jwt_authnv3

package
v1.36.11-2025121120105... Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: unknown License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

View Source 
const JwtProvider_JwksSourceSpecifier_not_set_case case_JwtProvider_JwksSourceSpecifier = 0
View Source 
const JwtProvider_LocalJwks_case case_JwtProvider_JwksSourceSpecifier = 4
View Source 
const JwtProvider_RemoteJwks_case case_JwtProvider_JwksSourceSpecifier = 3
View Source 
const JwtRequirement_AllowMissingOrFailed_case case_JwtRequirement_RequiresType = 5
View Source 
const JwtRequirement_AllowMissing_case case_JwtRequirement_RequiresType = 6
View Source 
const JwtRequirement_ProviderAndAudiences_case case_JwtRequirement_RequiresType = 2
View Source 
const JwtRequirement_ProviderName_case case_JwtRequirement_RequiresType = 1
View Source 
const JwtRequirement_RequiresAll_case case_JwtRequirement_RequiresType = 4
View Source 
const JwtRequirement_RequiresAny_case case_JwtRequirement_RequiresType = 3
View Source 
const JwtRequirement_RequiresType_not_set_case case_JwtRequirement_RequiresType = 0
View Source 
const PerRouteConfig_Disabled_case case_PerRouteConfig_RequirementSpecifier = 1
View Source 
const PerRouteConfig_RequirementName_case case_PerRouteConfig_RequirementSpecifier = 2
View Source 
const PerRouteConfig_RequirementSpecifier_not_set_case case_PerRouteConfig_RequirementSpecifier = 0
View Source 
const RequirementRule_RequirementName_case case_RequirementRule_RequirementType = 3
View Source 
const RequirementRule_RequirementType_not_set_case case_RequirementRule_RequirementType = 0
View Source 
const RequirementRule_Requires_case case_RequirementRule_RequirementType = 2

Variables

View Source 
var File_envoy_extensions_filters_http_jwt_authn_v3_config_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type FilterStateRule 

type FilterStateRule struct {

	// The filter state name to retrieve the “Router::StringAccessor“ object.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// A map of string keys to requirements. The string key is the string value
	// in the FilterState with the name specified in the “name“ field above.
	Requires map[string]*JwtRequirement `` /* 143-byte string literal not displayed */
	// contains filtered or unexported fields
}

This message specifies Jwt requirements based on stream_info.filterState. This FilterState should use “Router::StringAccessor“ object to set a string value. Other HTTP filters can use it to specify Jwt requirements dynamically.

Example:

.. code-block:: yaml 

name: jwt_selector
requires:
  issuer_1:
    provider_name: issuer1
  issuer_2:
    provider_name: issuer2

If a filter set "jwt_selector" with "issuer_1" to FilterState for a request, jwt_authn filter will use JwtRequirement{"provider_name": "issuer1"} to verify.

func (*FilterStateRule) GetName 

func (x *FilterStateRule) GetName() string

func (*FilterStateRule) GetRequires 

func (x *FilterStateRule) GetRequires() map[string]*JwtRequirement

func (*FilterStateRule) ProtoMessage 

func (*FilterStateRule) ProtoMessage()

func (*FilterStateRule) ProtoReflect 

func (x *FilterStateRule) ProtoReflect() protoreflect.Message

func (*FilterStateRule) Reset 

func (x *FilterStateRule) Reset()

func (*FilterStateRule) SetName 

func (x *FilterStateRule) SetName(v string)

func (*FilterStateRule) SetRequires 

func (x *FilterStateRule) SetRequires(v map[string]*JwtRequirement)

func (*FilterStateRule) String 

func (x *FilterStateRule) String() string

type FilterStateRule_builder 

type FilterStateRule_builder struct {

	// The filter state name to retrieve the “Router::StringAccessor“ object.
	Name string
	// A map of string keys to requirements. The string key is the string value
	// in the FilterState with the name specified in the “name“ field above.
	Requires map[string]*JwtRequirement
	// contains filtered or unexported fields
}

func (FilterStateRule_builder) Build 

func (b0 FilterStateRule_builder) Build() *FilterStateRule

type JwksAsyncFetch 

type JwksAsyncFetch struct {

	// If false, the listener is activated after the initial fetch is completed.
	// The initial fetch result can be either successful or failed.
	// If true, it is activated without waiting for the initial fetch to complete.
	// Default is false.
	FastListener bool `protobuf:"varint,1,opt,name=fast_listener,json=fastListener,proto3" json:"fast_listener,omitempty"`
	// The duration to refetch after a failed fetch. If not specified, default is 1 second.
	FailedRefetchDuration *durationpb.Duration `` /* 126-byte string literal not displayed */
	// contains filtered or unexported fields
}

Fetch Jwks asynchronously in the main thread when the filter config is parsed. The listener is activated only after the Jwks is fetched. When the Jwks is expired in the cache, it is fetched again in the main thread. The fetched Jwks from the main thread can be used by all worker threads.

func (*JwksAsyncFetch) ClearFailedRefetchDuration 

func (x *JwksAsyncFetch) ClearFailedRefetchDuration()

func (*JwksAsyncFetch) GetFailedRefetchDuration 

func (x *JwksAsyncFetch) GetFailedRefetchDuration() *durationpb.Duration

func (*JwksAsyncFetch) GetFastListener 

func (x *JwksAsyncFetch) GetFastListener() bool

func (*JwksAsyncFetch) HasFailedRefetchDuration 

func (x *JwksAsyncFetch) HasFailedRefetchDuration() bool

func (*JwksAsyncFetch) ProtoMessage 

func (*JwksAsyncFetch) ProtoMessage()

func (*JwksAsyncFetch) ProtoReflect 

func (x *JwksAsyncFetch) ProtoReflect() protoreflect.Message

func (*JwksAsyncFetch) Reset 

func (x *JwksAsyncFetch) Reset()

func (*JwksAsyncFetch) SetFailedRefetchDuration 

func (x *JwksAsyncFetch) SetFailedRefetchDuration(v *durationpb.Duration)

func (*JwksAsyncFetch) SetFastListener 

func (x *JwksAsyncFetch) SetFastListener(v bool)

func (*JwksAsyncFetch) String 

func (x *JwksAsyncFetch) String() string

type JwksAsyncFetch_builder 

type JwksAsyncFetch_builder struct {

	// If false, the listener is activated after the initial fetch is completed.
	// The initial fetch result can be either successful or failed.
	// If true, it is activated without waiting for the initial fetch to complete.
	// Default is false.
	FastListener bool
	// The duration to refetch after a failed fetch. If not specified, default is 1 second.
	FailedRefetchDuration *durationpb.Duration
	// contains filtered or unexported fields
}

func (JwksAsyncFetch_builder) Build 

func (b0 JwksAsyncFetch_builder) Build() *JwksAsyncFetch

type JwtAuthentication 

type JwtAuthentication struct {

	// Map of provider names to JwtProviders.
	//
	// .. code-block:: yaml
	//
	//	providers:
	//	  provider1:
	//	     issuer: issuer1
	//	     audiences:
	//	     - audience1
	//	     - audience2
	//	     remote_jwks:
	//	       http_uri:
	//	         uri: https://example.com/.well-known/jwks.json
	//	         cluster: example_jwks_cluster
	//	         timeout: 1s
	//	   provider2:
	//	     issuer: provider2
	//	     local_jwks:
	//	       inline_string: jwks_string
	Providers map[string]*JwtProvider `` /* 145-byte string literal not displayed */
	// Specifies requirements based on the route matches. The first matched requirement will be
	// applied. If there are overlapped match conditions, please put the most specific match first.
	//
	// # Examples
	//
	// .. code-block:: yaml
	//
	//	rules:
	//	  - match:
	//	      prefix: /healthz
	//	  - match:
	//	      prefix: /baz
	//	    requires:
	//	      provider_name: provider1
	//	  - match:
	//	      prefix: /foo
	//	    requires:
	//	      requires_any:
	//	        requirements:
	//	          - provider_name: provider1
	//	          - provider_name: provider2
	//	  - match:
	//	      prefix: /bar
	//	    requires:
	//	      requires_all:
	//	        requirements:
	//	          - provider_name: provider1
	//	          - provider_name: provider2
	Rules []*RequirementRule `protobuf:"bytes,2,rep,name=rules,proto3" json:"rules,omitempty"`
	// This message specifies Jwt requirements based on stream_info.filterState.
	// Other HTTP filters can use it to specify Jwt requirements dynamically.
	// The “rules“ field above is checked first, if it could not find any matches,
	// check this one.
	FilterStateRules *FilterStateRule `protobuf:"bytes,3,opt,name=filter_state_rules,json=filterStateRules,proto3" json:"filter_state_rules,omitempty"`
	// When set to true, bypass the `CORS preflight request
	// <http://www.w3.org/TR/cors/#cross-origin-request-with-preflight>`_ regardless of JWT
	// requirements specified in the rules.
	BypassCorsPreflight bool `protobuf:"varint,4,opt,name=bypass_cors_preflight,json=bypassCorsPreflight,proto3" json:"bypass_cors_preflight,omitempty"`
	// A map of unique requirement_names to JwtRequirements.
	// :ref:`requirement_name <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.PerRouteConfig.requirement_name>`
	// in “PerRouteConfig“ uses this map to specify a JwtRequirement.
	RequirementMap map[string]*JwtRequirement `` /* 177-byte string literal not displayed */
	// A request failing the verification process will receive a 401 downstream with the failure response details
	// in the body along with WWWAuthenticate header value set with "invalid token". If this value is set to true,
	// the response details will be stripped and only a 401 response code will be returned. Default value is false
	StripFailureResponse bool `protobuf:"varint,6,opt,name=strip_failure_response,json=stripFailureResponse,proto3" json:"strip_failure_response,omitempty"`
	// Optional additional prefix to use when emitting statistics.
	StatPrefix string `protobuf:"bytes,7,opt,name=stat_prefix,json=statPrefix,proto3" json:"stat_prefix,omitempty"`
	// contains filtered or unexported fields
}

This is the Envoy HTTP filter config for JWT authentication.

For example:

.. code-block:: yaml 

providers:
   provider1:
     issuer: issuer1
     audiences:
     - audience1
     - audience2
     remote_jwks:
       http_uri:
         uri: https://example.com/.well-known/jwks.json
         cluster: example_jwks_cluster
         timeout: 1s
   provider2:
     issuer: issuer2
     local_jwks:
       inline_string: jwks_string

rules:
   # Not jwt verification is required for /health path
   - match:
       prefix: /health

   # Jwt verification for provider1 is required for path prefixed with "prefix"
   - match:
       prefix: /prefix
     requires:
       provider_name: provider1

   # Jwt verification for either provider1 or provider2 is required for all other requests.
   - match:
       prefix: /
     requires:
       requires_any:
         requirements:
           - provider_name: provider1
           - provider_name: provider2

[#next-free-field: 8]

func (*JwtAuthentication) ClearFilterStateRules 

func (x *JwtAuthentication) ClearFilterStateRules()

func (*JwtAuthentication) GetBypassCorsPreflight 

func (x *JwtAuthentication) GetBypassCorsPreflight() bool

func (*JwtAuthentication) GetFilterStateRules 

func (x *JwtAuthentication) GetFilterStateRules() *FilterStateRule

func (*JwtAuthentication) GetProviders 

func (x *JwtAuthentication) GetProviders() map[string]*JwtProvider

func (*JwtAuthentication) GetRequirementMap 

func (x *JwtAuthentication) GetRequirementMap() map[string]*JwtRequirement

func (*JwtAuthentication) GetRules 

func (x *JwtAuthentication) GetRules() []*RequirementRule

func (*JwtAuthentication) GetStatPrefix 

func (x *JwtAuthentication) GetStatPrefix() string

func (*JwtAuthentication) GetStripFailureResponse 

func (x *JwtAuthentication) GetStripFailureResponse() bool

func (*JwtAuthentication) HasFilterStateRules 

func (x *JwtAuthentication) HasFilterStateRules() bool

func (*JwtAuthentication) ProtoMessage 

func (*JwtAuthentication) ProtoMessage()

func (*JwtAuthentication) ProtoReflect 

func (x *JwtAuthentication) ProtoReflect() protoreflect.Message

func (*JwtAuthentication) Reset 

func (x *JwtAuthentication) Reset()

func (*JwtAuthentication) SetBypassCorsPreflight 

func (x *JwtAuthentication) SetBypassCorsPreflight(v bool)

func (*JwtAuthentication) SetFilterStateRules 

func (x *JwtAuthentication) SetFilterStateRules(v *FilterStateRule)

func (*JwtAuthentication) SetProviders 

func (x *JwtAuthentication) SetProviders(v map[string]*JwtProvider)

func (*JwtAuthentication) SetRequirementMap 

func (x *JwtAuthentication) SetRequirementMap(v map[string]*JwtRequirement)

func (*JwtAuthentication) SetRules 

func (x *JwtAuthentication) SetRules(v []*RequirementRule)

func (*JwtAuthentication) SetStatPrefix 

func (x *JwtAuthentication) SetStatPrefix(v string)

func (*JwtAuthentication) SetStripFailureResponse 

func (x *JwtAuthentication) SetStripFailureResponse(v bool)

func (*JwtAuthentication) String 

func (x *JwtAuthentication) String() string

type JwtAuthentication_builder 

type JwtAuthentication_builder struct {

	// Map of provider names to JwtProviders.
	//
	// .. code-block:: yaml
	//
	//	providers:
	//	  provider1:
	//	     issuer: issuer1
	//	     audiences:
	//	     - audience1
	//	     - audience2
	//	     remote_jwks:
	//	       http_uri:
	//	         uri: https://example.com/.well-known/jwks.json
	//	         cluster: example_jwks_cluster
	//	         timeout: 1s
	//	   provider2:
	//	     issuer: provider2
	//	     local_jwks:
	//	       inline_string: jwks_string
	Providers map[string]*JwtProvider
	// Specifies requirements based on the route matches. The first matched requirement will be
	// applied. If there are overlapped match conditions, please put the most specific match first.
	//
	// # Examples
	//
	// .. code-block:: yaml
	//
	//	rules:
	//	  - match:
	//	      prefix: /healthz
	//	  - match:
	//	      prefix: /baz
	//	    requires:
	//	      provider_name: provider1
	//	  - match:
	//	      prefix: /foo
	//	    requires:
	//	      requires_any:
	//	        requirements:
	//	          - provider_name: provider1
	//	          - provider_name: provider2
	//	  - match:
	//	      prefix: /bar
	//	    requires:
	//	      requires_all:
	//	        requirements:
	//	          - provider_name: provider1
	//	          - provider_name: provider2
	Rules []*RequirementRule
	// This message specifies Jwt requirements based on stream_info.filterState.
	// Other HTTP filters can use it to specify Jwt requirements dynamically.
	// The “rules“ field above is checked first, if it could not find any matches,
	// check this one.
	FilterStateRules *FilterStateRule
	// When set to true, bypass the `CORS preflight request
	// <http://www.w3.org/TR/cors/#cross-origin-request-with-preflight>`_ regardless of JWT
	// requirements specified in the rules.
	BypassCorsPreflight bool
	// A map of unique requirement_names to JwtRequirements.
	// :ref:`requirement_name <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.PerRouteConfig.requirement_name>`
	// in “PerRouteConfig“ uses this map to specify a JwtRequirement.
	RequirementMap map[string]*JwtRequirement
	// A request failing the verification process will receive a 401 downstream with the failure response details
	// in the body along with WWWAuthenticate header value set with "invalid token". If this value is set to true,
	// the response details will be stripped and only a 401 response code will be returned. Default value is false
	StripFailureResponse bool
	// Optional additional prefix to use when emitting statistics.
	StatPrefix string
	// contains filtered or unexported fields
}

func (JwtAuthentication_builder) Build 

func (b0 JwtAuthentication_builder) Build() *JwtAuthentication

type JwtCacheConfig 

type JwtCacheConfig struct {

	// The unit is number of JWTs, default to 100.
	JwtCacheSize uint32 `protobuf:"varint,1,opt,name=jwt_cache_size,json=jwtCacheSize,proto3" json:"jwt_cache_size,omitempty"`
	// The maximum size of a single cached token in bytes.
	// If this field is not set or is set to 0, then the default value 4096 bytes is used.
	// The maximum value for a token is inclusive.
	JwtMaxTokenSize uint32 `protobuf:"varint,2,opt,name=jwt_max_token_size,json=jwtMaxTokenSize,proto3" json:"jwt_max_token_size,omitempty"`
	// contains filtered or unexported fields
}

This message specifies JWT Cache configuration.

func (*JwtCacheConfig) GetJwtCacheSize 

func (x *JwtCacheConfig) GetJwtCacheSize() uint32

func (*JwtCacheConfig) GetJwtMaxTokenSize 

func (x *JwtCacheConfig) GetJwtMaxTokenSize() uint32

func (*JwtCacheConfig) ProtoMessage 

func (*JwtCacheConfig) ProtoMessage()

func (*JwtCacheConfig) ProtoReflect 

func (x *JwtCacheConfig) ProtoReflect() protoreflect.Message

func (*JwtCacheConfig) Reset 

func (x *JwtCacheConfig) Reset()

func (*JwtCacheConfig) SetJwtCacheSize 

func (x *JwtCacheConfig) SetJwtCacheSize(v uint32)

func (*JwtCacheConfig) SetJwtMaxTokenSize 

func (x *JwtCacheConfig) SetJwtMaxTokenSize(v uint32)

func (*JwtCacheConfig) String 

func (x *JwtCacheConfig) String() string

type JwtCacheConfig_builder 

type JwtCacheConfig_builder struct {

	// The unit is number of JWTs, default to 100.
	JwtCacheSize uint32
	// The maximum size of a single cached token in bytes.
	// If this field is not set or is set to 0, then the default value 4096 bytes is used.
	// The maximum value for a token is inclusive.
	JwtMaxTokenSize uint32
	// contains filtered or unexported fields
}

func (JwtCacheConfig_builder) Build 

func (b0 JwtCacheConfig_builder) Build() *JwtCacheConfig

type JwtClaimToHeader 

type JwtClaimToHeader struct {

	// The HTTP header name to copy the claim to.
	// The header name will be sanitized and replaced.
	HeaderName string `protobuf:"bytes,1,opt,name=header_name,json=headerName,proto3" json:"header_name,omitempty"`
	// The field name for the JWT Claim : it can be a nested claim of type (eg. "claim.nested.key", "sub")
	// String separated with "." in case of nested claims. The nested claim name must use dot "." to separate
	// the JSON name path.
	ClaimName string `protobuf:"bytes,2,opt,name=claim_name,json=claimName,proto3" json:"claim_name,omitempty"`
	// contains filtered or unexported fields
}

This message specifies a combination of header name and claim name.

func (*JwtClaimToHeader) GetClaimName 

func (x *JwtClaimToHeader) GetClaimName() string

func (*JwtClaimToHeader) GetHeaderName 

func (x *JwtClaimToHeader) GetHeaderName() string

func (*JwtClaimToHeader) ProtoMessage 

func (*JwtClaimToHeader) ProtoMessage()

func (*JwtClaimToHeader) ProtoReflect 

func (x *JwtClaimToHeader) ProtoReflect() protoreflect.Message

func (*JwtClaimToHeader) Reset 

func (x *JwtClaimToHeader) Reset()

func (*JwtClaimToHeader) SetClaimName 

func (x *JwtClaimToHeader) SetClaimName(v string)

func (*JwtClaimToHeader) SetHeaderName 

func (x *JwtClaimToHeader) SetHeaderName(v string)

func (*JwtClaimToHeader) String 

func (x *JwtClaimToHeader) String() string

type JwtClaimToHeader_builder 

type JwtClaimToHeader_builder struct {

	// The HTTP header name to copy the claim to.
	// The header name will be sanitized and replaced.
	HeaderName string
	// The field name for the JWT Claim : it can be a nested claim of type (eg. "claim.nested.key", "sub")
	// String separated with "." in case of nested claims. The nested claim name must use dot "." to separate
	// the JSON name path.
	ClaimName string
	// contains filtered or unexported fields
}

func (JwtClaimToHeader_builder) Build 

func (b0 JwtClaimToHeader_builder) Build() *JwtClaimToHeader

type JwtHeader 

type JwtHeader struct {

	// The HTTP header name.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// The value prefix. The value format is "value_prefix<token>"
	// For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
	// end.
	ValuePrefix string `protobuf:"bytes,2,opt,name=value_prefix,json=valuePrefix,proto3" json:"value_prefix,omitempty"`
	// contains filtered or unexported fields
}

This message specifies a header location to extract the JWT.

func (*JwtHeader) GetName 

func (x *JwtHeader) GetName() string

func (*JwtHeader) GetValuePrefix 

func (x *JwtHeader) GetValuePrefix() string

func (*JwtHeader) ProtoMessage 

func (*JwtHeader) ProtoMessage()

func (*JwtHeader) ProtoReflect 

func (x *JwtHeader) ProtoReflect() protoreflect.Message

func (*JwtHeader) Reset 

func (x *JwtHeader) Reset()

func (*JwtHeader) SetName 

func (x *JwtHeader) SetName(v string)

func (*JwtHeader) SetValuePrefix 

func (x *JwtHeader) SetValuePrefix(v string)

func (*JwtHeader) String 

func (x *JwtHeader) String() string

type JwtHeader_builder 

type JwtHeader_builder struct {

	// The HTTP header name.
	Name string
	// The value prefix. The value format is "value_prefix<token>"
	// For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
	// end.
	ValuePrefix string
	// contains filtered or unexported fields
}

func (JwtHeader_builder) Build 

func (b0 JwtHeader_builder) Build() *JwtHeader

type JwtProvider 

type JwtProvider struct {

	// Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
	// the JWT, usually a URL or an email address.
	//
	// It is optional. If specified, it has to match the “iss“ field in JWT,
	// otherwise the JWT “iss“ field is not checked.
	//
	// Note: “JwtRequirement“ :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
	// and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
	// are implemented differently than other “JwtRequirements“. Hence the usage of this field
	// is different as follows if “allow_missing“ or “allow_missing_or_failed“ is used:
	//
	// * If a JWT has “iss“ field, it needs to be specified by this field in one of “JwtProviders“.
	// * If a JWT doesn't have “iss“ field, one of “JwtProviders“ should fill this field empty.
	// * Multiple “JwtProviders“ should not have same value in this field.
	//
	// Example: https://securetoken.google.com
	// Example: 1234567-compute@developer.gserviceaccount.com
	Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
	// allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
	// will not check audiences in the token.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	audiences:
	//	- bookstore_android.apps.googleusercontent.com
	//	- bookstore_web.apps.googleusercontent.com
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_
	// that the JwtProvider can assert. For instance, this could implement JWT-SVID
	// `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_.
	// If not specified, will not check subjects in the token.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	subjects:
	//	  prefix: spiffe://spiffe.example.com/
	Subjects *v3.StringMatcher `protobuf:"bytes,19,opt,name=subjects,proto3" json:"subjects,omitempty"`
	// Requires that the credential contains an `expiration <https://tools.ietf.org/html/rfc7519#section-4.1.4>`_.
	// For instance, this could implement JWT-SVID
	// `expiration restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#33-expiration-time>`_.
	// Unlike “max_lifetime“, this only requires that expiration is present, where “max_lifetime“ also checks the value.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	require_expiration: true
	RequireExpiration bool `protobuf:"varint,20,opt,name=require_expiration,json=requireExpiration,proto3" json:"require_expiration,omitempty"`
	// Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime
	// is the difference between the current time and the expiration of the credential. For instance,
	// the following example will reject credentials that have a lifetime longer than 24 hours. If not set,
	// expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence
	// over “require_expiration“.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	max_lifetime:
	//	  seconds: 86400
	MaxLifetime *durationpb.Duration `protobuf:"bytes,21,opt,name=max_lifetime,json=maxLifetime,proto3" json:"max_lifetime,omitempty"`
	// `JSON Web Key Set (JWKS) <https://tools.ietf.org/html/rfc7517#appendix-A>`_ is needed to
	// validate signature of a JWT. This field specifies where to fetch JWKS.
	//
	// Types that are valid to be assigned to JwksSourceSpecifier:
	//
	//	*JwtProvider_RemoteJwks
	//	*JwtProvider_LocalJwks
	JwksSourceSpecifier isJwtProvider_JwksSourceSpecifier `protobuf_oneof:"jwks_source_specifier"`
	// If false, the JWT is removed in the request after a success verification. If true, the JWT is
	// not removed in the request. Default value is false.
	// caveat: only works for from_header/from_params & has no effect for JWTs extracted through from_cookies.
	Forward bool `protobuf:"varint,5,opt,name=forward,proto3" json:"forward,omitempty"`
	// Two fields below define where to extract the JWT from an HTTP request.
	//
	// If no explicit location is specified, the following default locations are tried in order:
	//
	// 1. The Authorization header using the `Bearer schema
	// <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
	//
	//	Authorization: Bearer <token>.
	//
	// 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
	//
	// Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
	// its provider specified or from the default locations.
	//
	// Specify the HTTP headers to extract the JWT. For examples, following config:
	//
	// .. code-block:: yaml
	//
	//	from_headers:
	//	- name: x-goog-iap-jwt-assertion
	//
	// can be used to extract token from header::
	//
	//	“x-goog-iap-jwt-assertion: <JWT>“.
	FromHeaders []*JwtHeader `protobuf:"bytes,6,rep,name=from_headers,json=fromHeaders,proto3" json:"from_headers,omitempty"`
	// JWT is sent in a query parameter. “jwt_params“ represents the query parameter names.
	//
	// For example, if config is:
	//
	// .. code-block:: yaml
	//
	//	from_params:
	//	- jwt_token
	//
	// The JWT format in query parameter is::
	//
	//	/path?jwt_token=<JWT>
	FromParams []string `protobuf:"bytes,7,rep,name=from_params,json=fromParams,proto3" json:"from_params,omitempty"`
	// JWT is sent in a cookie. “from_cookies“ represents the cookie names to extract from.
	//
	// For example, if config is:
	//
	// .. code-block:: yaml
	//
	//	from_cookies:
	//	- auth-token
	//
	// Then JWT will be extracted from “auth-token“ cookie in the request.
	FromCookies []string `protobuf:"bytes,13,rep,name=from_cookies,json=fromCookies,proto3" json:"from_cookies,omitempty"`
	// This field specifies the header name to forward a successfully verified JWT payload to the
	// backend. The forwarded data is::
	//
	//	base64url_encoded(jwt_payload_in_JSON)
	//
	// If it is not specified, the payload will not be forwarded.
	ForwardPayloadHeader string `protobuf:"bytes,8,opt,name=forward_payload_header,json=forwardPayloadHeader,proto3" json:"forward_payload_header,omitempty"`
	// When :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
	// is specified, the base64 encoded payload will be added to the headers.
	// Normally JWT based64 encode doesn't add padding. If this field is true,
	// the header will be padded.
	//
	// This field is only relevant if :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
	// is specified.
	PadForwardPayloadHeader bool `` /* 136-byte string literal not displayed */
	// If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
	// in the format as: “namespace“ is the jwt_authn filter name as ““envoy.filters.http.jwt_authn““
	// The value is the “protobuf::Struct“. The value of this field will be the key for its “fields“
	// and the value is the “protobuf::Struct“ converted from JWT JSON payload.
	//
	// For example, if payload_in_metadata is “my_payload“:
	//
	// .. code-block:: yaml
	//
	//	envoy.filters.http.jwt_authn:
	//	  my_payload:
	//	    iss: https://example.com
	//	    sub: test@example.com
	//	    aud: https://example.com
	//	    exp: 1501281058
	PayloadInMetadata string `protobuf:"bytes,9,opt,name=payload_in_metadata,json=payloadInMetadata,proto3" json:"payload_in_metadata,omitempty"`
	// Normalizes the payload representation in the request metadata.
	NormalizePayloadInMetadata *JwtProvider_NormalizePayload `` /* 144-byte string literal not displayed */
	// If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
	// a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
	// as an entry (“protobuf::Struct“) in “envoy.filters.http.jwt_authn“ “namespace“ with the
	// value of this field as the key.
	//
	// For example, if “header_in_metadata“ is “my_header“:
	//
	// .. code-block:: yaml
	//
	//	envoy.filters.http.jwt_authn:
	//	  my_header:
	//	    alg: JWT
	//	    kid: EF71iSaosbC5C4tC6Syq1Gm647M
	//	    alg: PS256
	//
	// When the metadata has “envoy.filters.http.jwt_authn“ entry already (for example if
	// :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
	// is not empty), it will be inserted as a new entry in the same “namespace“ as shown below:
	//
	// .. code-block:: yaml
	//
	//	envoy.filters.http.jwt_authn:
	//	  my_payload:
	//	    iss: https://example.com
	//	    sub: test@example.com
	//	    aud: https://example.com
	//	    exp: 1501281058
	//	  my_header:
	//	    alg: JWT
	//	    kid: EF71iSaosbC5C4tC6Syq1Gm647M
	//	    alg: PS256
	//
	// .. warning::
	//
	//	Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
	//	and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
	//	is not suggested due to potential override of existing entry, while it is not enforced during
	//	config validation.
	HeaderInMetadata string `protobuf:"bytes,14,opt,name=header_in_metadata,json=headerInMetadata,proto3" json:"header_in_metadata,omitempty"`
	// If non empty, the failure status “::google::jwt_verify::Status“ for a non verified JWT will be written to StreamInfo DynamicMetadata
	// in the format as: “namespace“ is the jwt_authn filter name as “envoy.filters.http.jwt_authn“
	// The value is the “protobuf::Struct“. The values of this field will be “code“ and “message“
	// and they will contain the JWT authentication failure status code and a message describing the failure.
	//
	// For example, if failed_status_in_metadata is “my_auth_failure_status“:
	//
	// .. code-block:: yaml
	//
	//	envoy.filters.http.jwt_authn:
	//	  my_auth_failure_status:
	//	    code: 3
	//	    message: Jwt expired
	FailedStatusInMetadata string `` /* 132-byte string literal not displayed */
	// Specify the clock skew in seconds when verifying JWT time constraint,
	// such as “exp“, and “nbf“. If not specified, default is 60 seconds.
	ClockSkewSeconds uint32 `protobuf:"varint,10,opt,name=clock_skew_seconds,json=clockSkewSeconds,proto3" json:"clock_skew_seconds,omitempty"`
	// Enables JWT cache, its size is specified by “jwt_cache_size“.
	// Only valid JWTs are cached.
	JwtCacheConfig *JwtCacheConfig `protobuf:"bytes,12,opt,name=jwt_cache_config,json=jwtCacheConfig,proto3" json:"jwt_cache_config,omitempty"`
	// Add JWT claim to HTTP Header
	// Specify the claim name you want to copy in which HTTP header. For examples, following config:
	// The claim must be of type; string, int, double, bool. Array type claims are not supported
	//
	// .. literalinclude:: /_configs/repo/jwt_authn.yaml
	//
	//	:language: yaml
	//	:lines: 44-48
	//	:linenos:
	//	:lineno-start: 44
	//	:caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`
	//
	// This header is only reserved for jwt claim; any other value will be overwritten.
	ClaimToHeaders []*JwtClaimToHeader `protobuf:"bytes,15,rep,name=claim_to_headers,json=claimToHeaders,proto3" json:"claim_to_headers,omitempty"`
	// Clears route cache in order to allow the JWT to correctly affect
	// routing decisions. Filter clears all cached routes when:
	//
	// 1. The field is set to “true“.
	//
	//  2. At least one “claim_to_headers“ header is added to the request OR
	//     if “payload_in_metadata“ is set.
	ClearRouteCache bool `protobuf:"varint,17,opt,name=clear_route_cache,json=clearRouteCache,proto3" json:"clear_route_cache,omitempty"`
	// contains filtered or unexported fields
}

Please see following for JWT authentication flow:

* `JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>`_ * `The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>`_ * `OpenID Connect <http://openid.net/connect>`_

A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:

* issuer: the principal that issues the JWT. If specified, it has to match the “iss“ field in JWT. * allowed audiences: the ones in the token have to be listed here. * how to fetch public key JWKS to verify the token signature. * how to extract the JWT in the request. * how to pass successfully verified token payload.

Example:

.. code-block:: yaml 

issuer: https://example.com
audiences:
- bookstore_android.apps.googleusercontent.com
- bookstore_web.apps.googleusercontent.com
remote_jwks:
  http_uri:
    uri: https://example.com/.well-known/jwks.json
    cluster: example_jwks_cluster
    timeout: 1s
  cache_duration:
    seconds: 300

[#next-free-field: 22]

func (*JwtProvider) ClearJwksSourceSpecifier 

func (x *JwtProvider) ClearJwksSourceSpecifier()

func (*JwtProvider) ClearJwtCacheConfig 

func (x *JwtProvider) ClearJwtCacheConfig()

func (*JwtProvider) ClearLocalJwks 

func (x *JwtProvider) ClearLocalJwks()

func (*JwtProvider) ClearMaxLifetime 

func (x *JwtProvider) ClearMaxLifetime()

func (*JwtProvider) ClearNormalizePayloadInMetadata 

func (x *JwtProvider) ClearNormalizePayloadInMetadata()

func (*JwtProvider) ClearRemoteJwks 

func (x *JwtProvider) ClearRemoteJwks()

func (*JwtProvider) ClearSubjects 

func (x *JwtProvider) ClearSubjects()

func (*JwtProvider) GetAudiences 

func (x *JwtProvider) GetAudiences() []string

func (*JwtProvider) GetClaimToHeaders 

func (x *JwtProvider) GetClaimToHeaders() []*JwtClaimToHeader

func (*JwtProvider) GetClearRouteCache 

func (x *JwtProvider) GetClearRouteCache() bool

func (*JwtProvider) GetClockSkewSeconds 

func (x *JwtProvider) GetClockSkewSeconds() uint32

func (*JwtProvider) GetFailedStatusInMetadata 

func (x *JwtProvider) GetFailedStatusInMetadata() string

func (*JwtProvider) GetForward 

func (x *JwtProvider) GetForward() bool

func (*JwtProvider) GetForwardPayloadHeader 

func (x *JwtProvider) GetForwardPayloadHeader() string

func (*JwtProvider) GetFromCookies 

func (x *JwtProvider) GetFromCookies() []string

func (*JwtProvider) GetFromHeaders 

func (x *JwtProvider) GetFromHeaders() []*JwtHeader

func (*JwtProvider) GetFromParams 

func (x *JwtProvider) GetFromParams() []string

func (*JwtProvider) GetHeaderInMetadata 

func (x *JwtProvider) GetHeaderInMetadata() string

func (*JwtProvider) GetIssuer 

func (x *JwtProvider) GetIssuer() string

func (*JwtProvider) GetJwksSourceSpecifier 

func (x *JwtProvider) GetJwksSourceSpecifier() isJwtProvider_JwksSourceSpecifier

func (*JwtProvider) GetJwtCacheConfig 

func (x *JwtProvider) GetJwtCacheConfig() *JwtCacheConfig

func (*JwtProvider) GetLocalJwks 

func (x *JwtProvider) GetLocalJwks() *v31.DataSource

func (*JwtProvider) GetMaxLifetime 

func (x *JwtProvider) GetMaxLifetime() *durationpb.Duration

func (*JwtProvider) GetNormalizePayloadInMetadata 

func (x *JwtProvider) GetNormalizePayloadInMetadata() *JwtProvider_NormalizePayload

func (*JwtProvider) GetPadForwardPayloadHeader 

func (x *JwtProvider) GetPadForwardPayloadHeader() bool

func (*JwtProvider) GetPayloadInMetadata 

func (x *JwtProvider) GetPayloadInMetadata() string

func (*JwtProvider) GetRemoteJwks 

func (x *JwtProvider) GetRemoteJwks() *RemoteJwks

func (*JwtProvider) GetRequireExpiration 

func (x *JwtProvider) GetRequireExpiration() bool

func (*JwtProvider) GetSubjects 

func (x *JwtProvider) GetSubjects() *v3.StringMatcher

func (*JwtProvider) HasJwksSourceSpecifier 

func (x *JwtProvider) HasJwksSourceSpecifier() bool

func (*JwtProvider) HasJwtCacheConfig 

func (x *JwtProvider) HasJwtCacheConfig() bool

func (*JwtProvider) HasLocalJwks 

func (x *JwtProvider) HasLocalJwks() bool

func (*JwtProvider) HasMaxLifetime 

func (x *JwtProvider) HasMaxLifetime() bool

func (*JwtProvider) HasNormalizePayloadInMetadata 

func (x *JwtProvider) HasNormalizePayloadInMetadata() bool

func (*JwtProvider) HasRemoteJwks 

func (x *JwtProvider) HasRemoteJwks() bool

func (*JwtProvider) HasSubjects 

func (x *JwtProvider) HasSubjects() bool

func (*JwtProvider) ProtoMessage 

func (*JwtProvider) ProtoMessage()

func (*JwtProvider) ProtoReflect 

func (x *JwtProvider) ProtoReflect() protoreflect.Message

func (*JwtProvider) Reset 

func (x *JwtProvider) Reset()

func (*JwtProvider) SetAudiences 

func (x *JwtProvider) SetAudiences(v []string)

func (*JwtProvider) SetClaimToHeaders 

func (x *JwtProvider) SetClaimToHeaders(v []*JwtClaimToHeader)

func (*JwtProvider) SetClearRouteCache 

func (x *JwtProvider) SetClearRouteCache(v bool)

func (*JwtProvider) SetClockSkewSeconds 

func (x *JwtProvider) SetClockSkewSeconds(v uint32)

func (*JwtProvider) SetFailedStatusInMetadata 

func (x *JwtProvider) SetFailedStatusInMetadata(v string)

func (*JwtProvider) SetForward 

func (x *JwtProvider) SetForward(v bool)

func (*JwtProvider) SetForwardPayloadHeader 

func (x *JwtProvider) SetForwardPayloadHeader(v string)

func (*JwtProvider) SetFromCookies 

func (x *JwtProvider) SetFromCookies(v []string)

func (*JwtProvider) SetFromHeaders 

func (x *JwtProvider) SetFromHeaders(v []*JwtHeader)

func (*JwtProvider) SetFromParams 

func (x *JwtProvider) SetFromParams(v []string)

func (*JwtProvider) SetHeaderInMetadata 

func (x *JwtProvider) SetHeaderInMetadata(v string)

func (*JwtProvider) SetIssuer 

func (x *JwtProvider) SetIssuer(v string)

func (*JwtProvider) SetJwtCacheConfig 

func (x *JwtProvider) SetJwtCacheConfig(v *JwtCacheConfig)

func (*JwtProvider) SetLocalJwks 

func (x *JwtProvider) SetLocalJwks(v *v31.DataSource)

func (*JwtProvider) SetMaxLifetime 

func (x *JwtProvider) SetMaxLifetime(v *durationpb.Duration)

func (*JwtProvider) SetNormalizePayloadInMetadata 

func (x *JwtProvider) SetNormalizePayloadInMetadata(v *JwtProvider_NormalizePayload)

func (*JwtProvider) SetPadForwardPayloadHeader 

func (x *JwtProvider) SetPadForwardPayloadHeader(v bool)

func (*JwtProvider) SetPayloadInMetadata 

func (x *JwtProvider) SetPayloadInMetadata(v string)

func (*JwtProvider) SetRemoteJwks 

func (x *JwtProvider) SetRemoteJwks(v *RemoteJwks)

func (*JwtProvider) SetRequireExpiration 

func (x *JwtProvider) SetRequireExpiration(v bool)

func (*JwtProvider) SetSubjects 

func (x *JwtProvider) SetSubjects(v *v3.StringMatcher)

func (*JwtProvider) String 

func (x *JwtProvider) String() string

func (*JwtProvider) WhichJwksSourceSpecifier 

func (x *JwtProvider) WhichJwksSourceSpecifier() case_JwtProvider_JwksSourceSpecifier

type JwtProvider_LocalJwks 

type JwtProvider_LocalJwks struct {
	// JWKS is in local data source. It could be either in a local file or embedded in the
	// inline_string.
	//
	// Example: local file
	//
	// .. code-block:: yaml
	//
	//	local_jwks:
	//	  filename: /etc/envoy/jwks/jwks1.txt
	//
	// Example: inline_string
	//
	// .. code-block:: yaml
	//
	//	local_jwks:
	//	  inline_string: ACADADADADA
	LocalJwks *v31.DataSource `protobuf:"bytes,4,opt,name=local_jwks,json=localJwks,proto3,oneof"`
}

type JwtProvider_NormalizePayload 

type JwtProvider_NormalizePayload struct {

	// Each claim in this list will be interpreted as a space-delimited string
	// and converted to a list of strings based on the delimited values.
	// Example: a token with a claim “scope: "email profile"“ is translated
	// to dynamic metadata  “scope: ["email", "profile"]“ if this field is
	// set value “["scope"]“. This special handling of “scope“ is
	// recommended by `RFC8693
	// <https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim>`_.
	SpaceDelimitedClaims []string `protobuf:"bytes,1,rep,name=space_delimited_claims,json=spaceDelimitedClaims,proto3" json:"space_delimited_claims,omitempty"`
	// contains filtered or unexported fields
}

Alters the payload representation in the request dynamic metadata to facilitate its use in matching.

func (*JwtProvider_NormalizePayload) GetSpaceDelimitedClaims 

func (x *JwtProvider_NormalizePayload) GetSpaceDelimitedClaims() []string

func (*JwtProvider_NormalizePayload) ProtoMessage 

func (*JwtProvider_NormalizePayload) ProtoMessage()

func (*JwtProvider_NormalizePayload) ProtoReflect 

func (x *JwtProvider_NormalizePayload) ProtoReflect() protoreflect.Message

func (*JwtProvider_NormalizePayload) Reset 

func (x *JwtProvider_NormalizePayload) Reset()

func (*JwtProvider_NormalizePayload) SetSpaceDelimitedClaims 

func (x *JwtProvider_NormalizePayload) SetSpaceDelimitedClaims(v []string)

func (*JwtProvider_NormalizePayload) String 

func (x *JwtProvider_NormalizePayload) String() string

type JwtProvider_NormalizePayload_builder 

type JwtProvider_NormalizePayload_builder struct {

	// Each claim in this list will be interpreted as a space-delimited string
	// and converted to a list of strings based on the delimited values.
	// Example: a token with a claim “scope: "email profile"“ is translated
	// to dynamic metadata  “scope: ["email", "profile"]“ if this field is
	// set value “["scope"]“. This special handling of “scope“ is
	// recommended by `RFC8693
	// <https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim>`_.
	SpaceDelimitedClaims []string
	// contains filtered or unexported fields
}

func (JwtProvider_NormalizePayload_builder) Build 

func (b0 JwtProvider_NormalizePayload_builder) Build() *JwtProvider_NormalizePayload

type JwtProvider_RemoteJwks 

type JwtProvider_RemoteJwks struct {
	// JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
	// URI and how the fetched JWKS should be cached.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	remote_jwks:
	//	  http_uri:
	//	    uri: https://www.googleapis.com/oauth2/v1/certs
	//	    cluster: jwt.www.googleapis.com|443
	//	    timeout: 1s
	//	  cache_duration:
	//	    seconds: 300
	RemoteJwks *RemoteJwks `protobuf:"bytes,3,opt,name=remote_jwks,json=remoteJwks,proto3,oneof"`
}

type JwtProvider_builder 

type JwtProvider_builder struct {

	// Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
	// the JWT, usually a URL or an email address.
	//
	// It is optional. If specified, it has to match the “iss“ field in JWT,
	// otherwise the JWT “iss“ field is not checked.
	//
	// Note: “JwtRequirement“ :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
	// and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
	// are implemented differently than other “JwtRequirements“. Hence the usage of this field
	// is different as follows if “allow_missing“ or “allow_missing_or_failed“ is used:
	//
	// * If a JWT has “iss“ field, it needs to be specified by this field in one of “JwtProviders“.
	// * If a JWT doesn't have “iss“ field, one of “JwtProviders“ should fill this field empty.
	// * Multiple “JwtProviders“ should not have same value in this field.
	//
	// Example: https://securetoken.google.com
	// Example: 1234567-compute@developer.gserviceaccount.com
	Issuer string
	// The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
	// allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
	// will not check audiences in the token.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	audiences:
	//	- bookstore_android.apps.googleusercontent.com
	//	- bookstore_web.apps.googleusercontent.com
	Audiences []string
	// Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_
	// that the JwtProvider can assert. For instance, this could implement JWT-SVID
	// `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_.
	// If not specified, will not check subjects in the token.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	subjects:
	//	  prefix: spiffe://spiffe.example.com/
	Subjects *v3.StringMatcher
	// Requires that the credential contains an `expiration <https://tools.ietf.org/html/rfc7519#section-4.1.4>`_.
	// For instance, this could implement JWT-SVID
	// `expiration restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#33-expiration-time>`_.
	// Unlike “max_lifetime“, this only requires that expiration is present, where “max_lifetime“ also checks the value.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	require_expiration: true
	RequireExpiration bool
	// Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime
	// is the difference between the current time and the expiration of the credential. For instance,
	// the following example will reject credentials that have a lifetime longer than 24 hours. If not set,
	// expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence
	// over “require_expiration“.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	max_lifetime:
	//	  seconds: 86400
	MaxLifetime *durationpb.Duration

	// Fields of oneof JwksSourceSpecifier:
	// JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
	// URI and how the fetched JWKS should be cached.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	remote_jwks:
	//	  http_uri:
	//	    uri: https://www.googleapis.com/oauth2/v1/certs
	//	    cluster: jwt.www.googleapis.com|443
	//	    timeout: 1s
	//	  cache_duration:
	//	    seconds: 300
	RemoteJwks *RemoteJwks
	// JWKS is in local data source. It could be either in a local file or embedded in the
	// inline_string.
	//
	// Example: local file
	//
	// .. code-block:: yaml
	//
	//	local_jwks:
	//	  filename: /etc/envoy/jwks/jwks1.txt
	//
	// Example: inline_string
	//
	// .. code-block:: yaml
	//
	//	local_jwks:
	//	  inline_string: ACADADADADA
	LocalJwks *v31.DataSource
	// -- end of JwksSourceSpecifier
	// If false, the JWT is removed in the request after a success verification. If true, the JWT is
	// not removed in the request. Default value is false.
	// caveat: only works for from_header/from_params & has no effect for JWTs extracted through from_cookies.
	Forward bool
	// Two fields below define where to extract the JWT from an HTTP request.
	//
	// If no explicit location is specified, the following default locations are tried in order:
	//
	// 1. The Authorization header using the `Bearer schema
	// <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
	//
	//	Authorization: Bearer <token>.
	//
	// 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
	//
	// Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
	// its provider specified or from the default locations.
	//
	// Specify the HTTP headers to extract the JWT. For examples, following config:
	//
	// .. code-block:: yaml
	//
	//	from_headers:
	//	- name: x-goog-iap-jwt-assertion
	//
	// can be used to extract token from header::
	//
	//	“x-goog-iap-jwt-assertion: <JWT>“.
	FromHeaders []*JwtHeader
	// JWT is sent in a query parameter. “jwt_params“ represents the query parameter names.
	//
	// For example, if config is:
	//
	// .. code-block:: yaml
	//
	//	from_params:
	//	- jwt_token
	//
	// The JWT format in query parameter is::
	//
	//	/path?jwt_token=<JWT>
	FromParams []string
	// JWT is sent in a cookie. “from_cookies“ represents the cookie names to extract from.
	//
	// For example, if config is:
	//
	// .. code-block:: yaml
	//
	//	from_cookies:
	//	- auth-token
	//
	// Then JWT will be extracted from “auth-token“ cookie in the request.
	FromCookies []string
	// This field specifies the header name to forward a successfully verified JWT payload to the
	// backend. The forwarded data is::
	//
	//	base64url_encoded(jwt_payload_in_JSON)
	//
	// If it is not specified, the payload will not be forwarded.
	ForwardPayloadHeader string
	// When :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
	// is specified, the base64 encoded payload will be added to the headers.
	// Normally JWT based64 encode doesn't add padding. If this field is true,
	// the header will be padded.
	//
	// This field is only relevant if :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
	// is specified.
	PadForwardPayloadHeader bool
	// If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
	// in the format as: “namespace“ is the jwt_authn filter name as ““envoy.filters.http.jwt_authn““
	// The value is the “protobuf::Struct“. The value of this field will be the key for its “fields“
	// and the value is the “protobuf::Struct“ converted from JWT JSON payload.
	//
	// For example, if payload_in_metadata is “my_payload“:
	//
	// .. code-block:: yaml
	//
	//	envoy.filters.http.jwt_authn:
	//	  my_payload:
	//	    iss: https://example.com
	//	    sub: test@example.com
	//	    aud: https://example.com
	//	    exp: 1501281058
	PayloadInMetadata string
	// Normalizes the payload representation in the request metadata.
	NormalizePayloadInMetadata *JwtProvider_NormalizePayload
	// If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
	// a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
	// as an entry (“protobuf::Struct“) in “envoy.filters.http.jwt_authn“ “namespace“ with the
	// value of this field as the key.
	//
	// For example, if “header_in_metadata“ is “my_header“:
	//
	// .. code-block:: yaml
	//
	//	envoy.filters.http.jwt_authn:
	//	  my_header:
	//	    alg: JWT
	//	    kid: EF71iSaosbC5C4tC6Syq1Gm647M
	//	    alg: PS256
	//
	// When the metadata has “envoy.filters.http.jwt_authn“ entry already (for example if
	// :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
	// is not empty), it will be inserted as a new entry in the same “namespace“ as shown below:
	//
	// .. code-block:: yaml
	//
	//	envoy.filters.http.jwt_authn:
	//	  my_payload:
	//	    iss: https://example.com
	//	    sub: test@example.com
	//	    aud: https://example.com
	//	    exp: 1501281058
	//	  my_header:
	//	    alg: JWT
	//	    kid: EF71iSaosbC5C4tC6Syq1Gm647M
	//	    alg: PS256
	//
	// .. warning::
	//
	//	Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
	//	and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
	//	is not suggested due to potential override of existing entry, while it is not enforced during
	//	config validation.
	HeaderInMetadata string
	// If non empty, the failure status “::google::jwt_verify::Status“ for a non verified JWT will be written to StreamInfo DynamicMetadata
	// in the format as: “namespace“ is the jwt_authn filter name as “envoy.filters.http.jwt_authn“
	// The value is the “protobuf::Struct“. The values of this field will be “code“ and “message“
	// and they will contain the JWT authentication failure status code and a message describing the failure.
	//
	// For example, if failed_status_in_metadata is “my_auth_failure_status“:
	//
	// .. code-block:: yaml
	//
	//	envoy.filters.http.jwt_authn:
	//	  my_auth_failure_status:
	//	    code: 3
	//	    message: Jwt expired
	FailedStatusInMetadata string
	// Specify the clock skew in seconds when verifying JWT time constraint,
	// such as “exp“, and “nbf“. If not specified, default is 60 seconds.
	ClockSkewSeconds uint32
	// Enables JWT cache, its size is specified by “jwt_cache_size“.
	// Only valid JWTs are cached.
	JwtCacheConfig *JwtCacheConfig
	// Add JWT claim to HTTP Header
	// Specify the claim name you want to copy in which HTTP header. For examples, following config:
	// The claim must be of type; string, int, double, bool. Array type claims are not supported
	//
	// .. literalinclude:: /_configs/repo/jwt_authn.yaml
	//
	//	:language: yaml
	//	:lines: 44-48
	//	:linenos:
	//	:lineno-start: 44
	//	:caption: :download:`jwt_authn.yaml </_configs/repo/jwt_authn.yaml>`
	//
	// This header is only reserved for jwt claim; any other value will be overwritten.
	ClaimToHeaders []*JwtClaimToHeader
	// Clears route cache in order to allow the JWT to correctly affect
	// routing decisions. Filter clears all cached routes when:
	//
	// 1. The field is set to “true“.
	//
	//  2. At least one “claim_to_headers“ header is added to the request OR
	//     if “payload_in_metadata“ is set.
	ClearRouteCache bool
	// contains filtered or unexported fields
}

func (JwtProvider_builder) Build 

func (b0 JwtProvider_builder) Build() *JwtProvider

type JwtRequirement 

type JwtRequirement struct {

	// Types that are valid to be assigned to RequiresType:
	//
	//	*JwtRequirement_ProviderName
	//	*JwtRequirement_ProviderAndAudiences
	//	*JwtRequirement_RequiresAny
	//	*JwtRequirement_RequiresAll
	//	*JwtRequirement_AllowMissingOrFailed
	//	*JwtRequirement_AllowMissing
	RequiresType isJwtRequirement_RequiresType `protobuf_oneof:"requires_type"`
	// contains filtered or unexported fields
}

This message specifies a Jwt requirement. An empty message means JWT verification is not required. Here are some config examples:

.. code-block:: yaml 

# Example 1: not required with an empty message

# Example 2: require A
provider_name: provider-A

# Example 3: require A or B
requires_any:
  requirements:
    - provider_name: provider-A
    - provider_name: provider-B

# Example 4: require A and B
requires_all:
  requirements:
    - provider_name: provider-A
    - provider_name: provider-B

# Example 5: require A and (B or C)
requires_all:
  requirements:
    - provider_name: provider-A
    - requires_any:
      requirements:
        - provider_name: provider-B
        - provider_name: provider-C

# Example 6: require A or (B and C)
requires_any:
  requirements:
    - provider_name: provider-A
    - requires_all:
      requirements:
        - provider_name: provider-B
        - provider_name: provider-C

# Example 7: A is optional (if token from A is provided, it must be valid, but also allows
missing token.)
requires_any:
  requirements:
  - provider_name: provider-A
  - allow_missing: {}

# Example 8: A is optional and B is required.
requires_all:
  requirements:
  - requires_any:
      requirements:
      - provider_name: provider-A
      - allow_missing: {}
  - provider_name: provider-B

[#next-free-field: 7]

func (*JwtRequirement) ClearAllowMissing 

func (x *JwtRequirement) ClearAllowMissing()

func (*JwtRequirement) ClearAllowMissingOrFailed 

func (x *JwtRequirement) ClearAllowMissingOrFailed()

func (*JwtRequirement) ClearProviderAndAudiences 

func (x *JwtRequirement) ClearProviderAndAudiences()

func (*JwtRequirement) ClearProviderName 

func (x *JwtRequirement) ClearProviderName()

func (*JwtRequirement) ClearRequiresAll 

func (x *JwtRequirement) ClearRequiresAll()

func (*JwtRequirement) ClearRequiresAny 

func (x *JwtRequirement) ClearRequiresAny()

func (*JwtRequirement) ClearRequiresType 

func (x *JwtRequirement) ClearRequiresType()

func (*JwtRequirement) GetAllowMissing 

func (x *JwtRequirement) GetAllowMissing() *emptypb.Empty

func (*JwtRequirement) GetAllowMissingOrFailed 

func (x *JwtRequirement) GetAllowMissingOrFailed() *emptypb.Empty

func (*JwtRequirement) GetProviderAndAudiences 

func (x *JwtRequirement) GetProviderAndAudiences() *ProviderWithAudiences

func (*JwtRequirement) GetProviderName 

func (x *JwtRequirement) GetProviderName() string

func (*JwtRequirement) GetRequiresAll 

func (x *JwtRequirement) GetRequiresAll() *JwtRequirementAndList

func (*JwtRequirement) GetRequiresAny 

func (x *JwtRequirement) GetRequiresAny() *JwtRequirementOrList

func (*JwtRequirement) GetRequiresType 

func (x *JwtRequirement) GetRequiresType() isJwtRequirement_RequiresType

func (*JwtRequirement) HasAllowMissing 

func (x *JwtRequirement) HasAllowMissing() bool

func (*JwtRequirement) HasAllowMissingOrFailed 

func (x *JwtRequirement) HasAllowMissingOrFailed() bool

func (*JwtRequirement) HasProviderAndAudiences 

func (x *JwtRequirement) HasProviderAndAudiences() bool

func (*JwtRequirement) HasProviderName 

func (x *JwtRequirement) HasProviderName() bool

func (*JwtRequirement) HasRequiresAll 

func (x *JwtRequirement) HasRequiresAll() bool

func (*JwtRequirement) HasRequiresAny 

func (x *JwtRequirement) HasRequiresAny() bool

func (*JwtRequirement) HasRequiresType 

func (x *JwtRequirement) HasRequiresType() bool

func (*JwtRequirement) ProtoMessage 

func (*JwtRequirement) ProtoMessage()

func (*JwtRequirement) ProtoReflect 

func (x *JwtRequirement) ProtoReflect() protoreflect.Message

func (*JwtRequirement) Reset 

func (x *JwtRequirement) Reset()

func (*JwtRequirement) SetAllowMissing 

func (x *JwtRequirement) SetAllowMissing(v *emptypb.Empty)

func (*JwtRequirement) SetAllowMissingOrFailed 

func (x *JwtRequirement) SetAllowMissingOrFailed(v *emptypb.Empty)

func (*JwtRequirement) SetProviderAndAudiences 

func (x *JwtRequirement) SetProviderAndAudiences(v *ProviderWithAudiences)

func (*JwtRequirement) SetProviderName 

func (x *JwtRequirement) SetProviderName(v string)

func (*JwtRequirement) SetRequiresAll 

func (x *JwtRequirement) SetRequiresAll(v *JwtRequirementAndList)

func (*JwtRequirement) SetRequiresAny 

func (x *JwtRequirement) SetRequiresAny(v *JwtRequirementOrList)

func (*JwtRequirement) String 

func (x *JwtRequirement) String() string

func (*JwtRequirement) WhichRequiresType 

func (x *JwtRequirement) WhichRequiresType() case_JwtRequirement_RequiresType

type JwtRequirementAndList 

type JwtRequirementAndList struct {

	// Specify a list of JwtRequirement.
	Requirements []*JwtRequirement `protobuf:"bytes,1,rep,name=requirements,proto3" json:"requirements,omitempty"`
	// contains filtered or unexported fields
}

This message specifies a list of RequiredProvider. Their results are AND-ed; all of them must pass, if one of them fails or missing, it fails.

func (*JwtRequirementAndList) GetRequirements 

func (x *JwtRequirementAndList) GetRequirements() []*JwtRequirement

func (*JwtRequirementAndList) ProtoMessage 

func (*JwtRequirementAndList) ProtoMessage()

func (*JwtRequirementAndList) ProtoReflect 

func (x *JwtRequirementAndList) ProtoReflect() protoreflect.Message

func (*JwtRequirementAndList) Reset 

func (x *JwtRequirementAndList) Reset()

func (*JwtRequirementAndList) SetRequirements 

func (x *JwtRequirementAndList) SetRequirements(v []*JwtRequirement)

func (*JwtRequirementAndList) String 

func (x *JwtRequirementAndList) String() string

type JwtRequirementAndList_builder 

type JwtRequirementAndList_builder struct {

	// Specify a list of JwtRequirement.
	Requirements []*JwtRequirement
	// contains filtered or unexported fields
}

func (JwtRequirementAndList_builder) Build 

func (b0 JwtRequirementAndList_builder) Build() *JwtRequirementAndList

type JwtRequirementOrList 

type JwtRequirementOrList struct {

	// Specify a list of JwtRequirement.
	Requirements []*JwtRequirement `protobuf:"bytes,1,rep,name=requirements,proto3" json:"requirements,omitempty"`
	// contains filtered or unexported fields
}

This message specifies a list of RequiredProvider. Their results are OR-ed; if any one of them passes, the result is passed

func (*JwtRequirementOrList) GetRequirements 

func (x *JwtRequirementOrList) GetRequirements() []*JwtRequirement

func (*JwtRequirementOrList) ProtoMessage 

func (*JwtRequirementOrList) ProtoMessage()

func (*JwtRequirementOrList) ProtoReflect 

func (x *JwtRequirementOrList) ProtoReflect() protoreflect.Message

func (*JwtRequirementOrList) Reset 

func (x *JwtRequirementOrList) Reset()

func (*JwtRequirementOrList) SetRequirements 

func (x *JwtRequirementOrList) SetRequirements(v []*JwtRequirement)

func (*JwtRequirementOrList) String 

func (x *JwtRequirementOrList) String() string

type JwtRequirementOrList_builder 

type JwtRequirementOrList_builder struct {

	// Specify a list of JwtRequirement.
	Requirements []*JwtRequirement
	// contains filtered or unexported fields
}

func (JwtRequirementOrList_builder) Build 

func (b0 JwtRequirementOrList_builder) Build() *JwtRequirementOrList

type JwtRequirement_AllowMissing 

type JwtRequirement_AllowMissing struct {
	// The requirement is satisfied if JWT is missing, but failed if JWT is
	// presented but invalid. Similar to allow_missing_or_failed, this is used
	// to only verify JWTs and pass the verified payload to another filter. The
	// different is this mode will reject requests with invalid tokens.
	AllowMissing *emptypb.Empty `protobuf:"bytes,6,opt,name=allow_missing,json=allowMissing,proto3,oneof"`
}

type JwtRequirement_AllowMissingOrFailed 

type JwtRequirement_AllowMissingOrFailed struct {
	// The requirement is always satisfied even if JWT is missing or the JWT
	// verification fails. A typical usage is: this filter is used to only verify
	// JWTs and pass the verified JWT payloads to another filter, the other filter
	// will make decision. In this mode, all JWTs will be verified.
	AllowMissingOrFailed *emptypb.Empty `protobuf:"bytes,5,opt,name=allow_missing_or_failed,json=allowMissingOrFailed,proto3,oneof"`
}

type JwtRequirement_ProviderAndAudiences 

type JwtRequirement_ProviderAndAudiences struct {
	// Specify a required provider with audiences.
	ProviderAndAudiences *ProviderWithAudiences `protobuf:"bytes,2,opt,name=provider_and_audiences,json=providerAndAudiences,proto3,oneof"`
}

type JwtRequirement_ProviderName 

type JwtRequirement_ProviderName struct {
	// Specify a required provider name.
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3,oneof"`
}

type JwtRequirement_RequiresAll 

type JwtRequirement_RequiresAll struct {
	// Specify list of JwtRequirement. Their results are AND-ed.
	// All of them must pass, if one of them fails or missing, it fails.
	RequiresAll *JwtRequirementAndList `protobuf:"bytes,4,opt,name=requires_all,json=requiresAll,proto3,oneof"`
}

type JwtRequirement_RequiresAny 

type JwtRequirement_RequiresAny struct {
	// Specify list of JwtRequirement. Their results are OR-ed.
	// If any one of them passes, the result is passed.
	RequiresAny *JwtRequirementOrList `protobuf:"bytes,3,opt,name=requires_any,json=requiresAny,proto3,oneof"`
}

type JwtRequirement_builder 

type JwtRequirement_builder struct {

	// Fields of oneof RequiresType:
	// Specify a required provider name.
	ProviderName *string
	// Specify a required provider with audiences.
	ProviderAndAudiences *ProviderWithAudiences
	// Specify list of JwtRequirement. Their results are OR-ed.
	// If any one of them passes, the result is passed.
	RequiresAny *JwtRequirementOrList
	// Specify list of JwtRequirement. Their results are AND-ed.
	// All of them must pass, if one of them fails or missing, it fails.
	RequiresAll *JwtRequirementAndList
	// The requirement is always satisfied even if JWT is missing or the JWT
	// verification fails. A typical usage is: this filter is used to only verify
	// JWTs and pass the verified JWT payloads to another filter, the other filter
	// will make decision. In this mode, all JWTs will be verified.
	AllowMissingOrFailed *emptypb.Empty
	// The requirement is satisfied if JWT is missing, but failed if JWT is
	// presented but invalid. Similar to allow_missing_or_failed, this is used
	// to only verify JWTs and pass the verified payload to another filter. The
	// different is this mode will reject requests with invalid tokens.
	AllowMissing *emptypb.Empty
	// contains filtered or unexported fields
}

func (JwtRequirement_builder) Build 

func (b0 JwtRequirement_builder) Build() *JwtRequirement

type PerRouteConfig 

type PerRouteConfig struct {

	// Types that are valid to be assigned to RequirementSpecifier:
	//
	//	*PerRouteConfig_Disabled
	//	*PerRouteConfig_RequirementName
	RequirementSpecifier isPerRouteConfig_RequirementSpecifier `protobuf_oneof:"requirement_specifier"`
	// contains filtered or unexported fields
}

Specify per-route config.

func (*PerRouteConfig) ClearDisabled 

func (x *PerRouteConfig) ClearDisabled()

func (*PerRouteConfig) ClearRequirementName 

func (x *PerRouteConfig) ClearRequirementName()

func (*PerRouteConfig) ClearRequirementSpecifier 

func (x *PerRouteConfig) ClearRequirementSpecifier()

func (*PerRouteConfig) GetDisabled 

func (x *PerRouteConfig) GetDisabled() bool

func (*PerRouteConfig) GetRequirementName 

func (x *PerRouteConfig) GetRequirementName() string

func (*PerRouteConfig) GetRequirementSpecifier 

func (x *PerRouteConfig) GetRequirementSpecifier() isPerRouteConfig_RequirementSpecifier

func (*PerRouteConfig) HasDisabled 

func (x *PerRouteConfig) HasDisabled() bool

func (*PerRouteConfig) HasRequirementName 

func (x *PerRouteConfig) HasRequirementName() bool

func (*PerRouteConfig) HasRequirementSpecifier 

func (x *PerRouteConfig) HasRequirementSpecifier() bool

func (*PerRouteConfig) ProtoMessage 

func (*PerRouteConfig) ProtoMessage()

func (*PerRouteConfig) ProtoReflect 

func (x *PerRouteConfig) ProtoReflect() protoreflect.Message

func (*PerRouteConfig) Reset 

func (x *PerRouteConfig) Reset()

func (*PerRouteConfig) SetDisabled 

func (x *PerRouteConfig) SetDisabled(v bool)

func (*PerRouteConfig) SetRequirementName 

func (x *PerRouteConfig) SetRequirementName(v string)

func (*PerRouteConfig) String 

func (x *PerRouteConfig) String() string

func (*PerRouteConfig) WhichRequirementSpecifier 

func (x *PerRouteConfig) WhichRequirementSpecifier() case_PerRouteConfig_RequirementSpecifier

type PerRouteConfig_Disabled 

type PerRouteConfig_Disabled struct {
	// Disable Jwt Authentication for this route.
	Disabled bool `protobuf:"varint,1,opt,name=disabled,proto3,oneof"`
}

type PerRouteConfig_RequirementName 

type PerRouteConfig_RequirementName struct {
	// Use requirement_name to specify a JwtRequirement.
	// This requirement_name MUST be specified at the
	// :ref:`requirement_map <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.requirement_map>`
	// in “JwtAuthentication“. If no, the requests using this route will be rejected with 403.
	RequirementName string `protobuf:"bytes,2,opt,name=requirement_name,json=requirementName,proto3,oneof"`
}

type PerRouteConfig_builder 

type PerRouteConfig_builder struct {

	// Fields of oneof RequirementSpecifier:
	// Disable Jwt Authentication for this route.
	Disabled *bool
	// Use requirement_name to specify a JwtRequirement.
	// This requirement_name MUST be specified at the
	// :ref:`requirement_map <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.requirement_map>`
	// in “JwtAuthentication“. If no, the requests using this route will be rejected with 403.
	RequirementName *string
	// contains filtered or unexported fields
}

func (PerRouteConfig_builder) Build 

func (b0 PerRouteConfig_builder) Build() *PerRouteConfig

type ProviderWithAudiences 

type ProviderWithAudiences struct {

	// Specify a required provider name.
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3" json:"provider_name,omitempty"`
	// This field overrides the one specified in the JwtProvider.
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// contains filtered or unexported fields
}

Specify a required provider with audiences.

func (*ProviderWithAudiences) GetAudiences 

func (x *ProviderWithAudiences) GetAudiences() []string

func (*ProviderWithAudiences) GetProviderName 

func (x *ProviderWithAudiences) GetProviderName() string

func (*ProviderWithAudiences) ProtoMessage 

func (*ProviderWithAudiences) ProtoMessage()

func (*ProviderWithAudiences) ProtoReflect 

func (x *ProviderWithAudiences) ProtoReflect() protoreflect.Message

func (*ProviderWithAudiences) Reset 

func (x *ProviderWithAudiences) Reset()

func (*ProviderWithAudiences) SetAudiences 

func (x *ProviderWithAudiences) SetAudiences(v []string)

func (*ProviderWithAudiences) SetProviderName 

func (x *ProviderWithAudiences) SetProviderName(v string)

func (*ProviderWithAudiences) String 

func (x *ProviderWithAudiences) String() string

type ProviderWithAudiences_builder 

type ProviderWithAudiences_builder struct {

	// Specify a required provider name.
	ProviderName string
	// This field overrides the one specified in the JwtProvider.
	Audiences []string
	// contains filtered or unexported fields
}

func (ProviderWithAudiences_builder) Build 

func (b0 ProviderWithAudiences_builder) Build() *ProviderWithAudiences

type RemoteJwks 

type RemoteJwks struct {

	// The HTTP URI to fetch the JWKS. For example:
	//
	// .. code-block:: yaml
	//
	//	http_uri:
	//	  uri: https://www.googleapis.com/oauth2/v1/certs
	//	  cluster: jwt.www.googleapis.com|443
	//	  timeout: 1s
	HttpUri *v31.HttpUri `protobuf:"bytes,1,opt,name=http_uri,json=httpUri,proto3" json:"http_uri,omitempty"`
	// Duration after which the cached JWKS should be expired. If not specified, default cache
	// duration is 10 minutes.
	CacheDuration *durationpb.Duration `protobuf:"bytes,2,opt,name=cache_duration,json=cacheDuration,proto3" json:"cache_duration,omitempty"`
	// Fetch Jwks asynchronously in the main thread before the listener is activated.
	// Fetched Jwks can be used by all worker threads.
	//
	// If this feature is not enabled:
	//
	//   - The Jwks is fetched on-demand when the requests come. During the fetching, first
	//     few requests are paused until the Jwks is fetched.
	//   - Each worker thread fetches its own Jwks since Jwks cache is per worker thread.
	//
	// If this feature is enabled:
	//
	//   - Fetched Jwks is done in the main thread before the listener is activated. Its fetched
	//     Jwks can be used by all worker threads. Each worker thread doesn't need to fetch its own.
	//   - Jwks is ready when the requests come, not need to wait for the Jwks fetching.
	AsyncFetch *JwksAsyncFetch `protobuf:"bytes,3,opt,name=async_fetch,json=asyncFetch,proto3" json:"async_fetch,omitempty"`
	// Retry policy for fetching Jwks. optional. turned off by default.
	//
	// For example:
	//
	// .. code-block:: yaml
	//
	//	retry_policy:
	//	  retry_back_off:
	//	    base_interval: 0.01s
	//	    max_interval: 20s
	//	  num_retries: 10
	//
	// will yield a randomized truncated exponential backoff policy with an initial delay of 10ms
	// 10 maximum attempts spaced at most 20s seconds.
	//
	// .. code-block:: yaml
	//
	//	retry_policy:
	//	  num_retries:1
	//
	// uses the default :ref:`retry backoff strategy <envoy_v3_api_msg_config.core.v3.BackoffStrategy>`.
	// with the default base interval is 1000 milliseconds. and the default maximum interval of 10 times the base interval.
	//
	// if num_retries is omitted, the default is to allow only one retry.
	//
	// If enabled, the retry policy will apply to all Jwks fetching approaches, e.g. on demand or asynchronously in background.
	RetryPolicy *v31.RetryPolicy `protobuf:"bytes,4,opt,name=retry_policy,json=retryPolicy,proto3" json:"retry_policy,omitempty"`
	// contains filtered or unexported fields
}

This message specifies how to fetch JWKS from remote and how to cache it.

func (*RemoteJwks) ClearAsyncFetch 

func (x *RemoteJwks) ClearAsyncFetch()

func (*RemoteJwks) ClearCacheDuration 

func (x *RemoteJwks) ClearCacheDuration()

func (*RemoteJwks) ClearHttpUri 

func (x *RemoteJwks) ClearHttpUri()

func (*RemoteJwks) ClearRetryPolicy 

func (x *RemoteJwks) ClearRetryPolicy()

func (*RemoteJwks) GetAsyncFetch 

func (x *RemoteJwks) GetAsyncFetch() *JwksAsyncFetch

func (*RemoteJwks) GetCacheDuration 

func (x *RemoteJwks) GetCacheDuration() *durationpb.Duration

func (*RemoteJwks) GetHttpUri 

func (x *RemoteJwks) GetHttpUri() *v31.HttpUri

func (*RemoteJwks) GetRetryPolicy 

func (x *RemoteJwks) GetRetryPolicy() *v31.RetryPolicy

func (*RemoteJwks) HasAsyncFetch 

func (x *RemoteJwks) HasAsyncFetch() bool

func (*RemoteJwks) HasCacheDuration 

func (x *RemoteJwks) HasCacheDuration() bool

func (*RemoteJwks) HasHttpUri 

func (x *RemoteJwks) HasHttpUri() bool

func (*RemoteJwks) HasRetryPolicy 

func (x *RemoteJwks) HasRetryPolicy() bool

func (*RemoteJwks) ProtoMessage 

func (*RemoteJwks) ProtoMessage()

func (*RemoteJwks) ProtoReflect 

func (x *RemoteJwks) ProtoReflect() protoreflect.Message

func (*RemoteJwks) Reset 

func (x *RemoteJwks) Reset()

func (*RemoteJwks) SetAsyncFetch 

func (x *RemoteJwks) SetAsyncFetch(v *JwksAsyncFetch)

func (*RemoteJwks) SetCacheDuration 

func (x *RemoteJwks) SetCacheDuration(v *durationpb.Duration)

func (*RemoteJwks) SetHttpUri 

func (x *RemoteJwks) SetHttpUri(v *v31.HttpUri)

func (*RemoteJwks) SetRetryPolicy 

func (x *RemoteJwks) SetRetryPolicy(v *v31.RetryPolicy)

func (*RemoteJwks) String 

func (x *RemoteJwks) String() string

type RemoteJwks_builder 

type RemoteJwks_builder struct {

	// The HTTP URI to fetch the JWKS. For example:
	//
	// .. code-block:: yaml
	//
	//	http_uri:
	//	  uri: https://www.googleapis.com/oauth2/v1/certs
	//	  cluster: jwt.www.googleapis.com|443
	//	  timeout: 1s
	HttpUri *v31.HttpUri
	// Duration after which the cached JWKS should be expired. If not specified, default cache
	// duration is 10 minutes.
	CacheDuration *durationpb.Duration
	// Fetch Jwks asynchronously in the main thread before the listener is activated.
	// Fetched Jwks can be used by all worker threads.
	//
	// If this feature is not enabled:
	//
	//   - The Jwks is fetched on-demand when the requests come. During the fetching, first
	//     few requests are paused until the Jwks is fetched.
	//   - Each worker thread fetches its own Jwks since Jwks cache is per worker thread.
	//
	// If this feature is enabled:
	//
	//   - Fetched Jwks is done in the main thread before the listener is activated. Its fetched
	//     Jwks can be used by all worker threads. Each worker thread doesn't need to fetch its own.
	//   - Jwks is ready when the requests come, not need to wait for the Jwks fetching.
	AsyncFetch *JwksAsyncFetch
	// Retry policy for fetching Jwks. optional. turned off by default.
	//
	// For example:
	//
	// .. code-block:: yaml
	//
	//	retry_policy:
	//	  retry_back_off:
	//	    base_interval: 0.01s
	//	    max_interval: 20s
	//	  num_retries: 10
	//
	// will yield a randomized truncated exponential backoff policy with an initial delay of 10ms
	// 10 maximum attempts spaced at most 20s seconds.
	//
	// .. code-block:: yaml
	//
	//	retry_policy:
	//	  num_retries:1
	//
	// uses the default :ref:`retry backoff strategy <envoy_v3_api_msg_config.core.v3.BackoffStrategy>`.
	// with the default base interval is 1000 milliseconds. and the default maximum interval of 10 times the base interval.
	//
	// if num_retries is omitted, the default is to allow only one retry.
	//
	// If enabled, the retry policy will apply to all Jwks fetching approaches, e.g. on demand or asynchronously in background.
	RetryPolicy *v31.RetryPolicy
	// contains filtered or unexported fields
}

func (RemoteJwks_builder) Build 

func (b0 RemoteJwks_builder) Build() *RemoteJwks

type RequirementRule 

type RequirementRule struct {

	// The route matching parameter. Only when the match is satisfied, the "requires" field will
	// apply.
	//
	// For example: following match will match all requests.
	//
	// .. code-block:: yaml
	//
	//	match:
	//	  prefix: /
	Match *v32.RouteMatch `protobuf:"bytes,1,opt,name=match,proto3" json:"match,omitempty"`
	// Specify a Jwt requirement.
	// If not specified, Jwt verification is disabled.
	//
	// Types that are valid to be assigned to RequirementType:
	//
	//	*RequirementRule_Requires
	//	*RequirementRule_RequirementName
	RequirementType isRequirementRule_RequirementType `protobuf_oneof:"requirement_type"`
	// contains filtered or unexported fields
}

This message specifies a Jwt requirement for a specific Route condition. Example 1:

.. code-block:: yaml

  • match: prefix: /healthz

In above example, "requires" field is empty for /healthz prefix match, it means that requests matching the path prefix don't require JWT authentication.

Example 2:

.. code-block:: yaml

  • match: prefix: / requires: { provider_name: provider-A }

In above example, all requests matched the path prefix require jwt authentication from "provider-A".

func (*RequirementRule) ClearMatch 

func (x *RequirementRule) ClearMatch()

func (*RequirementRule) ClearRequirementName 

func (x *RequirementRule) ClearRequirementName()

func (*RequirementRule) ClearRequirementType 

func (x *RequirementRule) ClearRequirementType()

func (*RequirementRule) ClearRequires 

func (x *RequirementRule) ClearRequires()

func (*RequirementRule) GetMatch 

func (x *RequirementRule) GetMatch() *v32.RouteMatch

func (*RequirementRule) GetRequirementName 

func (x *RequirementRule) GetRequirementName() string

func (*RequirementRule) GetRequirementType 

func (x *RequirementRule) GetRequirementType() isRequirementRule_RequirementType

func (*RequirementRule) GetRequires 

func (x *RequirementRule) GetRequires() *JwtRequirement

func (*RequirementRule) HasMatch 

func (x *RequirementRule) HasMatch() bool

func (*RequirementRule) HasRequirementName 

func (x *RequirementRule) HasRequirementName() bool

func (*RequirementRule) HasRequirementType 

func (x *RequirementRule) HasRequirementType() bool

func (*RequirementRule) HasRequires 

func (x *RequirementRule) HasRequires() bool

func (*RequirementRule) ProtoMessage 

func (*RequirementRule) ProtoMessage()

func (*RequirementRule) ProtoReflect 

func (x *RequirementRule) ProtoReflect() protoreflect.Message

func (*RequirementRule) Reset 

func (x *RequirementRule) Reset()

func (*RequirementRule) SetMatch 

func (x *RequirementRule) SetMatch(v *v32.RouteMatch)

func (*RequirementRule) SetRequirementName 

func (x *RequirementRule) SetRequirementName(v string)

func (*RequirementRule) SetRequires 

func (x *RequirementRule) SetRequires(v *JwtRequirement)

func (*RequirementRule) String 

func (x *RequirementRule) String() string

func (*RequirementRule) WhichRequirementType 

func (x *RequirementRule) WhichRequirementType() case_RequirementRule_RequirementType

type RequirementRule_RequirementName 

type RequirementRule_RequirementName struct {
	// Use requirement_name to specify a Jwt requirement.
	// This requirement_name MUST be specified at the
	// :ref:`requirement_map <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.requirement_map>`
	// in “JwtAuthentication“.
	RequirementName string `protobuf:"bytes,3,opt,name=requirement_name,json=requirementName,proto3,oneof"`
}

type RequirementRule_Requires 

type RequirementRule_Requires struct {
	// Specify a Jwt requirement. Please see detail comment in message JwtRequirement.
	Requires *JwtRequirement `protobuf:"bytes,2,opt,name=requires,proto3,oneof"`
}

type RequirementRule_builder 

type RequirementRule_builder struct {

	// The route matching parameter. Only when the match is satisfied, the "requires" field will
	// apply.
	//
	// For example: following match will match all requests.
	//
	// .. code-block:: yaml
	//
	//	match:
	//	  prefix: /
	Match *v32.RouteMatch

	// Fields of oneof RequirementType:
	// Specify a Jwt requirement. Please see detail comment in message JwtRequirement.
	Requires *JwtRequirement
	// Use requirement_name to specify a Jwt requirement.
	// This requirement_name MUST be specified at the
	// :ref:`requirement_map <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.requirement_map>`
	// in “JwtAuthentication“.
	RequirementName *string
	// contains filtered or unexported fields
}

func (RequirementRule_builder) Build 

func (b0 RequirementRule_builder) Build() *RequirementRule

Source Files

  • config.pb.go

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.