jwt_authnv2alpha

package
v1.33.0-20240422202039... Latest Latest
Warning

This package is not in the latest version of its module.

Published: unknown License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// File_envoy_config_filter_http_jwt_authn_v2alpha_config_proto is a package-level
// protoreflect.FileDescriptor. Presumably it describes the .proto file these
// message types were generated from (inferred from the name; not shown on this page).
var File_envoy_config_filter_http_jwt_authn_v2alpha_config_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type FilterStateRule

// FilterStateRule selects a JwtRequirement from a string value that another
// HTTP filter stored in stream_info.filterState.
type FilterStateRule struct {

	// The filter state name to retrieve the `Router::StringAccessor` object.
	//
	// Security note: whichever filter writes this filter state entry decides
	// which requirement is applied to the request, so that filter should not
	// take the value from unauthenticated request data without validating it.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// A map of string keys to requirements. The string key is the string value
	// in the FilterState with the name specified in the *name* field above.
	//
	// An entry whose JwtRequirement is empty means JWT verification is not
	// required for requests that select it.
	//
	// NOTE(review): this page does not say what happens when the filter state
	// value matches no key in this map; confirm that such a request is not
	// passed through unverified.
	Requires map[string]*JwtRequirement `` /* 157-byte string literal not displayed */
	// contains filtered or unexported fields
}

This message specifies Jwt requirements based on stream_info.filterState. This FilterState should use `Router::StringAccessor` object to set a string value. Other HTTP filters can use it to specify Jwt requirements dynamically.

Example:

.. code-block:: yaml

name: jwt_selector
requires:
  issuer_1:
    provider_name: issuer1
  issuer_2:
    provider_name: issuer2

If a filter sets "jwt_selector" to "issuer_1" in FilterState for a request, the jwt_authn filter will use JwtRequirement{"provider_name": "issuer1"} to verify it.

func (*FilterStateRule) Descriptor deprecated

func (*FilterStateRule) Descriptor() ([]byte, []int)

Deprecated: Use FilterStateRule.ProtoReflect.Descriptor instead.

func (*FilterStateRule) GetName

func (x *FilterStateRule) GetName() string

func (*FilterStateRule) GetRequires

func (x *FilterStateRule) GetRequires() map[string]*JwtRequirement

func (*FilterStateRule) ProtoMessage

func (*FilterStateRule) ProtoMessage()

func (*FilterStateRule) ProtoReflect

func (x *FilterStateRule) ProtoReflect() protoreflect.Message

func (*FilterStateRule) Reset

func (x *FilterStateRule) Reset()

func (*FilterStateRule) String

func (x *FilterStateRule) String() string

type JwtAuthentication

// JwtAuthentication is the Envoy HTTP filter config for JWT authentication.
type JwtAuthentication struct {

	// Map of provider names to JwtProviders.
	//
	// .. code-block:: yaml
	//
	//	providers:
	//	  provider1:
	//	     issuer: issuer1
	//	     audiences:
	//	     - audience1
	//	     - audience2
	//	     remote_jwks:
	//	       http_uri:
	//	         uri: https://example.com/.well-known/jwks.json
	//	         cluster: example_jwks_cluster
	//	   provider2:
	//	     issuer: provider2
	//	     local_jwks:
	//	       inline_string: jwks_string
	Providers map[string]*JwtProvider `` /* 159-byte string literal not displayed */
	// Specifies requirements based on the route matches. The first matched requirement will be
	// applied. If there are overlapped match conditions, please put the most specific match first.
	//
	// Security note: a rule with no "requires" field (the /healthz entry below) means that no JWT
	// verification is done for any request the rule matches. Because the first match wins, such a
	// rule placed ahead of a stricter one takes precedence over it, so keep unauthenticated
	// matches as narrow as possible.
	//
	// NOTE(review): this page does not state what happens to a request that matches no rule and
	// no filter_state_rules entry. Confirm the behaviour, or end the list with an explicit
	// catch-all `prefix: /` rule that carries a requirement.
	//
	// # Examples
	//
	// .. code-block:: yaml
	//
	//	rules:
	//	  - match:
	//	      prefix: /healthz
	//	  - match:
	//	      prefix: /baz
	//	    requires:
	//	      provider_name: provider1
	//	  - match:
	//	      prefix: /foo
	//	    requires:
	//	      requires_any:
	//	        requirements:
	//	          - provider_name: provider1
	//	          - provider_name: provider2
	//	  - match:
	//	      prefix: /bar
	//	    requires:
	//	      requires_all:
	//	        requirements:
	//	          - provider_name: provider1
	//	          - provider_name: provider2
	Rules []*RequirementRule `protobuf:"bytes,2,rep,name=rules,proto3" json:"rules,omitempty"`
	// This message specifies Jwt requirements based on stream_info.filterState.
	// Other HTTP filters can use it to specify Jwt requirements dynamically.
	// The *rules* field above is checked first; only if it finds no match is this
	// field checked.
	FilterStateRules *FilterStateRule `protobuf:"bytes,3,opt,name=filter_state_rules,json=filterStateRules,proto3" json:"filter_state_rules,omitempty"`
	// When set to true, bypass the `CORS preflight request
	// <http://www.w3.org/TR/cors/#cross-origin-request-with-preflight>`_ regardless of JWT
	// requirements specified in the rules.
	//
	// NOTE(review): with this set, preflight requests pass without JWT verification; confirm how
	// the filter recognises a request as a CORS preflight.
	BypassCorsPreflight bool `protobuf:"varint,4,opt,name=bypass_cors_preflight,json=bypassCorsPreflight,proto3" json:"bypass_cors_preflight,omitempty"`
	// contains filtered or unexported fields
}

This is the Envoy HTTP filter config for JWT authentication.

For example:

.. code-block:: yaml

providers:
   provider1:
     issuer: issuer1
     audiences:
     - audience1
     - audience2
     remote_jwks:
       http_uri:
         uri: https://example.com/.well-known/jwks.json
         cluster: example_jwks_cluster
   provider2:
     issuer: issuer2
     local_jwks:
       inline_string: jwks_string

rules:
   # No jwt verification is required for /health path
   - match:
       prefix: /health

   # Jwt verification for provider1 is required for path prefixed with "prefix"
   - match:
       prefix: /prefix
     requires:
       provider_name: provider1

   # Jwt verification for either provider1 or provider2 is required for all other requests.
   - match:
       prefix: /
     requires:
       requires_any:
         requirements:
           - provider_name: provider1
           - provider_name: provider2

func (*JwtAuthentication) Descriptor deprecated

func (*JwtAuthentication) Descriptor() ([]byte, []int)

Deprecated: Use JwtAuthentication.ProtoReflect.Descriptor instead.

func (*JwtAuthentication) GetBypassCorsPreflight

func (x *JwtAuthentication) GetBypassCorsPreflight() bool

func (*JwtAuthentication) GetFilterStateRules

func (x *JwtAuthentication) GetFilterStateRules() *FilterStateRule

func (*JwtAuthentication) GetProviders

func (x *JwtAuthentication) GetProviders() map[string]*JwtProvider

func (*JwtAuthentication) GetRules

func (x *JwtAuthentication) GetRules() []*RequirementRule

func (*JwtAuthentication) ProtoMessage

func (*JwtAuthentication) ProtoMessage()

func (*JwtAuthentication) ProtoReflect

func (x *JwtAuthentication) ProtoReflect() protoreflect.Message

func (*JwtAuthentication) Reset

func (x *JwtAuthentication) Reset()

func (*JwtAuthentication) String

func (x *JwtAuthentication) String() string

type JwtHeader

// JwtHeader specifies a header location from which to extract a JWT.
type JwtHeader struct {

	// The HTTP header name.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// The value prefix. The value format is "value_prefix<token>".
	// For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
	// end.
	ValuePrefix string `protobuf:"bytes,2,opt,name=value_prefix,json=valuePrefix,proto3" json:"value_prefix,omitempty"`
	// contains filtered or unexported fields
}

This message specifies a header location to extract JWT token.

func (*JwtHeader) Descriptor deprecated

func (*JwtHeader) Descriptor() ([]byte, []int)

Deprecated: Use JwtHeader.ProtoReflect.Descriptor instead.

func (*JwtHeader) GetName

func (x *JwtHeader) GetName() string

func (*JwtHeader) GetValuePrefix

func (x *JwtHeader) GetValuePrefix() string

func (*JwtHeader) ProtoMessage

func (*JwtHeader) ProtoMessage()

func (*JwtHeader) ProtoReflect

func (x *JwtHeader) ProtoReflect() protoreflect.Message

func (*JwtHeader) Reset

func (x *JwtHeader) Reset()

func (*JwtHeader) String

func (x *JwtHeader) String() string

type JwtProvider

// JwtProvider specifies how a JSON Web Token (JWT) can be verified: the expected
// issuer, the allowed audiences, where to get the JWKS used to check the signature,
// where to extract the token from the request, and how to pass on the verified payload.
type JwtProvider struct {

	// Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
	// the JWT, usually a URL or an email address.
	//
	// Example: https://securetoken.google.com
	// Example: 1234567-compute@developer.gserviceaccount.com
	Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ that are
	// allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
	// will not check audiences in the token.
	//
	// Security note: leaving this empty disables the audience check, so a correctly signed token
	// that the same issuer minted for a different service is accepted here as well. Set it unless
	// the issuer serves only this service.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	audiences:
	//	- bookstore_android.apps.googleusercontent.com
	//	- bookstore_web.apps.googleusercontent.com
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// `JSON Web Key Set (JWKS) <https://tools.ietf.org/html/rfc7517#appendix-A>`_ is needed to
	// validate signature of a JWT. This field specifies where to fetch JWKS.
	//
	// Types that are assignable to JwksSourceSpecifier:
	//
	//	*JwtProvider_RemoteJwks
	//	*JwtProvider_LocalJwks
	JwksSourceSpecifier isJwtProvider_JwksSourceSpecifier `protobuf_oneof:"jwks_source_specifier"`
	// If false, the JWT is removed in the request after a success verification. If true, the JWT is
	// not removed in the request. Default value is false.
	//
	// Security note: with forward set to true the upstream receives the caller's original bearer
	// token and is then in a position to reuse it. Keep the default unless the upstream needs the
	// raw token.
	Forward bool `protobuf:"varint,5,opt,name=forward,proto3" json:"forward,omitempty"`
	// Two fields below define where to extract the JWT from an HTTP request.
	//
	// If no explicit location is specified, the following default locations are tried in order:
	//
	// 1. The Authorization header using the `Bearer schema
	// <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
	//
	//	Authorization: Bearer <token>.
	//
	// 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
	//
	// Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
	// its provider specified or from the default locations.
	//
	// Specify the HTTP headers to extract JWT token. For example, the following config:
	//
	// .. code-block:: yaml
	//
	//	from_headers:
	//	- name: x-goog-iap-jwt-assertion
	//
	// can be used to extract token from header::
	//
	//	"x-goog-iap-jwt-assertion: <JWT>".
	FromHeaders []*JwtHeader `protobuf:"bytes,6,rep,name=from_headers,json=fromHeaders,proto3" json:"from_headers,omitempty"`
	// JWT is sent in a query parameter. `from_params` represents the query parameter names.
	//
	// Security note: a token carried in the URL tends to end up in access logs, browser history
	// and Referer headers (RFC 6750 section 2.3 discourages the query-parameter method). Prefer a
	// header location where the client allows it.
	//
	// For example, if config is:
	//
	// .. code-block:: yaml
	//
	//	from_params:
	//	- jwt_token
	//
	// The JWT format in query parameter is::
	//
	//	/path?jwt_token=<JWT>
	FromParams []string `protobuf:"bytes,7,rep,name=from_params,json=fromParams,proto3" json:"from_params,omitempty"`
	// This field specifies the header name to forward a successfully verified JWT payload to the
	// backend. The forwarded data is::
	//
	//	base64url_encoded(jwt_payload_in_JSON)
	//
	// If it is not specified, the payload will not be forwarded.
	//
	// Security note: the forwarded value is only base64url-encoded, not signed, so the backend can
	// rely on it only if clients cannot reach the backend without passing through this filter.
	// NOTE(review): confirm that a client-supplied header with this name is stripped on requests
	// where no JWT is verified.
	ForwardPayloadHeader string `protobuf:"bytes,8,opt,name=forward_payload_header,json=forwardPayloadHeader,proto3" json:"forward_payload_header,omitempty"`
	// If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
	// in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
	// The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
	// and the value is the *protobuf::Struct* converted from JWT JSON payload.
	//
	// For example, if payload_in_metadata is *my_payload*:
	//
	// .. code-block:: yaml
	//
	//	envoy.filters.http.jwt_authn:
	//	  my_payload:
	//	    iss: https://example.com
	//	    sub: test@example.com
	//	    aud: https://example.com
	//	    exp: 1501281058
	PayloadInMetadata string `protobuf:"bytes,9,opt,name=payload_in_metadata,json=payloadInMetadata,proto3" json:"payload_in_metadata,omitempty"`
	// contains filtered or unexported fields
}

Please see the following for the JWT authentication flow:

* `JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>`_
* `The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>`_
* `OpenID Connect <http://openid.net/connect>`_

A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:

* issuer: the principal that issues the JWT. It has to match the one from the token.
* allowed audiences: the ones in the token have to be listed here.
* how to fetch the public key JWKS to verify the token signature.
* how to extract the JWT from the request.
* how to pass on the successfully verified token payload.

Example:

.. code-block:: yaml

issuer: https://example.com
audiences:
- bookstore_android.apps.googleusercontent.com
- bookstore_web.apps.googleusercontent.com
remote_jwks:
  http_uri:
    uri: https://example.com/.well-known/jwks.json
    cluster: example_jwks_cluster
  cache_duration:
    seconds: 300

[#next-free-field: 10]

func (*JwtProvider) Descriptor deprecated

func (*JwtProvider) Descriptor() ([]byte, []int)

Deprecated: Use JwtProvider.ProtoReflect.Descriptor instead.

func (*JwtProvider) GetAudiences

func (x *JwtProvider) GetAudiences() []string

func (*JwtProvider) GetForward

func (x *JwtProvider) GetForward() bool

func (*JwtProvider) GetForwardPayloadHeader

func (x *JwtProvider) GetForwardPayloadHeader() string

func (*JwtProvider) GetFromHeaders

func (x *JwtProvider) GetFromHeaders() []*JwtHeader

func (*JwtProvider) GetFromParams

func (x *JwtProvider) GetFromParams() []string

func (*JwtProvider) GetIssuer

func (x *JwtProvider) GetIssuer() string

func (*JwtProvider) GetJwksSourceSpecifier

func (m *JwtProvider) GetJwksSourceSpecifier() isJwtProvider_JwksSourceSpecifier

func (*JwtProvider) GetLocalJwks

func (x *JwtProvider) GetLocalJwks() *core.DataSource

func (*JwtProvider) GetPayloadInMetadata

func (x *JwtProvider) GetPayloadInMetadata() string

func (*JwtProvider) GetRemoteJwks

func (x *JwtProvider) GetRemoteJwks() *RemoteJwks

func (*JwtProvider) ProtoMessage

func (*JwtProvider) ProtoMessage()

func (*JwtProvider) ProtoReflect

func (x *JwtProvider) ProtoReflect() protoreflect.Message

func (*JwtProvider) Reset

func (x *JwtProvider) Reset()

func (*JwtProvider) String

func (x *JwtProvider) String() string

type JwtProvider_LocalJwks

// JwtProvider_LocalJwks is the local_jwks alternative of the JwtProvider
// jwks_source_specifier oneof.
type JwtProvider_LocalJwks struct {
	// JWKS is in local data source. It could be either in a local file or embedded in the
	// inline_string.
	//
	// Security note: whoever can modify this file or inline value controls which signing keys
	// are trusted, so restrict write access to it. If the key set contains symmetric keys,
	// treat it as a secret as well.
	//
	// Example: local file
	//
	// .. code-block:: yaml
	//
	//	local_jwks:
	//	  filename: /etc/envoy/jwks/jwks1.txt
	//
	// Example: inline_string
	//
	// .. code-block:: yaml
	//
	//	local_jwks:
	//	  inline_string: ACADADADADA
	LocalJwks *core.DataSource `protobuf:"bytes,4,opt,name=local_jwks,json=localJwks,proto3,oneof"`
}

type JwtProvider_RemoteJwks

// JwtProvider_RemoteJwks is the remote_jwks alternative of the JwtProvider
// jwks_source_specifier oneof.
type JwtProvider_RemoteJwks struct {
	// JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
	// URI and how the fetched JWKS should be cached.
	//
	// Security note: the fetched key set decides which token signatures are accepted, so fetch
	// it over HTTPS as in the example below rather than plain HTTP.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	remote_jwks:
	//	  http_uri:
	//	    uri: https://www.googleapis.com/oauth2/v1/certs
	//	    cluster: jwt.www.googleapis.com|443
	//	  cache_duration:
	//	    seconds: 300
	RemoteJwks *RemoteJwks `protobuf:"bytes,3,opt,name=remote_jwks,json=remoteJwks,proto3,oneof"`
}

type JwtRequirement

// JwtRequirement specifies a Jwt requirement. An empty message (RequiresType
// unset) means JWT verification is not required, so an accidentally empty
// requirement leaves the matching requests unauthenticated.
type JwtRequirement struct {

	// Types that are assignable to RequiresType:
	//
	//	*JwtRequirement_ProviderName
	//	*JwtRequirement_ProviderAndAudiences
	//	*JwtRequirement_RequiresAny
	//	*JwtRequirement_RequiresAll
	//	*JwtRequirement_AllowMissingOrFailed
	//	*JwtRequirement_AllowMissing
	RequiresType isJwtRequirement_RequiresType `protobuf_oneof:"requires_type"`
	// contains filtered or unexported fields
}

This message specifies a Jwt requirement. An empty message means JWT verification is not required. Here are some config examples:

.. code-block:: yaml

# Example 1: not required with an empty message

# Example 2: require A
provider_name: provider-A

# Example 3: require A or B
requires_any:
  requirements:
    - provider_name: provider-A
    - provider_name: provider-B

# Example 4: require A and B
requires_all:
  requirements:
    - provider_name: provider-A
    - provider_name: provider-B

# Example 5: require A and (B or C)
requires_all:
  requirements:
    - provider_name: provider-A
    - requires_any:
      requirements:
        - provider_name: provider-B
        - provider_name: provider-C

# Example 6: require A or (B and C)
requires_any:
  requirements:
    - provider_name: provider-A
    - requires_all:
      requirements:
        - provider_name: provider-B
        - provider_name: provider-C

# Example 7: A is optional (if token from A is provided, it must be valid, but also allows
# missing token.)
requires_any:
  requirements:
  - provider_name: provider-A
  - allow_missing: {}

# Example 8: A is optional and B is required.
requires_all:
  requirements:
  - requires_any:
      requirements:
      - provider_name: provider-A
      - allow_missing: {}
  - provider_name: provider-B

[#next-free-field: 7]

func (*JwtRequirement) Descriptor deprecated

func (*JwtRequirement) Descriptor() ([]byte, []int)

Deprecated: Use JwtRequirement.ProtoReflect.Descriptor instead.

func (*JwtRequirement) GetAllowMissing

func (x *JwtRequirement) GetAllowMissing() *emptypb.Empty

func (*JwtRequirement) GetAllowMissingOrFailed

func (x *JwtRequirement) GetAllowMissingOrFailed() *emptypb.Empty

func (*JwtRequirement) GetProviderAndAudiences

func (x *JwtRequirement) GetProviderAndAudiences() *ProviderWithAudiences

func (*JwtRequirement) GetProviderName

func (x *JwtRequirement) GetProviderName() string

func (*JwtRequirement) GetRequiresAll

func (x *JwtRequirement) GetRequiresAll() *JwtRequirementAndList

func (*JwtRequirement) GetRequiresAny

func (x *JwtRequirement) GetRequiresAny() *JwtRequirementOrList

func (*JwtRequirement) GetRequiresType

func (m *JwtRequirement) GetRequiresType() isJwtRequirement_RequiresType

func (*JwtRequirement) ProtoMessage

func (*JwtRequirement) ProtoMessage()

func (*JwtRequirement) ProtoReflect

func (x *JwtRequirement) ProtoReflect() protoreflect.Message

func (*JwtRequirement) Reset

func (x *JwtRequirement) Reset()

func (*JwtRequirement) String

func (x *JwtRequirement) String() string

type JwtRequirementAndList

// JwtRequirementAndList holds a list of requirements whose results are AND-ed.
type JwtRequirementAndList struct {

	// Specify a list of JwtRequirement.
	Requirements []*JwtRequirement `protobuf:"bytes,1,rep,name=requirements,proto3" json:"requirements,omitempty"`
	// contains filtered or unexported fields
}

This message specifies a list of RequiredProvider. Their results are AND-ed: all of them must pass; if any one of them fails or is missing, the result is a failure.

func (*JwtRequirementAndList) Descriptor deprecated

func (*JwtRequirementAndList) Descriptor() ([]byte, []int)

Deprecated: Use JwtRequirementAndList.ProtoReflect.Descriptor instead.

func (*JwtRequirementAndList) GetRequirements

func (x *JwtRequirementAndList) GetRequirements() []*JwtRequirement

func (*JwtRequirementAndList) ProtoMessage

func (*JwtRequirementAndList) ProtoMessage()

func (*JwtRequirementAndList) ProtoReflect

func (x *JwtRequirementAndList) ProtoReflect() protoreflect.Message

func (*JwtRequirementAndList) Reset

func (x *JwtRequirementAndList) Reset()

func (*JwtRequirementAndList) String

func (x *JwtRequirementAndList) String() string

type JwtRequirementOrList

// JwtRequirementOrList holds a list of requirements whose results are OR-ed.
type JwtRequirementOrList struct {

	// Specify a list of JwtRequirement.
	//
	// Security note: the list is as permissive as its weakest entry. Listing
	// allow_missing or allow_missing_or_failed here makes the other entries optional.
	Requirements []*JwtRequirement `protobuf:"bytes,1,rep,name=requirements,proto3" json:"requirements,omitempty"`
	// contains filtered or unexported fields
}

This message specifies a list of RequiredProvider. Their results are OR-ed; if any one of them passes, the result is a pass.

func (*JwtRequirementOrList) Descriptor deprecated

func (*JwtRequirementOrList) Descriptor() ([]byte, []int)

Deprecated: Use JwtRequirementOrList.ProtoReflect.Descriptor instead.

func (*JwtRequirementOrList) GetRequirements

func (x *JwtRequirementOrList) GetRequirements() []*JwtRequirement

func (*JwtRequirementOrList) ProtoMessage

func (*JwtRequirementOrList) ProtoMessage()

func (*JwtRequirementOrList) ProtoReflect

func (x *JwtRequirementOrList) ProtoReflect() protoreflect.Message

func (*JwtRequirementOrList) Reset

func (x *JwtRequirementOrList) Reset()

func (*JwtRequirementOrList) String

func (x *JwtRequirementOrList) String() string

type JwtRequirement_AllowMissing

// JwtRequirement_AllowMissing is the allow_missing alternative of the
// JwtRequirement requires_type oneof.
type JwtRequirement_AllowMissing struct {
	// The requirement is satisfied if the JWT is missing, but fails if a JWT is
	// presented but invalid. Similar to allow_missing_or_failed, this is used
	// to only verify JWTs and pass the verified payload to another filter. The
	// difference is that this mode will reject requests with invalid tokens.
	//
	// Security note: a request that carries no token at all still passes, so
	// whatever consumes the payload must treat an absent payload as an
	// unauthenticated caller.
	AllowMissing *emptypb.Empty `protobuf:"bytes,6,opt,name=allow_missing,json=allowMissing,proto3,oneof"`
}

type JwtRequirement_AllowMissingOrFailed

// JwtRequirement_AllowMissingOrFailed is the allow_missing_or_failed
// alternative of the JwtRequirement requires_type oneof.
type JwtRequirement_AllowMissingOrFailed struct {
	// The requirement is always satisfied even if JWT is missing or the JWT
	// verification fails. A typical usage is: this filter is used to only verify
	// JWTs and pass the verified JWT payloads to another filter, the other filter
	// will make decision. In this mode, all JWT tokens will be verified.
	//
	// Security note: this filter rejects nothing in this mode. Unless a later
	// filter or the upstream enforces a decision based on the verified payload,
	// matching requests are effectively unauthenticated.
	AllowMissingOrFailed *emptypb.Empty `protobuf:"bytes,5,opt,name=allow_missing_or_failed,json=allowMissingOrFailed,proto3,oneof"`
}

type JwtRequirement_ProviderAndAudiences

// JwtRequirement_ProviderAndAudiences is the provider_and_audiences
// alternative of the JwtRequirement requires_type oneof.
type JwtRequirement_ProviderAndAudiences struct {
	// Specify a required provider with audiences.
	ProviderAndAudiences *ProviderWithAudiences `protobuf:"bytes,2,opt,name=provider_and_audiences,json=providerAndAudiences,proto3,oneof"`
}

type JwtRequirement_ProviderName

// JwtRequirement_ProviderName is the provider_name alternative of the
// JwtRequirement requires_type oneof.
type JwtRequirement_ProviderName struct {
	// Specify a required provider name.
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3,oneof"`
}

type JwtRequirement_RequiresAll

// JwtRequirement_RequiresAll is the requires_all alternative of the
// JwtRequirement requires_type oneof.
type JwtRequirement_RequiresAll struct {
	// Specify list of JwtRequirement. Their results are AND-ed.
	// All of them must pass; if any one of them fails or is missing, it fails.
	RequiresAll *JwtRequirementAndList `protobuf:"bytes,4,opt,name=requires_all,json=requiresAll,proto3,oneof"`
}

type JwtRequirement_RequiresAny

// JwtRequirement_RequiresAny is the requires_any alternative of the
// JwtRequirement requires_type oneof.
type JwtRequirement_RequiresAny struct {
	// Specify list of JwtRequirement. Their results are OR-ed.
	// If any one of them passes, the result is passed.
	RequiresAny *JwtRequirementOrList `protobuf:"bytes,3,opt,name=requires_any,json=requiresAny,proto3,oneof"`
}

type ProviderWithAudiences

// ProviderWithAudiences specifies a required provider together with audiences.
type ProviderWithAudiences struct {

	// Specify a required provider name.
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3" json:"provider_name,omitempty"`
	// This field overrides the one specified in the JwtProvider.
	//
	// NOTE(review): this page does not say whether an empty list here falls back
	// to the provider's audiences or disables the audience check; confirm before
	// relying on it.
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// contains filtered or unexported fields
}

Specify a required provider with audiences.

func (*ProviderWithAudiences) Descriptor deprecated

func (*ProviderWithAudiences) Descriptor() ([]byte, []int)

Deprecated: Use ProviderWithAudiences.ProtoReflect.Descriptor instead.

func (*ProviderWithAudiences) GetAudiences

func (x *ProviderWithAudiences) GetAudiences() []string

func (*ProviderWithAudiences) GetProviderName

func (x *ProviderWithAudiences) GetProviderName() string

func (*ProviderWithAudiences) ProtoMessage

func (*ProviderWithAudiences) ProtoMessage()

func (*ProviderWithAudiences) ProtoReflect

func (x *ProviderWithAudiences) ProtoReflect() protoreflect.Message

func (*ProviderWithAudiences) Reset

func (x *ProviderWithAudiences) Reset()

func (*ProviderWithAudiences) String

func (x *ProviderWithAudiences) String() string

type RemoteJwks

// RemoteJwks specifies how to fetch a JWKS from a remote server and how to cache it.
type RemoteJwks struct {

	// The HTTP URI to fetch the JWKS. For example:
	//
	// .. code-block:: yaml
	//
	//	http_uri:
	//	  uri: https://www.googleapis.com/oauth2/v1/certs
	//	  cluster: jwt.www.googleapis.com|443
	//
	// Security note: the fetched key set decides which token signatures are accepted.
	// Use an https URI. NOTE(review): the named cluster is defined outside this
	// message; verify that it is configured for TLS with certificate validation.
	HttpUri *core.HttpUri `protobuf:"bytes,1,opt,name=http_uri,json=httpUri,proto3" json:"http_uri,omitempty"`
	// Duration after which the cached JWKS should be expired. If not specified, default cache
	// duration is 5 minutes.
	//
	// NOTE(review): a key withdrawn from the remote JWKS presumably stays accepted until the
	// cached copy expires; confirm the refresh behaviour when choosing this value.
	CacheDuration *durationpb.Duration `protobuf:"bytes,2,opt,name=cache_duration,json=cacheDuration,proto3" json:"cache_duration,omitempty"`
	// contains filtered or unexported fields
}

This message specifies how to fetch JWKS from remote and how to cache it.

func (*RemoteJwks) Descriptor deprecated

func (*RemoteJwks) Descriptor() ([]byte, []int)

Deprecated: Use RemoteJwks.ProtoReflect.Descriptor instead.

func (*RemoteJwks) GetCacheDuration

func (x *RemoteJwks) GetCacheDuration() *durationpb.Duration

func (*RemoteJwks) GetHttpUri

func (x *RemoteJwks) GetHttpUri() *core.HttpUri

func (*RemoteJwks) ProtoMessage

func (*RemoteJwks) ProtoMessage()

func (*RemoteJwks) ProtoReflect

func (x *RemoteJwks) ProtoReflect() protoreflect.Message

func (*RemoteJwks) Reset

func (x *RemoteJwks) Reset()

func (*RemoteJwks) String

func (x *RemoteJwks) String() string

type RequirementRule

// RequirementRule specifies a Jwt requirement for a specific route condition.
type RequirementRule struct {

	// The route matching parameter. Only when the match is satisfied, the "requires" field will
	// apply.
	//
	// For example: following match will match all requests.
	//
	// .. code-block:: yaml
	//
	//	match:
	//	  prefix: /
	Match *route.RouteMatch `protobuf:"bytes,1,opt,name=match,proto3" json:"match,omitempty"`
	// Specify a Jwt Requirement. Please see the detailed comment in message JwtRequirement.
	//
	// Security note: leaving this field unset means requests matching this rule do not
	// require JWT authentication.
	Requires *JwtRequirement `protobuf:"bytes,2,opt,name=requires,proto3" json:"requires,omitempty"`
	// contains filtered or unexported fields
}

This message specifies a Jwt requirement for a specific Route condition. Example 1:

.. code-block:: yaml

- match:
    prefix: /healthz

In the above example, the "requires" field is empty for the /healthz prefix match, which means that requests matching the path prefix don't require JWT authentication.

Example 2:

.. code-block:: yaml

- match:
    prefix: /
  requires: { provider_name: provider-A }

In the above example, all requests matching the path prefix require JWT authentication from "provider-A".

func (*RequirementRule) Descriptor deprecated

func (*RequirementRule) Descriptor() ([]byte, []int)

Deprecated: Use RequirementRule.ProtoReflect.Descriptor instead.

func (*RequirementRule) GetMatch

func (x *RequirementRule) GetMatch() *route.RouteMatch

func (*RequirementRule) GetRequires

func (x *RequirementRule) GetRequires() *JwtRequirement

func (*RequirementRule) ProtoMessage

func (*RequirementRule) ProtoMessage()

func (*RequirementRule) ProtoReflect

func (x *RequirementRule) ProtoReflect() protoreflect.Message

func (*RequirementRule) Reset

func (x *RequirementRule) Reset()

func (*RequirementRule) String

func (x *RequirementRule) String() string
