Documentation ¶
Index ¶
- Variables
- type FilterStateRule
- func (*FilterStateRule) Descriptor() ([]byte, []int)deprecated
- func (x *FilterStateRule) GetName() string
- func (x *FilterStateRule) GetRequires() map[string]*JwtRequirement
- func (*FilterStateRule) ProtoMessage()
- func (x *FilterStateRule) ProtoReflect() protoreflect.Message
- func (x *FilterStateRule) Reset()
- func (x *FilterStateRule) String() string
- type JwtAuthentication
- func (*JwtAuthentication) Descriptor() ([]byte, []int)deprecated
- func (x *JwtAuthentication) GetBypassCorsPreflight() bool
- func (x *JwtAuthentication) GetFilterStateRules() *FilterStateRule
- func (x *JwtAuthentication) GetProviders() map[string]*JwtProvider
- func (x *JwtAuthentication) GetRules() []*RequirementRule
- func (*JwtAuthentication) ProtoMessage()
- func (x *JwtAuthentication) ProtoReflect() protoreflect.Message
- func (x *JwtAuthentication) Reset()
- func (x *JwtAuthentication) String() string
- type JwtHeader
- type JwtProvider
- func (*JwtProvider) Descriptor() ([]byte, []int)deprecated
- func (x *JwtProvider) GetAudiences() []string
- func (x *JwtProvider) GetForward() bool
- func (x *JwtProvider) GetForwardPayloadHeader() string
- func (x *JwtProvider) GetFromHeaders() []*JwtHeader
- func (x *JwtProvider) GetFromParams() []string
- func (x *JwtProvider) GetIssuer() string
- func (m *JwtProvider) GetJwksSourceSpecifier() isJwtProvider_JwksSourceSpecifier
- func (x *JwtProvider) GetLocalJwks() *core.DataSource
- func (x *JwtProvider) GetPayloadInMetadata() string
- func (x *JwtProvider) GetRemoteJwks() *RemoteJwks
- func (*JwtProvider) ProtoMessage()
- func (x *JwtProvider) ProtoReflect() protoreflect.Message
- func (x *JwtProvider) Reset()
- func (x *JwtProvider) String() string
- type JwtProvider_LocalJwks
- type JwtProvider_RemoteJwks
- type JwtRequirement
- func (*JwtRequirement) Descriptor() ([]byte, []int)deprecated
- func (x *JwtRequirement) GetAllowMissing() *emptypb.Empty
- func (x *JwtRequirement) GetAllowMissingOrFailed() *emptypb.Empty
- func (x *JwtRequirement) GetProviderAndAudiences() *ProviderWithAudiences
- func (x *JwtRequirement) GetProviderName() string
- func (x *JwtRequirement) GetRequiresAll() *JwtRequirementAndList
- func (x *JwtRequirement) GetRequiresAny() *JwtRequirementOrList
- func (m *JwtRequirement) GetRequiresType() isJwtRequirement_RequiresType
- func (*JwtRequirement) ProtoMessage()
- func (x *JwtRequirement) ProtoReflect() protoreflect.Message
- func (x *JwtRequirement) Reset()
- func (x *JwtRequirement) String() string
- type JwtRequirementAndList
- func (*JwtRequirementAndList) Descriptor() ([]byte, []int)deprecated
- func (x *JwtRequirementAndList) GetRequirements() []*JwtRequirement
- func (*JwtRequirementAndList) ProtoMessage()
- func (x *JwtRequirementAndList) ProtoReflect() protoreflect.Message
- func (x *JwtRequirementAndList) Reset()
- func (x *JwtRequirementAndList) String() string
- type JwtRequirementOrList
- func (*JwtRequirementOrList) Descriptor() ([]byte, []int)deprecated
- func (x *JwtRequirementOrList) GetRequirements() []*JwtRequirement
- func (*JwtRequirementOrList) ProtoMessage()
- func (x *JwtRequirementOrList) ProtoReflect() protoreflect.Message
- func (x *JwtRequirementOrList) Reset()
- func (x *JwtRequirementOrList) String() string
- type JwtRequirement_AllowMissing
- type JwtRequirement_AllowMissingOrFailed
- type JwtRequirement_ProviderAndAudiences
- type JwtRequirement_ProviderName
- type JwtRequirement_RequiresAll
- type JwtRequirement_RequiresAny
- type ProviderWithAudiences
- func (*ProviderWithAudiences) Descriptor() ([]byte, []int)deprecated
- func (x *ProviderWithAudiences) GetAudiences() []string
- func (x *ProviderWithAudiences) GetProviderName() string
- func (*ProviderWithAudiences) ProtoMessage()
- func (x *ProviderWithAudiences) ProtoReflect() protoreflect.Message
- func (x *ProviderWithAudiences) Reset()
- func (x *ProviderWithAudiences) String() string
- type RemoteJwks
- func (*RemoteJwks) Descriptor() ([]byte, []int)deprecated
- func (x *RemoteJwks) GetCacheDuration() *durationpb.Duration
- func (x *RemoteJwks) GetHttpUri() *core.HttpUri
- func (*RemoteJwks) ProtoMessage()
- func (x *RemoteJwks) ProtoReflect() protoreflect.Message
- func (x *RemoteJwks) Reset()
- func (x *RemoteJwks) String() string
- type RequirementRule
- func (*RequirementRule) Descriptor() ([]byte, []int)deprecated
- func (x *RequirementRule) GetMatch() *route.RouteMatch
- func (x *RequirementRule) GetRequires() *JwtRequirement
- func (*RequirementRule) ProtoMessage()
- func (x *RequirementRule) ProtoReflect() protoreflect.Message
- func (x *RequirementRule) Reset()
- func (x *RequirementRule) String() string
Constants ¶
This section is empty.
Variables ¶
// File_envoy_config_filter_http_jwt_authn_v2alpha_config_proto is the exported
// protoreflect.FileDescriptor of this package. Judging by its name it describes
// envoy/config/filter/http/jwt_authn/v2alpha/config.proto (the .proto itself is
// not shown on this page).
var File_envoy_config_filter_http_jwt_authn_v2alpha_config_proto protoreflect.FileDescriptor
Functions ¶
This section is empty.
Types ¶
type FilterStateRule ¶
// FilterStateRule selects a JwtRequirement at request time from a string value
// that another HTTP filter stored in the stream's FilterState.
//
// NOTE(review): the lookup key is written by other filters, so whichever filter
// sets it effectively chooses the JWT requirement for the request. What happens
// when the stored value has no entry in Requires is not stated here; confirm
// before relying on this rule for enforcement.
type FilterStateRule struct {
	// The filter state name to retrieve the `Router::StringAccessor` object.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// A map of string keys to requirements. The string key is the string value
	// in the FilterState with the name specified in the *name* field above.
	Requires map[string]*JwtRequirement `` /* 157-byte string literal not displayed */
	// contains filtered or unexported fields
}
This message specifies JWT requirements based on stream_info.filterState. The FilterState entry should use a `Router::StringAccessor` object to set a string value. Other HTTP filters can use it to specify JWT requirements dynamically.
Example:
.. code-block:: yaml
  name: jwt_selector
  requires:
    issuer_1:
      provider_name: issuer1
    issuer_2:
      provider_name: issuer2
If a filter sets "jwt_selector" to "issuer_1" in the FilterState for a request, the jwt_authn filter will use JwtRequirement{"provider_name": "issuer1"} to verify it.
func (*FilterStateRule) Descriptor
deprecated
func (*FilterStateRule) Descriptor() ([]byte, []int)
Deprecated: Use FilterStateRule.ProtoReflect.Descriptor instead.
func (*FilterStateRule) GetName ¶
func (x *FilterStateRule) GetName() string
func (*FilterStateRule) GetRequires ¶
func (x *FilterStateRule) GetRequires() map[string]*JwtRequirement
func (*FilterStateRule) ProtoMessage ¶
func (*FilterStateRule) ProtoMessage()
func (*FilterStateRule) ProtoReflect ¶
func (x *FilterStateRule) ProtoReflect() protoreflect.Message
func (*FilterStateRule) Reset ¶
func (x *FilterStateRule) Reset()
func (*FilterStateRule) String ¶
func (x *FilterStateRule) String() string
type JwtAuthentication ¶
// JwtAuthentication is the Envoy HTTP filter config for JWT authentication.
// It holds the named providers, the route-based requirement rules, an optional
// FilterState-driven rule, and the CORS preflight bypass switch.
type JwtAuthentication struct {
	// Map of provider names to JwtProviders.
	//
	// .. code-block:: yaml
	//
	//   providers:
	//     provider1:
	//       issuer: issuer1
	//       audiences:
	//       - audience1
	//       - audience2
	//       remote_jwks:
	//         http_uri:
	//           uri: https://example.com/.well-known/jwks.json
	//           cluster: example_jwks_cluster
	//     provider2:
	//       issuer: provider2
	//       local_jwks:
	//         inline_string: jwks_string
	Providers map[string]*JwtProvider `` /* 159-byte string literal not displayed */
	// Specifies requirements based on the route matches. The first matched requirement will be
	// applied. If there are overlapped match conditions, please put the most specific match first.
	//
	// # Examples
	//
	// .. code-block:: yaml
	//
	//   rules:
	//     - match:
	//         prefix: /healthz
	//     - match:
	//         prefix: /baz
	//       requires:
	//         provider_name: provider1
	//     - match:
	//         prefix: /foo
	//       requires:
	//         requires_any:
	//           requirements:
	//             - provider_name: provider1
	//             - provider_name: provider2
	//     - match:
	//         prefix: /bar
	//       requires:
	//         requires_all:
	//           requirements:
	//             - provider_name: provider1
	//             - provider_name: provider2
	//
	// NOTE(review): a rule without "requires" (the /healthz entry above) means no JWT is
	// required for every path that matches it, and because the first match wins, a broad
	// unauthenticated rule placed early shadows stricter rules below it. What applies to a
	// request that matches no rule is not stated here; confirm it, or end the list with a
	// catch-all "prefix: /" rule as the package-level example does.
	Rules []*RequirementRule `protobuf:"bytes,2,rep,name=rules,proto3" json:"rules,omitempty"`
	// This message specifies Jwt requirements based on stream_info.filterState.
	// Other HTTP filters can use it to specify Jwt requirements dynamically.
	// The *rules* field above is checked first, if it could not find any matches,
	// check this one.
	FilterStateRules *FilterStateRule `protobuf:"bytes,3,opt,name=filter_state_rules,json=filterStateRules,proto3" json:"filter_state_rules,omitempty"`
	// When set to true, bypass the `CORS preflight request
	// <http://www.w3.org/TR/cors/#cross-origin-request-with-preflight>`_ regardless of JWT
	// requirements specified in the rules.
	//
	// NOTE(review): this exempts a class of requests from every rule above. How a request is
	// classified as a preflight is not stated here; confirm that it cannot be met by a request
	// the backend would treat as a real call.
	BypassCorsPreflight bool `protobuf:"varint,4,opt,name=bypass_cors_preflight,json=bypassCorsPreflight,proto3" json:"bypass_cors_preflight,omitempty"`
	// contains filtered or unexported fields
}
This is the Envoy HTTP filter config for JWT authentication.
For example:
.. code-block:: yaml
  providers:
    provider1:
      issuer: issuer1
      audiences:
      - audience1
      - audience2
      remote_jwks:
        http_uri:
          uri: https://example.com/.well-known/jwks.json
          cluster: example_jwks_cluster
    provider2:
      issuer: issuer2
      local_jwks:
        inline_string: jwks_string
  rules:
    # No JWT verification is required for the /health path
    - match:
        prefix: /health
    # JWT verification for provider1 is required for paths prefixed with "prefix"
    - match:
        prefix: /prefix
      requires:
        provider_name: provider1
    # JWT verification for either provider1 or provider2 is required for all other requests.
    - match:
        prefix: /
      requires:
        requires_any:
          requirements:
            - provider_name: provider1
            - provider_name: provider2
func (*JwtAuthentication) Descriptor
deprecated
func (*JwtAuthentication) Descriptor() ([]byte, []int)
Deprecated: Use JwtAuthentication.ProtoReflect.Descriptor instead.
func (*JwtAuthentication) GetBypassCorsPreflight ¶
func (x *JwtAuthentication) GetBypassCorsPreflight() bool
func (*JwtAuthentication) GetFilterStateRules ¶
func (x *JwtAuthentication) GetFilterStateRules() *FilterStateRule
func (*JwtAuthentication) GetProviders ¶
func (x *JwtAuthentication) GetProviders() map[string]*JwtProvider
func (*JwtAuthentication) GetRules ¶
func (x *JwtAuthentication) GetRules() []*RequirementRule
func (*JwtAuthentication) ProtoMessage ¶
func (*JwtAuthentication) ProtoMessage()
func (*JwtAuthentication) ProtoReflect ¶
func (x *JwtAuthentication) ProtoReflect() protoreflect.Message
func (*JwtAuthentication) Reset ¶
func (x *JwtAuthentication) Reset()
func (*JwtAuthentication) String ¶
func (x *JwtAuthentication) String() string
type JwtHeader ¶
// JwtHeader specifies an HTTP header location from which a JWT is extracted:
// the header name plus the literal prefix that precedes the token in its value.
type JwtHeader struct {
	// The HTTP header name.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// The value prefix. The value format is "value_prefix<token>"
	// For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
	// end.
	ValuePrefix string `protobuf:"bytes,2,opt,name=value_prefix,json=valuePrefix,proto3" json:"value_prefix,omitempty"`
	// contains filtered or unexported fields
}
This message specifies a header location from which to extract the JWT.
func (*JwtHeader) ProtoReflect ¶
func (x *JwtHeader) ProtoReflect() protoreflect.Message
type JwtProvider ¶
// JwtProvider specifies how a JWT from one issuer is verified: the expected
// issuer, the allowed audiences, where the JWKS used for signature validation
// comes from, where the token is extracted from in the request, and how the
// verified payload is passed on.
type JwtProvider struct {
	// Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
	// the JWT, usually a URL or an email address.
	//
	// Example: https://securetoken.google.com
	// Example: 1234567-compute@developer.gserviceaccount.com
	Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
	// allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
	// will not check audiences in the token.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//   audiences:
	//   - bookstore_android.apps.googleusercontent.com
	//   - bookstore_web.apps.googleusercontent.com
	//
	// NOTE(review): leaving this empty disables the audience check, so a token from this
	// issuer that passes the other checks is accepted regardless of which service it was
	// issued for. Set it unless that is intended.
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// `JSON Web Key Set (JWKS) <https://tools.ietf.org/html/rfc7517#appendix-A>`_ is needed to
	// validate signature of a JWT. This field specifies where to fetch JWKS.
	//
	// Types that are assignable to JwksSourceSpecifier:
	//
	//	*JwtProvider_RemoteJwks
	//	*JwtProvider_LocalJwks
	JwksSourceSpecifier isJwtProvider_JwksSourceSpecifier `protobuf_oneof:"jwks_source_specifier"`
	// If false, the JWT is removed in the request after a success verification. If true, the JWT is
	// not removed in the request. Default value is false.
	//
	// NOTE(review): with forward set, the upstream receives the caller's original token and
	// could log or reuse it; leave this false unless the backend needs the token itself.
	Forward bool `protobuf:"varint,5,opt,name=forward,proto3" json:"forward,omitempty"`
	// Two fields below define where to extract the JWT from an HTTP request.
	//
	// If no explicit location is specified, the following default locations are tried in order:
	//
	// 1. The Authorization header using the `Bearer schema
	// <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
	//
	//	Authorization: Bearer <token>.
	//
	// 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
	//
	// Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
	// its provider specified or from the default locations.
	//
	// Specify the HTTP headers to extract JWT token. For examples, following config:
	//
	// .. code-block:: yaml
	//
	//   from_headers:
	//   - name: x-goog-iap-jwt-assertion
	//
	// can be used to extract token from header::
	//
	//	x-goog-iap-jwt-assertion: <JWT>
	FromHeaders []*JwtHeader `protobuf:"bytes,6,rep,name=from_headers,json=fromHeaders,proto3" json:"from_headers,omitempty"`
	// JWT is sent in a query parameter. `from_params` represents the query parameter names.
	// (The original comment said `jwt_params`; the field and its tag are from_params.)
	//
	// For example, if config is:
	//
	// .. code-block:: yaml
	//
	//   from_params:
	//   - jwt_token
	//
	// The JWT format in query parameter is::
	//
	//	/path?jwt_token=<JWT>
	//
	// NOTE(review): a token carried in the query string is part of the URL and tends to end
	// up in access logs, intermediary logs and Referer headers; prefer header extraction
	// where the client allows it.
	FromParams []string `protobuf:"bytes,7,rep,name=from_params,json=fromParams,proto3" json:"from_params,omitempty"`
	// This field specifies the header name to forward a successfully verified JWT payload to the
	// backend. The forwarded data is::
	//
	//	base64url_encoded(jwt_payload_in_JSON)
	//
	// If it is not specified, the payload will not be forwarded.
	//
	// NOTE(review): the forwarded payload is only encoded, not signed, so a backend can trust
	// it only if nothing but this filter can set the header. Whether a client-supplied header
	// of the same name is removed on requests that skip verification is not stated here;
	// confirm before the backend relies on it.
	ForwardPayloadHeader string `protobuf:"bytes,8,opt,name=forward_payload_header,json=forwardPayloadHeader,proto3" json:"forward_payload_header,omitempty"`
	// If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
	// in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**.
	// The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
	// and the value is the *protobuf::Struct* converted from JWT JSON payload.
	//
	// For example, if payload_in_metadata is *my_payload*:
	//
	// .. code-block:: yaml
	//
	//   envoy.filters.http.jwt_authn:
	//     my_payload:
	//       iss: https://example.com
	//       sub: test@example.com
	//       aud: https://example.com
	//       exp: 1501281058
	PayloadInMetadata string `protobuf:"bytes,9,opt,name=payload_in_metadata,json=payloadInMetadata,proto3" json:"payload_in_metadata,omitempty"`
	// contains filtered or unexported fields
}
Please see following for JWT authentication flow:
* `JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>`_
* `The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>`_
* `OpenID Connect <http://openid.net/connect>`_
A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:
* issuer: the principal that issues the JWT. It has to match the one from the token.
* allowed audiences: the ones in the token have to be listed here.
* how to fetch the public key JWKS to verify the token signature.
* how to extract the JWT from the request.
* how to pass on the successfully verified token payload.
Example:
.. code-block:: yaml
  issuer: https://example.com
  audiences:
  - bookstore_android.apps.googleusercontent.com
  - bookstore_web.apps.googleusercontent.com
  remote_jwks:
    http_uri:
      uri: https://example.com/.well-known/jwks.json
      cluster: example_jwks_cluster
    cache_duration:
      seconds: 300
[#next-free-field: 10]
func (*JwtProvider) Descriptor
deprecated
func (*JwtProvider) Descriptor() ([]byte, []int)
Deprecated: Use JwtProvider.ProtoReflect.Descriptor instead.
func (*JwtProvider) GetAudiences ¶
func (x *JwtProvider) GetAudiences() []string
func (*JwtProvider) GetForward ¶
func (x *JwtProvider) GetForward() bool
func (*JwtProvider) GetForwardPayloadHeader ¶
func (x *JwtProvider) GetForwardPayloadHeader() string
func (*JwtProvider) GetFromHeaders ¶
func (x *JwtProvider) GetFromHeaders() []*JwtHeader
func (*JwtProvider) GetFromParams ¶
func (x *JwtProvider) GetFromParams() []string
func (*JwtProvider) GetIssuer ¶
func (x *JwtProvider) GetIssuer() string
func (*JwtProvider) GetJwksSourceSpecifier ¶
func (m *JwtProvider) GetJwksSourceSpecifier() isJwtProvider_JwksSourceSpecifier
func (*JwtProvider) GetLocalJwks ¶
func (x *JwtProvider) GetLocalJwks() *core.DataSource
func (*JwtProvider) GetPayloadInMetadata ¶
func (x *JwtProvider) GetPayloadInMetadata() string
func (*JwtProvider) GetRemoteJwks ¶
func (x *JwtProvider) GetRemoteJwks() *RemoteJwks
func (*JwtProvider) ProtoMessage ¶
func (*JwtProvider) ProtoMessage()
func (*JwtProvider) ProtoReflect ¶
func (x *JwtProvider) ProtoReflect() protoreflect.Message
func (*JwtProvider) Reset ¶
func (x *JwtProvider) Reset()
func (*JwtProvider) String ¶
func (x *JwtProvider) String() string
type JwtProvider_LocalJwks ¶
// JwtProvider_LocalJwks is the oneof wrapper that selects a local data source
// for JwtProvider.JwksSourceSpecifier.
type JwtProvider_LocalJwks struct {
	// JWKS is in local data source. It could be either in a local file or embedded in the
	// inline_string.
	//
	// Example: local file
	//
	// .. code-block:: yaml
	//
	//   local_jwks:
	//     filename: /etc/envoy/jwks/jwks1.txt
	//
	// Example: inline_string
	//
	// .. code-block:: yaml
	//
	//   local_jwks:
	//     inline_string: ACADADADADA
	//
	// NOTE(review): these keys decide which signatures are accepted, so a file used here
	// should be writable only by whoever is allowed to change the proxy's trust; nothing
	// on this page says how or when a changed file is re-read — confirm for key rotation.
	LocalJwks *core.DataSource `protobuf:"bytes,4,opt,name=local_jwks,json=localJwks,proto3,oneof"`
}
type JwtProvider_RemoteJwks ¶
// JwtProvider_RemoteJwks is the oneof wrapper that selects a remote JWKS source
// for JwtProvider.JwksSourceSpecifier.
type JwtProvider_RemoteJwks struct {
	// JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
	// URI and how the fetched JWKS should be cached.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//   remote_jwks:
	//     http_uri:
	//       uri: https://www.googleapis.com/oauth2/v1/certs
	//       cluster: jwt.www.googleapis.com|443
	//     cache_duration:
	//       seconds: 300
	//
	// NOTE(review): the fetched keys are what token signatures are checked against, so a
	// plain-HTTP fetch would let anyone on the path substitute their own keys. The fetch
	// goes through the named cluster; presumably TLS and certificate validation are set on
	// that cluster rather than implied by the uri scheme — verify the cluster config.
	RemoteJwks *RemoteJwks `protobuf:"bytes,3,opt,name=remote_jwks,json=remoteJwks,proto3,oneof"`
}
type JwtRequirement ¶
// JwtRequirement specifies a JWT requirement as one of the RequiresType
// alternatives listed below. Per the package documentation, an empty message
// means JWT verification is not required.
type JwtRequirement struct {
	// Types that are assignable to RequiresType:
	//
	//	*JwtRequirement_ProviderName
	//	*JwtRequirement_ProviderAndAudiences
	//	*JwtRequirement_RequiresAny
	//	*JwtRequirement_RequiresAll
	//	*JwtRequirement_AllowMissingOrFailed
	//	*JwtRequirement_AllowMissing
	//
	// NOTE(review): because the empty message means "not required", a requirement that was
	// left unset by mistake silently disables verification for the rule that uses it.
	RequiresType isJwtRequirement_RequiresType `protobuf_oneof:"requires_type"`
	// contains filtered or unexported fields
}
This message specifies a Jwt requirement. An empty message means JWT verification is not required. Here are some config examples:
.. code-block:: yaml
  # Example 1: not required with an empty message

  # Example 2: require A
  provider_name: provider-A

  # Example 3: require A or B
  requires_any:
    requirements:
      - provider_name: provider-A
      - provider_name: provider-B

  # Example 4: require A and B
  requires_all:
    requirements:
      - provider_name: provider-A
      - provider_name: provider-B

  # Example 5: require A and (B or C)
  requires_all:
    requirements:
      - provider_name: provider-A
      - requires_any:
          requirements:
            - provider_name: provider-B
            - provider_name: provider-C

  # Example 6: require A or (B and C)
  requires_any:
    requirements:
      - provider_name: provider-A
      - requires_all:
          requirements:
            - provider_name: provider-B
            - provider_name: provider-C

  # Example 7: A is optional (if token from A is provided, it must be valid, but also allows missing token.)
  requires_any:
    requirements:
      - provider_name: provider-A
      - allow_missing: {}

  # Example 8: A is optional and B is required.
  requires_all:
    requirements:
      - requires_any:
          requirements:
            - provider_name: provider-A
            - allow_missing: {}
      - provider_name: provider-B
[#next-free-field: 7]
func (*JwtRequirement) Descriptor
deprecated
func (*JwtRequirement) Descriptor() ([]byte, []int)
Deprecated: Use JwtRequirement.ProtoReflect.Descriptor instead.
func (*JwtRequirement) GetAllowMissing ¶
func (x *JwtRequirement) GetAllowMissing() *emptypb.Empty
func (*JwtRequirement) GetAllowMissingOrFailed ¶
func (x *JwtRequirement) GetAllowMissingOrFailed() *emptypb.Empty
func (*JwtRequirement) GetProviderAndAudiences ¶
func (x *JwtRequirement) GetProviderAndAudiences() *ProviderWithAudiences
func (*JwtRequirement) GetProviderName ¶
func (x *JwtRequirement) GetProviderName() string
func (*JwtRequirement) GetRequiresAll ¶
func (x *JwtRequirement) GetRequiresAll() *JwtRequirementAndList
func (*JwtRequirement) GetRequiresAny ¶
func (x *JwtRequirement) GetRequiresAny() *JwtRequirementOrList
func (*JwtRequirement) GetRequiresType ¶
func (m *JwtRequirement) GetRequiresType() isJwtRequirement_RequiresType
func (*JwtRequirement) ProtoMessage ¶
func (*JwtRequirement) ProtoMessage()
func (*JwtRequirement) ProtoReflect ¶
func (x *JwtRequirement) ProtoReflect() protoreflect.Message
func (*JwtRequirement) Reset ¶
func (x *JwtRequirement) Reset()
func (*JwtRequirement) String ¶
func (x *JwtRequirement) String() string
type JwtRequirementAndList ¶
// JwtRequirementAndList holds requirements whose results are AND-ed: all of
// them must pass, and the list fails if any one fails or is missing.
type JwtRequirementAndList struct {
	// Specify a list of JwtRequirement.
	Requirements []*JwtRequirement `protobuf:"bytes,1,rep,name=requirements,proto3" json:"requirements,omitempty"`
	// contains filtered or unexported fields
}
This message specifies a list of RequiredProvider. Their results are AND-ed: all of them must pass; if any one of them fails or is missing, the result is a failure.
func (*JwtRequirementAndList) Descriptor
deprecated
func (*JwtRequirementAndList) Descriptor() ([]byte, []int)
Deprecated: Use JwtRequirementAndList.ProtoReflect.Descriptor instead.
func (*JwtRequirementAndList) GetRequirements ¶
func (x *JwtRequirementAndList) GetRequirements() []*JwtRequirement
func (*JwtRequirementAndList) ProtoMessage ¶
func (*JwtRequirementAndList) ProtoMessage()
func (*JwtRequirementAndList) ProtoReflect ¶
func (x *JwtRequirementAndList) ProtoReflect() protoreflect.Message
func (*JwtRequirementAndList) Reset ¶
func (x *JwtRequirementAndList) Reset()
func (*JwtRequirementAndList) String ¶
func (x *JwtRequirementAndList) String() string
type JwtRequirementOrList ¶
// JwtRequirementOrList holds requirements whose results are OR-ed: the list
// passes if any one of them passes.
//
// NOTE(review): one permissive entry (for example allow_missing or
// allow_missing_or_failed) makes the whole list as permissive as that entry.
type JwtRequirementOrList struct {
	// Specify a list of JwtRequirement.
	Requirements []*JwtRequirement `protobuf:"bytes,1,rep,name=requirements,proto3" json:"requirements,omitempty"`
	// contains filtered or unexported fields
}
This message specifies a list of RequiredProvider. Their results are OR-ed; if any one of them passes, the result is a pass.
func (*JwtRequirementOrList) Descriptor
deprecated
func (*JwtRequirementOrList) Descriptor() ([]byte, []int)
Deprecated: Use JwtRequirementOrList.ProtoReflect.Descriptor instead.
func (*JwtRequirementOrList) GetRequirements ¶
func (x *JwtRequirementOrList) GetRequirements() []*JwtRequirement
func (*JwtRequirementOrList) ProtoMessage ¶
func (*JwtRequirementOrList) ProtoMessage()
func (*JwtRequirementOrList) ProtoReflect ¶
func (x *JwtRequirementOrList) ProtoReflect() protoreflect.Message
func (*JwtRequirementOrList) Reset ¶
func (x *JwtRequirementOrList) Reset()
func (*JwtRequirementOrList) String ¶
func (x *JwtRequirementOrList) String() string
type JwtRequirement_AllowMissing ¶
// JwtRequirement_AllowMissing is the oneof wrapper for the allow_missing
// alternative of JwtRequirement.RequiresType.
type JwtRequirement_AllowMissing struct {
	// The requirement is satisfied if JWT is missing, but failed if JWT is
	// presented but invalid. Similar to allow_missing_or_failed, this is used
	// to only verify JWTs and pass the verified payload to another filter. The
	// difference is this mode will reject requests with invalid tokens.
	//
	// NOTE(review): a request with no token at all still passes, so anonymous
	// callers reach the next filter or the backend; something downstream has to
	// decide what they may do.
	AllowMissing *emptypb.Empty `protobuf:"bytes,6,opt,name=allow_missing,json=allowMissing,proto3,oneof"`
}
type JwtRequirement_AllowMissingOrFailed ¶
// JwtRequirement_AllowMissingOrFailed is the oneof wrapper for the
// allow_missing_or_failed alternative of JwtRequirement.RequiresType.
type JwtRequirement_AllowMissingOrFailed struct {
	// The requirement is always satisfied even if JWT is missing or the JWT
	// verification fails. A typical usage is: this filter is used to only verify
	// JWTs and pass the verified JWT payloads to another filter, the other filter
	// will make decision. In this mode, all JWT tokens will be verified.
	//
	// NOTE(review): with this requirement the filter never rejects a request on
	// its own, so the access decision rests entirely on the filter that consumes
	// the payload. A route that uses it without such a filter is effectively
	// unauthenticated.
	AllowMissingOrFailed *emptypb.Empty `protobuf:"bytes,5,opt,name=allow_missing_or_failed,json=allowMissingOrFailed,proto3,oneof"`
}
type JwtRequirement_ProviderAndAudiences ¶
// JwtRequirement_ProviderAndAudiences is the oneof wrapper for the
// provider_and_audiences alternative of JwtRequirement.RequiresType.
type JwtRequirement_ProviderAndAudiences struct {
	// Specify a required provider with audiences.
	ProviderAndAudiences *ProviderWithAudiences `protobuf:"bytes,2,opt,name=provider_and_audiences,json=providerAndAudiences,proto3,oneof"`
}
type JwtRequirement_ProviderName ¶
// JwtRequirement_ProviderName is the oneof wrapper for the provider_name
// alternative of JwtRequirement.RequiresType.
type JwtRequirement_ProviderName struct {
	// Specify a required provider name.
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3,oneof"`
}
type JwtRequirement_RequiresAll ¶
// JwtRequirement_RequiresAll is the oneof wrapper for the requires_all
// alternative of JwtRequirement.RequiresType.
type JwtRequirement_RequiresAll struct {
	// Specify list of JwtRequirement. Their results are AND-ed.
	// All of them must pass, if one of them fails or missing, it fails.
	RequiresAll *JwtRequirementAndList `protobuf:"bytes,4,opt,name=requires_all,json=requiresAll,proto3,oneof"`
}
type JwtRequirement_RequiresAny ¶
// JwtRequirement_RequiresAny is the oneof wrapper for the requires_any
// alternative of JwtRequirement.RequiresType.
type JwtRequirement_RequiresAny struct {
	// Specify list of JwtRequirement. Their results are OR-ed.
	// If any one of them passes, the result is passed.
	RequiresAny *JwtRequirementOrList `protobuf:"bytes,3,opt,name=requires_any,json=requiresAny,proto3,oneof"`
}
type ProviderWithAudiences ¶
// ProviderWithAudiences names a required provider together with an audience
// list that overrides the one configured on that provider.
type ProviderWithAudiences struct {
	// Specify a required provider name.
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3" json:"provider_name,omitempty"`
	// This field overrides the one specified in the JwtProvider.
	//
	// NOTE(review): whether an empty list here falls back to the provider's
	// audiences or disables the audience check is not stated on this page;
	// confirm before leaving it empty.
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// contains filtered or unexported fields
}
Specify a required provider with audiences.
func (*ProviderWithAudiences) Descriptor
deprecated
func (*ProviderWithAudiences) Descriptor() ([]byte, []int)
Deprecated: Use ProviderWithAudiences.ProtoReflect.Descriptor instead.
func (*ProviderWithAudiences) GetAudiences ¶
func (x *ProviderWithAudiences) GetAudiences() []string
func (*ProviderWithAudiences) GetProviderName ¶
func (x *ProviderWithAudiences) GetProviderName() string
func (*ProviderWithAudiences) ProtoMessage ¶
func (*ProviderWithAudiences) ProtoMessage()
func (*ProviderWithAudiences) ProtoReflect ¶
func (x *ProviderWithAudiences) ProtoReflect() protoreflect.Message
func (*ProviderWithAudiences) Reset ¶
func (x *ProviderWithAudiences) Reset()
func (*ProviderWithAudiences) String ¶
func (x *ProviderWithAudiences) String() string
type RemoteJwks ¶
// RemoteJwks specifies how to fetch a JWKS from a remote server and how long
// the fetched copy is cached.
type RemoteJwks struct {
	// The HTTP URI to fetch the JWKS. For example:
	//
	// .. code-block:: yaml
	//
	//   http_uri:
	//     uri: https://www.googleapis.com/oauth2/v1/certs
	//     cluster: jwt.www.googleapis.com|443
	HttpUri *core.HttpUri `protobuf:"bytes,1,opt,name=http_uri,json=httpUri,proto3" json:"http_uri,omitempty"`
	// Duration after which the cached JWKS should be expired. If not specified, default cache
	// duration is 5 minutes.
	//
	// NOTE(review): presumably a key the issuer has withdrawn keeps validating
	// tokens until the cached copy expires, so this value bounds how quickly a
	// key rotation or revocation takes effect — confirm and size it accordingly.
	CacheDuration *durationpb.Duration `protobuf:"bytes,2,opt,name=cache_duration,json=cacheDuration,proto3" json:"cache_duration,omitempty"`
	// contains filtered or unexported fields
}
This message specifies how to fetch JWKS from remote and how to cache it.
func (*RemoteJwks) Descriptor
deprecated
func (*RemoteJwks) Descriptor() ([]byte, []int)
Deprecated: Use RemoteJwks.ProtoReflect.Descriptor instead.
func (*RemoteJwks) GetCacheDuration ¶
func (x *RemoteJwks) GetCacheDuration() *durationpb.Duration
func (*RemoteJwks) GetHttpUri ¶
func (x *RemoteJwks) GetHttpUri() *core.HttpUri
func (*RemoteJwks) ProtoMessage ¶
func (*RemoteJwks) ProtoMessage()
func (*RemoteJwks) ProtoReflect ¶
func (x *RemoteJwks) ProtoReflect() protoreflect.Message
func (*RemoteJwks) Reset ¶
func (x *RemoteJwks) Reset()
func (*RemoteJwks) String ¶
func (x *RemoteJwks) String() string
type RequirementRule ¶
// RequirementRule binds a JWT requirement to a route match condition.
type RequirementRule struct {
	// The route matching parameter. Only when the match is satisfied, the "requires" field will
	// apply.
	//
	// For example: following match will match all requests.
	//
	// .. code-block:: yaml
	//
	//   match:
	//     prefix: /
	Match *route.RouteMatch `protobuf:"bytes,1,opt,name=match,proto3" json:"match,omitempty"`
	// Specify a JWT requirement. Please see the detailed comment in message JwtRequirement.
	//
	// NOTE(review): per the package examples, a rule whose "requires" is left
	// empty means requests matching it need no JWT authentication, so an
	// omitted field is an explicit allow rather than an error.
	Requires *JwtRequirement `protobuf:"bytes,2,opt,name=requires,proto3" json:"requires,omitempty"`
	// contains filtered or unexported fields
}
This message specifies a JWT requirement for a specific route condition.

Example 1:
.. code-block:: yaml
  - match:
      prefix: /healthz

In the above example, the "requires" field is empty for the /healthz prefix match, which means that requests matching the path prefix don't require JWT authentication.
Example 2:
.. code-block:: yaml
  - match:
      prefix: /
    requires: { provider_name: provider-A }

In the above example, all requests matching the path prefix require JWT authentication from "provider-A".
func (*RequirementRule) Descriptor
deprecated
func (*RequirementRule) Descriptor() ([]byte, []int)
Deprecated: Use RequirementRule.ProtoReflect.Descriptor instead.
func (*RequirementRule) GetMatch ¶
func (x *RequirementRule) GetMatch() *route.RouteMatch
func (*RequirementRule) GetRequires ¶
func (x *RequirementRule) GetRequires() *JwtRequirement
func (*RequirementRule) ProtoMessage ¶
func (*RequirementRule) ProtoMessage()
func (*RequirementRule) ProtoReflect ¶
func (x *RequirementRule) ProtoReflect() protoreflect.Message
func (*RequirementRule) Reset ¶
func (x *RequirementRule) Reset()
func (*RequirementRule) String ¶
func (x *RequirementRule) String() string