envoy_config_filter_http_jwt_authn_v3alpha

package
v1.12.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 30, 2020 License: Apache-2.0 Imports: 7 Imported by: 0

README

JWT Authentication HTTP filter config

Overview

  1. The proto file in this folder defines an HTTP filter config for "jwt_authn" filter.

  2. This filter will verify the JWT in the HTTP request as:

    • The signature should be valid
    • JWT should not be expired
    • Issuer and audiences are valid and specified in the filter config.

  3. JWK is needed to verify JWT signature. It can be fetched from a remote server or read from a local file. If the JWKS is fetched remotely, it will be cached by the filter.

  4. If a JWT is valid, the user is authenticated and the request will be forwarded to the backend server. If a JWT is not valid, the request will be rejected with an error message.

The locations to extract JWT

JWT will be extracted from the HTTP headers or query parameters. The default location is the HTTP header:

Authorization: Bearer <token>

The next default location is in the query parameter as:

?access_token=<TOKEN>

If a custom location is desired, from_headers or from_params can be used to specify custom locations to extract JWT.

HTTP header to pass successfully verified JWT

If a JWT is valid, its payload will be passed to the backend in a new HTTP header specified in forward_payload_header field. Its value is base64 encoded JWT payload in JSON.

Further header options

In addition to the name field, which specifies the HTTP header name, the from_headers section can specify an optional value_prefix value, as in:

    from_headers:
      - name: bespoke
        value_prefix: jwt_value

The above will cause the jwt_authn filter to look for the JWT in the bespoke header, following the tag jwt_value.

Any non-JWT characters (i.e., anything other than alphanumerics, _, -, and .) will be skipped, and all following, contiguous, JWT-legal chars will be taken as the JWT.

This means all of the following will return a JWT of eyJFbnZveSI6ICJyb2NrcyJ9.e30.c2lnbmVk:

bespoke: jwt_value=eyJFbnZveSI6ICJyb2NrcyJ9.e30.c2lnbmVk

bespoke: {"jwt_value": "eyJFbnZveSI6ICJyb2NrcyJ9.e30.c2lnbmVk"}

bespoke: beta:true,jwt_value:"eyJFbnZveSI6ICJyb2NrcyJ9.e30.c2lnbmVk",trace=1234

The header name may be Authorization.

The value_prefix must match exactly, i.e., case-sensitively. If the value_prefix is not found, the header is skipped: not considered as a source for a JWT token.

If there are no JWT-legal characters after the value_prefix, the entire string after it is taken to be the JWT token. This is unlikely to succeed; the error will reported by the JWT parser.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type FilterStateRule 

type FilterStateRule struct {
	// The filter state name to retrieve the `Router::StringAccessor` object.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// A map of string keys to requirements. The string key is the string value
	// in the FilterState with the name specified in the *name* field above.
	Requires             map[string]*JwtRequirement `` /* 157-byte string literal not displayed */
	XXX_NoUnkeyedLiteral struct{}                   `json:"-"`
	XXX_unrecognized     []byte                     `json:"-"`
	XXX_sizecache        int32                      `json:"-"`
}

This message specifies Jwt requirements based on stream_info.filterState. This FilterState should use `Router::StringAccessor` object to set a string value. Other HTTP filters can use it to specify Jwt requirements dynamically.

Example:

.. code-block:: yaml 

name: jwt_selector
requires:
  issuer_1:
    provider_name: issuer1
  issuer_2:
    provider_name: issuer2

If a filter set "jwt_selector" with "issuer_1" to FilterState for a request, jwt_authn filter will use JwtRequirement{"provider_name": "issuer1"} to verify.

func (*FilterStateRule) Descriptor 

func (*FilterStateRule) Descriptor() ([]byte, []int)

func (*FilterStateRule) GetName 

func (m *FilterStateRule) GetName() string

func (*FilterStateRule) GetRequires 

func (m *FilterStateRule) GetRequires() map[string]*JwtRequirement

func (*FilterStateRule) ProtoMessage 

func (*FilterStateRule) ProtoMessage()

func (*FilterStateRule) Reset 

func (m *FilterStateRule) Reset()

func (*FilterStateRule) String 

func (m *FilterStateRule) String() string

func (*FilterStateRule) XXX_DiscardUnknown 

func (m *FilterStateRule) XXX_DiscardUnknown()

func (*FilterStateRule) XXX_Marshal 

func (m *FilterStateRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*FilterStateRule) XXX_Merge 

func (m *FilterStateRule) XXX_Merge(src proto.Message)

func (*FilterStateRule) XXX_Size 

func (m *FilterStateRule) XXX_Size() int

func (*FilterStateRule) XXX_Unmarshal 

func (m *FilterStateRule) XXX_Unmarshal(b []byte) error

type JwtAuthentication 

type JwtAuthentication struct {
	// Map of provider names to JwtProviders.
	//
	// .. code-block:: yaml
	//
	//   providers:
	//     provider1:
	//        issuer: issuer1
	//        audiences:
	//        - audience1
	//        - audience2
	//        remote_jwks:
	//          http_uri:
	//            uri: https://example.com/.well-known/jwks.json
	//            cluster: example_jwks_cluster
	//      provider2:
	//        issuer: provider2
	//        local_jwks:
	//          inline_string: jwks_string
	//
	Providers map[string]*JwtProvider `` /* 159-byte string literal not displayed */
	// Specifies requirements based on the route matches. The first matched requirement will be
	// applied. If there are overlapped match conditions, please put the most specific match first.
	//
	// Examples
	//
	// .. code-block:: yaml
	//
	// rules:
	//   - match:
	//       prefix: /healthz
	//   - match:
	//       prefix: /baz
	//     requires:
	//       provider_name: provider1
	//   - match:
	//       prefix: /foo
	//     requires:
	//       requires_any:
	//         requirements:
	//           - provider_name: provider1
	//           - provider_name: provider2
	//   - match:
	//       prefix: /bar
	//     requires:
	//       requires_all:
	//         requirements:
	//           - provider_name: provider1
	//           - provider_name: provider2
	//
	Rules []*RequirementRule `protobuf:"bytes,2,rep,name=rules,proto3" json:"rules,omitempty"`
	// This message specifies Jwt requirements based on stream_info.filterState.
	// Other HTTP filters can use it to specify Jwt requirements dynamically.
	// The *rules* field above is checked first, if it could not find any matches,
	// check this one.
	FilterStateRules     *FilterStateRule `protobuf:"bytes,3,opt,name=filter_state_rules,json=filterStateRules,proto3" json:"filter_state_rules,omitempty"`
	XXX_NoUnkeyedLiteral struct{}         `json:"-"`
	XXX_unrecognized     []byte           `json:"-"`
	XXX_sizecache        int32            `json:"-"`
}

This is the Envoy HTTP filter config for JWT authentication.

For example:

.. code-block:: yaml 

providers:
   provider1:
     issuer: issuer1
     audiences:
     - audience1
     - audience2
     remote_jwks:
       http_uri:
         uri: https://example.com/.well-known/jwks.json
         cluster: example_jwks_cluster
   provider2:
     issuer: issuer2
     local_jwks:
       inline_string: jwks_string

rules:
   # Not jwt verification is required for /health path
   - match:
       prefix: /health

   # Jwt verification for provider1 is required for path prefixed with "prefix"
   - match:
       prefix: /prefix
     requires:
       provider_name: provider1

   # Jwt verification for either provider1 or provider2 is required for all other requests.
   - match:
       prefix: /
     requires:
       requires_any:
         requirements:
           - provider_name: provider1
           - provider_name: provider2

func (*JwtAuthentication) Descriptor 

func (*JwtAuthentication) Descriptor() ([]byte, []int)

func (*JwtAuthentication) GetFilterStateRules 

func (m *JwtAuthentication) GetFilterStateRules() *FilterStateRule

func (*JwtAuthentication) GetProviders 

func (m *JwtAuthentication) GetProviders() map[string]*JwtProvider

func (*JwtAuthentication) GetRules 

func (m *JwtAuthentication) GetRules() []*RequirementRule

func (*JwtAuthentication) ProtoMessage 

func (*JwtAuthentication) ProtoMessage()

func (*JwtAuthentication) Reset 

func (m *JwtAuthentication) Reset()

func (*JwtAuthentication) String 

func (m *JwtAuthentication) String() string

func (*JwtAuthentication) XXX_DiscardUnknown 

func (m *JwtAuthentication) XXX_DiscardUnknown()

func (*JwtAuthentication) XXX_Marshal 

func (m *JwtAuthentication) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*JwtAuthentication) XXX_Merge 

func (m *JwtAuthentication) XXX_Merge(src proto.Message)

func (*JwtAuthentication) XXX_Size 

func (m *JwtAuthentication) XXX_Size() int

func (*JwtAuthentication) XXX_Unmarshal 

func (m *JwtAuthentication) XXX_Unmarshal(b []byte) error

type JwtHeader 

type JwtHeader struct {
	// The HTTP header name.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// The value prefix. The value format is "value_prefix<token>"
	// For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
	// end.
	ValuePrefix          string   `protobuf:"bytes,2,opt,name=value_prefix,json=valuePrefix,proto3" json:"value_prefix,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

This message specifies a header location to extract JWT token.

func (*JwtHeader) Descriptor 

func (*JwtHeader) Descriptor() ([]byte, []int)

func (*JwtHeader) GetName 

func (m *JwtHeader) GetName() string

func (*JwtHeader) GetValuePrefix 

func (m *JwtHeader) GetValuePrefix() string

func (*JwtHeader) ProtoMessage 

func (*JwtHeader) ProtoMessage()

func (*JwtHeader) Reset 

func (m *JwtHeader) Reset()

func (*JwtHeader) String 

func (m *JwtHeader) String() string

func (*JwtHeader) XXX_DiscardUnknown 

func (m *JwtHeader) XXX_DiscardUnknown()

func (*JwtHeader) XXX_Marshal 

func (m *JwtHeader) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*JwtHeader) XXX_Merge 

func (m *JwtHeader) XXX_Merge(src proto.Message)

func (*JwtHeader) XXX_Size 

func (m *JwtHeader) XXX_Size() int

func (*JwtHeader) XXX_Unmarshal 

func (m *JwtHeader) XXX_Unmarshal(b []byte) error

type JwtProvider 

type JwtProvider struct {
	// Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
	// the JWT, usually a URL or an email address.
	//
	// Example: https://securetoken.google.com
	// Example: 1234567-compute@developer.gserviceaccount.com
	//
	Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
	// allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
	// will not check audiences in the token.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//     audiences:
	//     - bookstore_android.apps.googleusercontent.com
	//     - bookstore_web.apps.googleusercontent.com
	//
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// `JSON Web Key Set (JWKS) <https://tools.ietf.org/html/rfc7517#appendix-A>`_ is needed to
	// validate signature of a JWT. This field specifies where to fetch JWKS.
	//
	// Types that are valid to be assigned to JwksSourceSpecifier:
	//	*JwtProvider_RemoteJwks
	//	*JwtProvider_LocalJwks
	JwksSourceSpecifier isJwtProvider_JwksSourceSpecifier `protobuf_oneof:"jwks_source_specifier"`
	// If false, the JWT is removed in the request after a success verification. If true, the JWT is
	// not removed in the request. Default value is false.
	Forward bool `protobuf:"varint,5,opt,name=forward,proto3" json:"forward,omitempty"`
	// Two fields below define where to extract the JWT from an HTTP request.
	//
	// If no explicit location is specified, the following default locations are tried in order:
	//
	// 1. The Authorization header using the `Bearer schema
	// <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
	//
	//    Authorization: Bearer <token>.
	//
	// 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
	//
	// Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
	// its provider specified or from the default locations.
	//
	// Specify the HTTP headers to extract JWT token. For examples, following config:
	//
	// .. code-block:: yaml
	//
	//   from_headers:
	//   - name: x-goog-iap-jwt-assertion
	//
	// can be used to extract token from header::
	//
	//   x-goog-iap-jwt-assertion: <JWT>.
	//
	FromHeaders []*JwtHeader `protobuf:"bytes,6,rep,name=from_headers,json=fromHeaders,proto3" json:"from_headers,omitempty"`
	// JWT is sent in a query parameter. `jwt_params` represents the query parameter names.
	//
	// For example, if config is:
	//
	// .. code-block:: yaml
	//
	//   from_params:
	//   - jwt_token
	//
	// The JWT format in query parameter is::
	//
	//    /path?jwt_token=<JWT>
	//
	FromParams []string `protobuf:"bytes,7,rep,name=from_params,json=fromParams,proto3" json:"from_params,omitempty"`
	// This field specifies the header name to forward a successfully verified JWT payload to the
	// backend. The forwarded data is::
	//
	//    base64_encoded(jwt_payload_in_JSON)
	//
	// If it is not specified, the payload will not be forwarded.
	ForwardPayloadHeader string `protobuf:"bytes,8,opt,name=forward_payload_header,json=forwardPayloadHeader,proto3" json:"forward_payload_header,omitempty"`
	// If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
	// in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
	// The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
	// and the value is the *protobuf::Struct* converted from JWT JSON payload.
	//
	// For example, if payload_in_metadata is *my_payload*:
	//
	// .. code-block:: yaml
	//
	//   envoy.filters.http.jwt_authn:
	//     my_payload:
	//       iss: https://example.com
	//       sub: test@example.com
	//       aud: https://example.com
	//       exp: 1501281058
	//
	PayloadInMetadata    string   `protobuf:"bytes,9,opt,name=payload_in_metadata,json=payloadInMetadata,proto3" json:"payload_in_metadata,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

Please see following for JWT authentication flow:

* `JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>`_ * `The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>`_ * `OpenID Connect <http://openid.net/connect>`_

A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:

* issuer: the principal that issues the JWT. It has to match the one from the token. * allowed audiences: the ones in the token have to be listed here. * how to fetch public key JWKS to verify the token signature. * how to extract JWT token in the request. * how to pass successfully verified token payload.

Example:

.. code-block:: yaml 

issuer: https://example.com
audiences:
- bookstore_android.apps.googleusercontent.com
- bookstore_web.apps.googleusercontent.com
remote_jwks:
  http_uri:
    uri: https://example.com/.well-known/jwks.json
    cluster: example_jwks_cluster
  cache_duration:
    seconds: 300

[#next-free-field: 10]

func (*JwtProvider) Descriptor 

func (*JwtProvider) Descriptor() ([]byte, []int)

func (*JwtProvider) GetAudiences 

func (m *JwtProvider) GetAudiences() []string

func (*JwtProvider) GetForward 

func (m *JwtProvider) GetForward() bool

func (*JwtProvider) GetForwardPayloadHeader 

func (m *JwtProvider) GetForwardPayloadHeader() string

func (*JwtProvider) GetFromHeaders 

func (m *JwtProvider) GetFromHeaders() []*JwtHeader

func (*JwtProvider) GetFromParams 

func (m *JwtProvider) GetFromParams() []string

func (*JwtProvider) GetIssuer 

func (m *JwtProvider) GetIssuer() string

func (*JwtProvider) GetJwksSourceSpecifier 

func (m *JwtProvider) GetJwksSourceSpecifier() isJwtProvider_JwksSourceSpecifier

func (*JwtProvider) GetLocalJwks 

func (m *JwtProvider) GetLocalJwks() *core.DataSource

func (*JwtProvider) GetPayloadInMetadata 

func (m *JwtProvider) GetPayloadInMetadata() string

func (*JwtProvider) GetRemoteJwks 

func (m *JwtProvider) GetRemoteJwks() *RemoteJwks

func (*JwtProvider) ProtoMessage 

func (*JwtProvider) ProtoMessage()

func (*JwtProvider) Reset 

func (m *JwtProvider) Reset()

func (*JwtProvider) String 

func (m *JwtProvider) String() string

func (*JwtProvider) XXX_DiscardUnknown 

func (m *JwtProvider) XXX_DiscardUnknown()

func (*JwtProvider) XXX_Marshal 

func (m *JwtProvider) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*JwtProvider) XXX_Merge 

func (m *JwtProvider) XXX_Merge(src proto.Message)

func (*JwtProvider) XXX_OneofWrappers 

func (*JwtProvider) XXX_OneofWrappers() []interface{}

XXX_OneofWrappers is for the internal use of the proto package.

func (*JwtProvider) XXX_Size 

func (m *JwtProvider) XXX_Size() int

func (*JwtProvider) XXX_Unmarshal 

func (m *JwtProvider) XXX_Unmarshal(b []byte) error

type JwtProvider_LocalJwks 

type JwtProvider_LocalJwks struct {
	LocalJwks *core.DataSource `protobuf:"bytes,4,opt,name=local_jwks,json=localJwks,proto3,oneof"`
}

type JwtProvider_RemoteJwks 

type JwtProvider_RemoteJwks struct {
	RemoteJwks *RemoteJwks `protobuf:"bytes,3,opt,name=remote_jwks,json=remoteJwks,proto3,oneof"`
}

type JwtRequirement 

type JwtRequirement struct {
	// Types that are valid to be assigned to RequiresType:
	//	*JwtRequirement_ProviderName
	//	*JwtRequirement_ProviderAndAudiences
	//	*JwtRequirement_RequiresAny
	//	*JwtRequirement_RequiresAll
	//	*JwtRequirement_AllowMissingOrFailed
	RequiresType         isJwtRequirement_RequiresType `protobuf_oneof:"requires_type"`
	XXX_NoUnkeyedLiteral struct{}                      `json:"-"`
	XXX_unrecognized     []byte                        `json:"-"`
	XXX_sizecache        int32                         `json:"-"`
}

This message specifies a Jwt requirement. An empty message means JWT verification is not required. Here are some config examples:

.. code-block:: yaml 

# Example 1: not required with an empty message

# Example 2: require A
provider_name: provider-A

# Example 3: require A or B
requires_any:
  requirements:
    - provider_name: provider-A
    - provider_name: provider-B

# Example 4: require A and B
requires_all:
  requirements:
    - provider_name: provider-A
    - provider_name: provider-B

# Example 5: require A and (B or C)
requires_all:
  requirements:
    - provider_name: provider-A
    - requires_any:
      requirements:
        - provider_name: provider-B
        - provider_name: provider-C

# Example 6: require A or (B and C)
requires_any:
  requirements:
    - provider_name: provider-A
    - requires_all:
      requirements:
        - provider_name: provider-B
        - provider_name: provider-C

[#next-free-field: 6]

func (*JwtRequirement) Descriptor 

func (*JwtRequirement) Descriptor() ([]byte, []int)

func (*JwtRequirement) GetAllowMissingOrFailed 

func (m *JwtRequirement) GetAllowMissingOrFailed() *types.Empty

func (*JwtRequirement) GetProviderAndAudiences 

func (m *JwtRequirement) GetProviderAndAudiences() *ProviderWithAudiences

func (*JwtRequirement) GetProviderName 

func (m *JwtRequirement) GetProviderName() string

func (*JwtRequirement) GetRequiresAll 

func (m *JwtRequirement) GetRequiresAll() *JwtRequirementAndList

func (*JwtRequirement) GetRequiresAny 

func (m *JwtRequirement) GetRequiresAny() *JwtRequirementOrList

func (*JwtRequirement) GetRequiresType 

func (m *JwtRequirement) GetRequiresType() isJwtRequirement_RequiresType

func (*JwtRequirement) ProtoMessage 

func (*JwtRequirement) ProtoMessage()

func (*JwtRequirement) Reset 

func (m *JwtRequirement) Reset()

func (*JwtRequirement) String 

func (m *JwtRequirement) String() string

func (*JwtRequirement) XXX_DiscardUnknown 

func (m *JwtRequirement) XXX_DiscardUnknown()

func (*JwtRequirement) XXX_Marshal 

func (m *JwtRequirement) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*JwtRequirement) XXX_Merge 

func (m *JwtRequirement) XXX_Merge(src proto.Message)

func (*JwtRequirement) XXX_OneofWrappers 

func (*JwtRequirement) XXX_OneofWrappers() []interface{}

XXX_OneofWrappers is for the internal use of the proto package.

func (*JwtRequirement) XXX_Size 

func (m *JwtRequirement) XXX_Size() int

func (*JwtRequirement) XXX_Unmarshal 

func (m *JwtRequirement) XXX_Unmarshal(b []byte) error

type JwtRequirementAndList 

type JwtRequirementAndList struct {
	// Specify a list of JwtRequirement.
	Requirements         []*JwtRequirement `protobuf:"bytes,1,rep,name=requirements,proto3" json:"requirements,omitempty"`
	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
	XXX_unrecognized     []byte            `json:"-"`
	XXX_sizecache        int32             `json:"-"`
}

This message specifies a list of RequiredProvider. Their results are AND-ed; all of them must pass, if one of them fails or missing, it fails.

func (*JwtRequirementAndList) Descriptor 

func (*JwtRequirementAndList) Descriptor() ([]byte, []int)

func (*JwtRequirementAndList) GetRequirements 

func (m *JwtRequirementAndList) GetRequirements() []*JwtRequirement

func (*JwtRequirementAndList) ProtoMessage 

func (*JwtRequirementAndList) ProtoMessage()

func (*JwtRequirementAndList) Reset 

func (m *JwtRequirementAndList) Reset()

func (*JwtRequirementAndList) String 

func (m *JwtRequirementAndList) String() string

func (*JwtRequirementAndList) XXX_DiscardUnknown 

func (m *JwtRequirementAndList) XXX_DiscardUnknown()

func (*JwtRequirementAndList) XXX_Marshal 

func (m *JwtRequirementAndList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*JwtRequirementAndList) XXX_Merge 

func (m *JwtRequirementAndList) XXX_Merge(src proto.Message)

func (*JwtRequirementAndList) XXX_Size 

func (m *JwtRequirementAndList) XXX_Size() int

func (*JwtRequirementAndList) XXX_Unmarshal 

func (m *JwtRequirementAndList) XXX_Unmarshal(b []byte) error

type JwtRequirementOrList 

type JwtRequirementOrList struct {
	// Specify a list of JwtRequirement.
	Requirements         []*JwtRequirement `protobuf:"bytes,1,rep,name=requirements,proto3" json:"requirements,omitempty"`
	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
	XXX_unrecognized     []byte            `json:"-"`
	XXX_sizecache        int32             `json:"-"`
}

This message specifies a list of RequiredProvider. Their results are OR-ed; if any one of them passes, the result is passed

func (*JwtRequirementOrList) Descriptor 

func (*JwtRequirementOrList) Descriptor() ([]byte, []int)

func (*JwtRequirementOrList) GetRequirements 

func (m *JwtRequirementOrList) GetRequirements() []*JwtRequirement

func (*JwtRequirementOrList) ProtoMessage 

func (*JwtRequirementOrList) ProtoMessage()

func (*JwtRequirementOrList) Reset 

func (m *JwtRequirementOrList) Reset()

func (*JwtRequirementOrList) String 

func (m *JwtRequirementOrList) String() string

func (*JwtRequirementOrList) XXX_DiscardUnknown 

func (m *JwtRequirementOrList) XXX_DiscardUnknown()

func (*JwtRequirementOrList) XXX_Marshal 

func (m *JwtRequirementOrList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*JwtRequirementOrList) XXX_Merge 

func (m *JwtRequirementOrList) XXX_Merge(src proto.Message)

func (*JwtRequirementOrList) XXX_Size 

func (m *JwtRequirementOrList) XXX_Size() int

func (*JwtRequirementOrList) XXX_Unmarshal 

func (m *JwtRequirementOrList) XXX_Unmarshal(b []byte) error

type JwtRequirement_AllowMissingOrFailed 

type JwtRequirement_AllowMissingOrFailed struct {
	AllowMissingOrFailed *types.Empty `protobuf:"bytes,5,opt,name=allow_missing_or_failed,json=allowMissingOrFailed,proto3,oneof"`
}

type JwtRequirement_ProviderAndAudiences 

type JwtRequirement_ProviderAndAudiences struct {
	ProviderAndAudiences *ProviderWithAudiences `protobuf:"bytes,2,opt,name=provider_and_audiences,json=providerAndAudiences,proto3,oneof"`
}

type JwtRequirement_ProviderName 

type JwtRequirement_ProviderName struct {
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3,oneof"`
}

type JwtRequirement_RequiresAll 

type JwtRequirement_RequiresAll struct {
	RequiresAll *JwtRequirementAndList `protobuf:"bytes,4,opt,name=requires_all,json=requiresAll,proto3,oneof"`
}

type JwtRequirement_RequiresAny 

type JwtRequirement_RequiresAny struct {
	RequiresAny *JwtRequirementOrList `protobuf:"bytes,3,opt,name=requires_any,json=requiresAny,proto3,oneof"`
}

type ProviderWithAudiences 

type ProviderWithAudiences struct {
	// Specify a required provider name.
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3" json:"provider_name,omitempty"`
	// This field overrides the one specified in the JwtProvider.
	Audiences            []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

Specify a required provider with audiences.

func (*ProviderWithAudiences) Descriptor 

func (*ProviderWithAudiences) Descriptor() ([]byte, []int)

func (*ProviderWithAudiences) GetAudiences 

func (m *ProviderWithAudiences) GetAudiences() []string

func (*ProviderWithAudiences) GetProviderName 

func (m *ProviderWithAudiences) GetProviderName() string

func (*ProviderWithAudiences) ProtoMessage 

func (*ProviderWithAudiences) ProtoMessage()

func (*ProviderWithAudiences) Reset 

func (m *ProviderWithAudiences) Reset()

func (*ProviderWithAudiences) String 

func (m *ProviderWithAudiences) String() string

func (*ProviderWithAudiences) XXX_DiscardUnknown 

func (m *ProviderWithAudiences) XXX_DiscardUnknown()

func (*ProviderWithAudiences) XXX_Marshal 

func (m *ProviderWithAudiences) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ProviderWithAudiences) XXX_Merge 

func (m *ProviderWithAudiences) XXX_Merge(src proto.Message)

func (*ProviderWithAudiences) XXX_Size 

func (m *ProviderWithAudiences) XXX_Size() int

func (*ProviderWithAudiences) XXX_Unmarshal 

func (m *ProviderWithAudiences) XXX_Unmarshal(b []byte) error

type RemoteJwks 

type RemoteJwks struct {
	// The HTTP URI to fetch the JWKS. For example:
	//
	// .. code-block:: yaml
	//
	//    http_uri:
	//      uri: https://www.googleapis.com/oauth2/v1/certs
	//      cluster: jwt.www.googleapis.com|443
	//
	HttpUri *core.HttpUri `protobuf:"bytes,1,opt,name=http_uri,json=httpUri,proto3" json:"http_uri,omitempty"`
	// Duration after which the cached JWKS should be expired. If not specified, default cache
	// duration is 5 minutes.
	CacheDuration        *types.Duration `protobuf:"bytes,2,opt,name=cache_duration,json=cacheDuration,proto3" json:"cache_duration,omitempty"`
	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
	XXX_unrecognized     []byte          `json:"-"`
	XXX_sizecache        int32           `json:"-"`
}

This message specifies how to fetch JWKS from remote and how to cache it.

func (*RemoteJwks) Descriptor 

func (*RemoteJwks) Descriptor() ([]byte, []int)

func (*RemoteJwks) GetCacheDuration 

func (m *RemoteJwks) GetCacheDuration() *types.Duration

func (*RemoteJwks) GetHttpUri 

func (m *RemoteJwks) GetHttpUri() *core.HttpUri

func (*RemoteJwks) ProtoMessage 

func (*RemoteJwks) ProtoMessage()

func (*RemoteJwks) Reset 

func (m *RemoteJwks) Reset()

func (*RemoteJwks) String 

func (m *RemoteJwks) String() string

func (*RemoteJwks) XXX_DiscardUnknown 

func (m *RemoteJwks) XXX_DiscardUnknown()

func (*RemoteJwks) XXX_Marshal 

func (m *RemoteJwks) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*RemoteJwks) XXX_Merge 

func (m *RemoteJwks) XXX_Merge(src proto.Message)

func (*RemoteJwks) XXX_Size 

func (m *RemoteJwks) XXX_Size() int

func (*RemoteJwks) XXX_Unmarshal 

func (m *RemoteJwks) XXX_Unmarshal(b []byte) error

type RequirementRule 

type RequirementRule struct {
	// The route matching parameter. Only when the match is satisfied, the "requires" field will
	// apply.
	//
	// For example: following match will match all requests.
	//
	// .. code-block:: yaml
	//
	//    match:
	//      prefix: /
	//
	Match *route.RouteMatch `protobuf:"bytes,1,opt,name=match,proto3" json:"match,omitempty"`
	// Specify a Jwt Requirement. Please detail comment in message JwtRequirement.
	Requires             *JwtRequirement `protobuf:"bytes,2,opt,name=requires,proto3" json:"requires,omitempty"`
	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
	XXX_unrecognized     []byte          `json:"-"`
	XXX_sizecache        int32           `json:"-"`
}

This message specifies a Jwt requirement for a specific Route condition. Example 1:

.. code-block:: yaml

  • match: prefix: /healthz

In above example, "requires" field is empty for /healthz prefix match, it means that requests matching the path prefix don't require JWT authentication.

Example 2:

.. code-block:: yaml

  • match: prefix: / requires: { provider_name: provider-A }

In above example, all requests matched the path prefix require jwt authentication from "provider-A".

func (*RequirementRule) Descriptor 

func (*RequirementRule) Descriptor() ([]byte, []int)

func (*RequirementRule) GetMatch 

func (m *RequirementRule) GetMatch() *route.RouteMatch

func (*RequirementRule) GetRequires 

func (m *RequirementRule) GetRequires() *JwtRequirement

func (*RequirementRule) ProtoMessage 

func (*RequirementRule) ProtoMessage()

func (*RequirementRule) Reset 

func (m *RequirementRule) Reset()

func (*RequirementRule) String 

func (m *RequirementRule) String() string

func (*RequirementRule) XXX_DiscardUnknown 

func (m *RequirementRule) XXX_DiscardUnknown()

func (*RequirementRule) XXX_Marshal 

func (m *RequirementRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*RequirementRule) XXX_Merge 

func (m *RequirementRule) XXX_Merge(src proto.Message)

func (*RequirementRule) XXX_Size 

func (m *RequirementRule) XXX_Size() int

func (*RequirementRule) XXX_Unmarshal 

func (m *RequirementRule) XXX_Unmarshal(b []byte) error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.