviderAndAudiences *ProviderWithAudiences
// A list of JwtRequirement entries whose results are OR-ed.
// If any one of them passes, the result passes.
RequiresAny *JwtRequirementOrList
// A list of JwtRequirement entries whose results are AND-ed.
// All of them must pass; if any one of them fails or is missing, the result fails.
RequiresAll *JwtRequirementAndList
// The requirement is always satisfied, even if the JWT is missing or the JWT
// verification fails. A typical usage: this filter only verifies JWTs and
// passes the verified JWT payloads to another filter, and that other filter
// makes the decision. In this mode, all JWTs will be verified.
// NOTE(review): this mode never rejects a request by itself; enforcement has
// to happen in the later filter.
AllowMissingOrFailed *emptypb.Empty
// The requirement is satisfied if the JWT is missing, but fails if a JWT is
// presented and is invalid. Similar to allow_missing_or_failed, this is used
// to only verify JWTs and pass the verified payload to another filter. The
// difference is that this mode rejects requests with invalid tokens.
AllowMissing *emptypb.Empty
// contains filtered or unexported fields
}
func (JwtRequirement_builder) Build ¶
func (b0 JwtRequirement_builder) Build() *JwtRequirement
type ProviderWithAudiences ¶
type ProviderWithAudiences struct {
// The name of the required provider.
ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3" json:"provider_name,omitempty"`
// The audiences for this requirement. This field overrides the audiences
// specified in the JwtProvider.
// NOTE(review): "overrides" suggests the provider-level list is replaced, not
// merged, and the effect of an empty list is not stated here. Confirm both
// before narrowing or widening audiences per route.
Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
// contains filtered or unexported fields
}
Specify a required provider with audiences.
func (*ProviderWithAudiences) GetAudiences ¶
func (x *ProviderWithAudiences) GetAudiences() []string
func (*ProviderWithAudiences) GetProviderName ¶
func (x *ProviderWithAudiences) GetProviderName() string
func (*ProviderWithAudiences) ProtoMessage ¶
func (*ProviderWithAudiences) ProtoMessage()
func (*ProviderWithAudiences) ProtoReflect ¶
func (x *ProviderWithAudiences) ProtoReflect() protoreflect.Message
func (*ProviderWithAudiences) Reset ¶
func (x *ProviderWithAudiences) Reset()
func (*ProviderWithAudiences) SetAudiences ¶
func (x *ProviderWithAudiences) SetAudiences(v []string)
func (*ProviderWithAudiences) SetProviderName ¶
func (x *ProviderWithAudiences) SetProviderName(v string)
func (*ProviderWithAudiences) String ¶
func (x *ProviderWithAudiences) String() string
type ProviderWithAudiences_builder ¶
type ProviderWithAudiences_builder struct {
// The name of the required provider.
ProviderName string
// The audiences for this requirement. This field overrides the audiences
// specified in the JwtProvider.
Audiences []string
// contains filtered or unexported fields
}
func (ProviderWithAudiences_builder) Build ¶
func (b0 ProviderWithAudiences_builder) Build() *ProviderWithAudiences
type RemoteJwks ¶
type RemoteJwks struct {
// The HTTP URI to fetch the JWKS. For example:
//
// .. code-block:: yaml
//
//   http_uri:
//     uri: https://www.googleapis.com/oauth2/v1/certs
//     cluster: jwt.www.googleapis.com|443
//
// NOTE(review): the fetched key set decides which token signatures are
// accepted, so the referenced cluster should fetch it over TLS with server
// certificate validation. Confirm this in the cluster configuration.
HttpUri *core.HttpUri `protobuf:"bytes,1,opt,name=http_uri,json=httpUri,proto3" json:"http_uri,omitempty"`
// Duration after which the cached JWKS expires. If not specified, the default
// cache duration is 5 minutes.
// NOTE(review): presumably a rotated or withdrawn signing key stays trusted
// until the cached copy expires; weigh that when raising this value.
CacheDuration *durationpb.Duration `protobuf:"bytes,2,opt,name=cache_duration,json=cacheDuration,proto3" json:"cache_duration,omitempty"`
// contains filtered or unexported fields
}
This message specifies how to fetch JWKS from remote and how to cache it.
func (*RemoteJwks) ClearCacheDuration ¶
func (x *RemoteJwks) ClearCacheDuration()
func (*RemoteJwks) ClearHttpUri ¶
func (x *RemoteJwks) ClearHttpUri()
func (*RemoteJwks) GetCacheDuration ¶
func (x *RemoteJwks) GetCacheDuration() *durationpb.Duration
func (*RemoteJwks) GetHttpUri ¶
func (x *RemoteJwks) GetHttpUri() *core.HttpUri
func (*RemoteJwks) HasCacheDuration ¶
func (x *RemoteJwks) HasCacheDuration() bool
func (*RemoteJwks) HasHttpUri ¶
func (x *RemoteJwks) HasHttpUri() bool
func (*RemoteJwks) ProtoMessage ¶
func (*RemoteJwks) ProtoMessage()
func (*RemoteJwks) ProtoReflect ¶
func (x *RemoteJwks) ProtoReflect() protoreflect.Message
func (*RemoteJwks) Reset ¶
func (x *RemoteJwks) Reset()
func (*RemoteJwks) SetCacheDuration ¶
func (x *RemoteJwks) SetCacheDuration(v *durationpb.Duration)
func (*RemoteJwks) SetHttpUri ¶
func (x *RemoteJwks) SetHttpUri(v *core.HttpUri)
func (*RemoteJwks) String ¶
func (x *RemoteJwks) String() string
type RemoteJwks_builder ¶
type RemoteJwks_builder struct {
// The HTTP URI to fetch the JWKS. For example:
//
// .. code-block:: yaml
//
//   http_uri:
//     uri: https://www.googleapis.com/oauth2/v1/certs
//     cluster: jwt.www.googleapis.com|443
HttpUri *core.HttpUri
// Duration after which the cached JWKS expires. If not specified, the default
// cache duration is 5 minutes.
CacheDuration *durationpb.Duration
// contains filtered or unexported fields
}
func (RemoteJwks_builder) Build ¶
func (b0 RemoteJwks_builder) Build() *RemoteJwks
type RequirementRule ¶
type RequirementRule struct {
// The route matching parameter. The "requires" field applies only when the
// match is satisfied.
//
// For example, the following match will match all requests.
//
// .. code-block:: yaml
//
//   match:
//     prefix: /
//
// NOTE(review): a prefix match presumably covers every path that starts with
// the given string, not just that exact path. Confirm each match is as narrow
// as intended.
Match *route.RouteMatch `protobuf:"bytes,1,opt,name=match,proto3" json:"match,omitempty"`
// The JWT requirement for requests that satisfy Match. See the detailed
// comment on message JwtRequirement.
// Per the type documentation, an empty "requires" means matching requests do
// not require JWT authentication, so rules without it should be deliberate.
Requires *JwtRequirement `protobuf:"bytes,2,opt,name=requires,proto3" json:"requires,omitempty"`
// contains filtered or unexported fields
}
This message specifies a Jwt requirement for a specific Route condition. Example 1:
.. code-block:: yaml

  - match:
      prefix: /healthz

In the above example, the "requires" field is empty for the /healthz prefix match, which means that requests matching the path prefix don't require JWT authentication.
Example 2:
.. code-block:: yaml

  - match:
      prefix: /
    requires: { provider_name: provider-A }

In the above example, all requests matching the path prefix require JWT authentication from "provider-A".
func (*RequirementRule) ClearMatch ¶
func (x *RequirementRule) ClearMatch()
func (*RequirementRule) ClearRequires ¶
func (x *RequirementRule) ClearRequires()
func (*RequirementRule) GetMatch ¶
func (x *RequirementRule) GetMatch() *route.RouteMatch
func (*RequirementRule) GetRequires ¶
func (x *RequirementRule) GetRequires() *JwtRequirement
func (*RequirementRule) HasMatch ¶
func (x *RequirementRule) HasMatch() bool
func (*RequirementRule) HasRequires ¶
func (x *RequirementRule) HasRequires() bool
func (*RequirementRule) ProtoMessage ¶
func (*RequirementRule) ProtoMessage()
func (*RequirementRule) ProtoReflect ¶
func (x *RequirementRule) ProtoReflect() protoreflect.Message
func (*RequirementRule) Reset ¶
func (x *RequirementRule) Reset()
func (*RequirementRule) SetMatch ¶
func (x *RequirementRule) SetMatch(v *route.RouteMatch)
func (*RequirementRule) SetRequires ¶
func (x *RequirementRule) SetRequires(v *JwtRequirement)
func (*RequirementRule) String ¶
func (x *RequirementRule) String() string
type RequirementRule_builder ¶
type RequirementRule_builder struct {
// The route matching parameter. The "requires" field applies only when the
// match is satisfied.
//
// For example, the following match will match all requests.
//
// .. code-block:: yaml
//
//   match:
//     prefix: /
Match *route.RouteMatch
// The JWT requirement for requests that satisfy Match. See the detailed
// comment on message JwtRequirement.
// NOTE(review): leaving this nil presumably yields a rule with an empty
// "requires", which the RequirementRule documentation describes as not
// requiring JWT authentication. Confirm this is intended.
Requires *JwtRequirement
// contains filtered or unexported fields
}
func (RequirementRule_builder) Build ¶
func (b0 RequirementRule_builder) Build() *RequirementRule
Source Files
¶
- config.pb.go