Documentation ¶
Index ¶
- Variables
- type DataSource
- func (*DataSource) Descriptor() ([]byte, []int)deprecated
- func (x *DataSource) GetFilename() string
- func (x *DataSource) GetInlineBytes() []byte
- func (x *DataSource) GetInlineString() string
- func (m *DataSource) GetSpecifier() isDataSource_Specifier
- func (*DataSource) ProtoMessage()
- func (x *DataSource) ProtoReflect() protoreflect.Message
- func (x *DataSource) Reset()
- func (x *DataSource) String() string
- type DataSource_Filename
- type DataSource_InlineBytes
- type DataSource_InlineString
- type HttpUri
- func (*HttpUri) Descriptor() ([]byte, []int)deprecated
- func (x *HttpUri) GetCluster() string
- func (m *HttpUri) GetHttpUpstreamType() isHttpUri_HttpUpstreamType
- func (x *HttpUri) GetTimeout() *duration.Duration
- func (x *HttpUri) GetUri() string
- func (*HttpUri) ProtoMessage()
- func (x *HttpUri) ProtoReflect() protoreflect.Message
- func (x *HttpUri) Reset()
- func (x *HttpUri) String() string
- type HttpUri_Cluster
- type JwtAuthentication
- func (*JwtAuthentication) Descriptor() ([]byte, []int)deprecated
- func (x *JwtAuthentication) GetAllowMissingOrFailed() bool
- func (x *JwtAuthentication) GetRules() []*JwtRule
- func (*JwtAuthentication) ProtoMessage()
- func (x *JwtAuthentication) ProtoReflect() protoreflect.Message
- func (x *JwtAuthentication) Reset()
- func (x *JwtAuthentication) String() string
- type JwtHeader
- type JwtRule
- func (*JwtRule) Descriptor() ([]byte, []int)deprecated
- func (x *JwtRule) GetAudiences() []string
- func (x *JwtRule) GetForward() bool
- func (x *JwtRule) GetForwardPayloadHeader() string
- func (x *JwtRule) GetFromHeaders() []*JwtHeader
- func (x *JwtRule) GetFromParams() []string
- func (x *JwtRule) GetIssuer() string
- func (m *JwtRule) GetJwksSourceSpecifier() isJwtRule_JwksSourceSpecifier
- func (x *JwtRule) GetLocalJwks() *DataSource
- func (x *JwtRule) GetRemoteJwks() *RemoteJwks
- func (*JwtRule) ProtoMessage()
- func (x *JwtRule) ProtoReflect() protoreflect.Message
- func (x *JwtRule) Reset()
- func (x *JwtRule) String() string
- type JwtRule_LocalJwks
- type JwtRule_RemoteJwks
- type RemoteJwks
- func (*RemoteJwks) Descriptor() ([]byte, []int)deprecated
- func (x *RemoteJwks) GetCacheDuration() *duration.Duration
- func (x *RemoteJwks) GetHttpUri() *HttpUri
- func (*RemoteJwks) ProtoMessage()
- func (x *RemoteJwks) ProtoReflect() protoreflect.Message
- func (x *RemoteJwks) Reset()
- func (x *RemoteJwks) String() string
Constants ¶
This section is empty.
Variables ¶
var File_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto protoreflect.FileDescriptor
Functions ¶
This section is empty.
Types ¶
type DataSource ¶
// DataSource is a data source consisting of either a file or an inline value.
// The variant in use is carried by the Specifier oneof.
type DataSource struct {
	// Types that are assignable to Specifier:
	//
	//	*DataSource_Filename
	//	*DataSource_InlineBytes
	//	*DataSource_InlineString
	Specifier isDataSource_Specifier `protobuf_oneof:"specifier"`
	// contains filtered or unexported fields
}
Copied from @envoy/api/envoy/api/v2/core/base.proto. Data source consisting of either a file or an inline value.
func (*DataSource) Descriptor
deprecated
func (*DataSource) Descriptor() ([]byte, []int)
Deprecated: Use DataSource.ProtoReflect.Descriptor instead.
func (*DataSource) GetFilename ¶
func (x *DataSource) GetFilename() string
func (*DataSource) GetInlineBytes ¶
func (x *DataSource) GetInlineBytes() []byte
func (*DataSource) GetInlineString ¶
func (x *DataSource) GetInlineString() string
func (*DataSource) GetSpecifier ¶
func (m *DataSource) GetSpecifier() isDataSource_Specifier
func (*DataSource) ProtoMessage ¶
func (*DataSource) ProtoMessage()
func (*DataSource) ProtoReflect ¶
func (x *DataSource) ProtoReflect() protoreflect.Message
func (*DataSource) Reset ¶
func (x *DataSource) Reset()
func (*DataSource) String ¶
func (x *DataSource) String() string
type DataSource_Filename ¶
// DataSource_Filename is the DataSource.Specifier variant that names a file.
type DataSource_Filename struct {
	// Local filesystem data source.
	//
	// NOTE(review): when this DataSource is used as JwtRule_LocalJwks, the file
	// holds the keys that tokens are verified against, so anyone able to write
	// it can decide which tokens verify. Restrict write access to the path.
	// Presumably the path is resolved on the host running the proxy — confirm.
	Filename string `protobuf:"bytes,1,opt,name=filename,proto3,oneof"`
}
type DataSource_InlineBytes ¶
// DataSource_InlineBytes is the DataSource.Specifier variant that carries raw
// bytes directly in the configuration.
type DataSource_InlineBytes struct {
	// Bytes inlined in the configuration.
	InlineBytes []byte `protobuf:"bytes,2,opt,name=inline_bytes,json=inlineBytes,proto3,oneof"`
}
type DataSource_InlineString ¶
// DataSource_InlineString is the DataSource.Specifier variant that carries a
// string directly in the configuration.
type DataSource_InlineString struct {
	// String inlined in the configuration.
	InlineString string `protobuf:"bytes,3,opt,name=inline_string,json=inlineString,proto3,oneof"`
}
type HttpUri ¶
// HttpUri is the Envoy external URI descriptor: the URI to request, the
// upstream used to reach it, and a response timeout.
type HttpUri struct {
	// The HTTP server URI. It should be a full FQDN with protocol, host and path.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	uri: https://www.googleapis.com/oauth2/v1/certs
	//
	// NOTE(review): when this URI serves a JWKS, the keys it returns decide which
	// tokens verify, so the fetch needs transport integrity. Presumably TLS is
	// applied by the cluster named in HttpUpstreamType rather than inferred from
	// the scheme of this string — confirm that the cluster is configured for TLS
	// and validates the server certificate.
	Uri string `protobuf:"bytes,1,opt,name=uri,proto3" json:"uri,omitempty"`
	// Specify how `uri` is to be fetched. Today, this requires an explicit
	// cluster, but in the future we may support dynamic cluster creation or
	// inline DNS resolution. See `issue
	// <https://github.com/envoyproxy/envoy/issues/1606>`_.
	//
	// Types that are assignable to HttpUpstreamType:
	//
	//	*HttpUri_Cluster
	HttpUpstreamType isHttpUri_HttpUpstreamType `protobuf_oneof:"http_upstream_type"`
	// Sets the maximum duration in milliseconds that a response can take to arrive upon request.
	//
	// NOTE(review): the field is a Duration message, not a bare number; the
	// behavior when it is left unset is not visible here — confirm.
	Timeout *duration.Duration `protobuf:"bytes,3,opt,name=timeout,proto3" json:"timeout,omitempty"`
	// contains filtered or unexported fields
}
Copied from @envoy/api/envoy/api/v2/core/http_uri.proto. Envoy external URI descriptor.
func (*HttpUri) Descriptor
deprecated
func (*HttpUri) GetCluster ¶
func (*HttpUri) GetHttpUpstreamType ¶
func (m *HttpUri) GetHttpUpstreamType() isHttpUri_HttpUpstreamType
func (*HttpUri) GetTimeout ¶
func (*HttpUri) ProtoMessage ¶
func (*HttpUri) ProtoMessage()
func (*HttpUri) ProtoReflect ¶
func (x *HttpUri) ProtoReflect() protoreflect.Message
type HttpUri_Cluster ¶
// HttpUri_Cluster is the HttpUri.HttpUpstreamType variant that names an Envoy
// cluster.
type HttpUri_Cluster struct {
	// A cluster is created in the Envoy "cluster_manager" config
	// section. This field specifies the cluster name.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	cluster: jwks_cluster
	Cluster string `protobuf:"bytes,2,opt,name=cluster,proto3,oneof"`
}
type JwtAuthentication ¶
// JwtAuthentication is the Envoy HTTP filter config for JWT authentication.
type JwtAuthentication struct {
	// List of JWT rules to validate.
	Rules []*JwtRule `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
	// If true, the request is allowed if JWT is missing or JWT verification fails.
	// Default is false, a request without JWT or failed JWT verification is not allowed.
	//
	// NOTE(review): with this set to true the filter by itself no longer rejects
	// unauthenticated requests, including ones whose token failed verification.
	// Enable it only when a later layer makes the allow/deny decision; which
	// layer that is cannot be seen from this message — confirm.
	AllowMissingOrFailed bool `` /* 126-byte string literal not displayed */
	// contains filtered or unexported fields
}
This is the Envoy HTTP filter config for JWT authentication. [#not-implemented-hide:]
func (*JwtAuthentication) Descriptor
deprecated
func (*JwtAuthentication) Descriptor() ([]byte, []int)
Deprecated: Use JwtAuthentication.ProtoReflect.Descriptor instead.
func (*JwtAuthentication) GetAllowMissingOrFailed ¶
func (x *JwtAuthentication) GetAllowMissingOrFailed() bool
func (*JwtAuthentication) GetRules ¶
func (x *JwtAuthentication) GetRules() []*JwtRule
func (*JwtAuthentication) ProtoMessage ¶
func (*JwtAuthentication) ProtoMessage()
func (*JwtAuthentication) ProtoReflect ¶
func (x *JwtAuthentication) ProtoReflect() protoreflect.Message
func (*JwtAuthentication) Reset ¶
func (x *JwtAuthentication) Reset()
func (*JwtAuthentication) String ¶
func (x *JwtAuthentication) String() string
type JwtHeader ¶
// JwtHeader specifies a header location from which a JWT is extracted: the
// header name plus the prefix that precedes the token in the header value.
type JwtHeader struct {
	// The HTTP header name.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// The value prefix. The value format is "value_prefix<token>"
	// For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
	// end.
	ValuePrefix string `protobuf:"bytes,2,opt,name=value_prefix,json=valuePrefix,proto3" json:"value_prefix,omitempty"`
	// contains filtered or unexported fields
}
This message specifies a header location from which to extract the JWT.
func (*JwtHeader) Descriptor
deprecated
func (*JwtHeader) GetValuePrefix ¶
func (*JwtHeader) ProtoMessage ¶
func (*JwtHeader) ProtoMessage()
func (*JwtHeader) ProtoReflect ¶
func (x *JwtHeader) ProtoReflect() protoreflect.Message
type JwtRule ¶
// JwtRule specifies how a JSON Web Token (JWT) is verified: the expected
// issuer and audiences, where the JWKS comes from, where in the request the
// token is looked for, and what is passed on to the backend afterwards.
type JwtRule struct {
	// Identifies the principal that issued the JWT. See `here
	// <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_. Usually a URL or an email address.
	//
	// Example: https://securetoken.google.com
	// Example: 1234567-compute@developer.gserviceaccount.com
	Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ that are
	// allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
	// will not check audiences in the token.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	audiences:
	//	- bookstore_android.apps.googleusercontent.com
	//	  bookstore_web.apps.googleusercontent.com
	//
	// NOTE(review): leaving this empty turns the audience check off, so a token
	// the same issuer minted for a different service is not rejected on audience
	// grounds. List the expected audiences unless that is intended.
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// `JSON Web Key Set <https://tools.ietf.org/html/rfc7517#appendix-A>`_ is needed to validate
	// signature of the JWT. This field specifies where to fetch JWKS.
	//
	// Types that are assignable to JwksSourceSpecifier:
	//
	//	*JwtRule_RemoteJwks
	//	*JwtRule_LocalJwks
	JwksSourceSpecifier isJwtRule_JwksSourceSpecifier `protobuf_oneof:"jwks_source_specifier"`
	// If false, the JWT is removed in the request after a successful verification. If true, the JWT is
	// not removed in the request. Default value is false.
	//
	// NOTE(review): with forward set to true the backend receives the bearer
	// token itself; enable it only when the backend needs the raw token.
	Forward bool `protobuf:"varint,5,opt,name=forward,proto3" json:"forward,omitempty"`
	// Specify the HTTP headers to extract JWT token. For examples, following config:
	//
	// .. code-block:: yaml
	//
	//	from_headers:
	//	- name: x-goog-iap-jwt-assertion
	//
	// can be used to extract token from header::
	//
	//	x-goog-iap-jwt-assertion: <JWT>.
	FromHeaders []*JwtHeader `protobuf:"bytes,6,rep,name=from_headers,json=fromHeaders,proto3" json:"from_headers,omitempty"`
	// JWT is sent in a query parameter. `from_params` represents the query parameter names.
	//
	// For example, if config is:
	//
	// .. code-block:: yaml
	//
	//	from_params:
	//	- jwt_token
	//
	// The JWT format in query parameter is::
	//
	//	/path?jwt_token=<JWT>
	//
	// NOTE(review): a token carried in the query string is part of the URL, and
	// URLs are commonly written to access logs and seen by intermediaries.
	// Prefer header extraction (FromHeaders) where the client allows it.
	FromParams []string `protobuf:"bytes,7,rep,name=from_params,json=fromParams,proto3" json:"from_params,omitempty"`
	// This field specifies the header name to forward a successfully verified JWT payload to the
	// backend. The forwarded data is::
	//
	//	base64_encoded(jwt_payload_in_JSON)
	//
	// If it is not specified, the payload will not be forwarded.
	// Multiple JWTs in a request from different issuers will be supported. Multiple JWTs from the
	// same issuer will not be supported. Each issuer can config this `forward_payload_header`. If
	// multiple JWTs from different issuers want to forward their payloads, their
	// `forward_payload_header` should be different.
	//
	// NOTE(review): the forwarded value is the payload only, without a signature,
	// so the backend cannot re-verify it and has to trust that the header came
	// from the proxy. Whether the filter removes a client-supplied header of the
	// same name is not visible here — confirm, or strip it ahead of the filter.
	ForwardPayloadHeader string `protobuf:"bytes,8,opt,name=forward_payload_header,json=forwardPayloadHeader,proto3" json:"forward_payload_header,omitempty"`
	// contains filtered or unexported fields
}
This message specifies how a JSON Web Token (JWT) can be verified. See the [JWT format definition](https://tools.ietf.org/html/rfc7519) for details. Please see [OAuth2.0](https://tools.ietf.org/html/rfc6749) and [OIDC1.0](http://openid.net/connect) for the authentication flow.
Example:
```yaml
issuer: https://example.com
audiences:
- bookstore_android.apps.googleusercontent.com
  bookstore_web.apps.googleusercontent.com
remote_jwks:
- http_uri:
  - uri: https://example.com/.well-known/jwks.json
    cluster: example_jwks_cluster
  cache_duration:
  - seconds: 300
```
func (*JwtRule) Descriptor
deprecated
func (*JwtRule) GetAudiences ¶
func (*JwtRule) GetForward ¶
func (*JwtRule) GetForwardPayloadHeader ¶
func (*JwtRule) GetFromHeaders ¶
func (*JwtRule) GetFromParams ¶
func (*JwtRule) GetJwksSourceSpecifier ¶
func (m *JwtRule) GetJwksSourceSpecifier() isJwtRule_JwksSourceSpecifier
func (*JwtRule) GetLocalJwks ¶
func (x *JwtRule) GetLocalJwks() *DataSource
func (*JwtRule) GetRemoteJwks ¶
func (x *JwtRule) GetRemoteJwks() *RemoteJwks
func (*JwtRule) ProtoMessage ¶
func (*JwtRule) ProtoMessage()
func (*JwtRule) ProtoReflect ¶
func (x *JwtRule) ProtoReflect() protoreflect.Message
type JwtRule_LocalJwks ¶
// JwtRule_LocalJwks is the JwtRule.JwksSourceSpecifier variant that takes the
// JWKS from a local DataSource.
type JwtRule_LocalJwks struct {
	// JWKS is in local data source. It could be either in a local file or embedded in the
	// inline_string.
	//
	// Example: local file
	//
	// .. code-block:: yaml
	//
	//	local_jwks:
	//	- filename: /etc/envoy/jwks/jwks1.txt
	//
	// Example: inline_string
	//
	// .. code-block:: yaml
	//
	//	local_jwks:
	//	- inline_string: "ACADADADADA"
	//
	// NOTE(review): a local JWKS is fixed at configuration time; nothing in this
	// message shows a refresh mechanism, so key rotation presumably needs a
	// configuration update — confirm.
	LocalJwks *DataSource `protobuf:"bytes,4,opt,name=local_jwks,json=localJwks,proto3,oneof"`
}
type JwtRule_RemoteJwks ¶
// JwtRule_RemoteJwks is the JwtRule.JwksSourceSpecifier variant that fetches
// the JWKS from a remote server.
type JwtRule_RemoteJwks struct {
	// JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
	// URI and how the fetched JWKS should be cached.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//	remote_jwks:
	//	- http_uri:
	//	  - uri: https://www.googleapis.com/oauth2/v1/certs
	//	    cluster: jwt.www.googleapis.com|443
	//	  cache_duration:
	//	  - seconds: 300
	//
	// NOTE(review): the fetched key set decides which signatures verify, so a
	// JWKS retrieved over plain HTTP can be replaced in transit. Use an HTTPS
	// endpoint reached through a TLS-enabled cluster.
	RemoteJwks *RemoteJwks `protobuf:"bytes,3,opt,name=remote_jwks,json=remoteJwks,proto3,oneof"`
}
type RemoteJwks ¶
// RemoteJwks specifies how to fetch a JWKS from a remote server and how long
// the fetched copy is cached.
type RemoteJwks struct {
	// The HTTP URI to fetch the JWKS. For example:
	//
	// .. code-block:: yaml
	//
	//	http_uri:
	//	- uri: https://www.googleapis.com/oauth2/v1/certs
	//	  cluster: jwt.www.googleapis.com|443
	HttpUri *HttpUri `protobuf:"bytes,1,opt,name=http_uri,json=httpUri,proto3" json:"http_uri,omitempty"`
	// Duration after which the cached JWKS should be expired. If not specified, default cache
	// duration is 5 minutes.
	//
	// NOTE(review): presumably a key the issuer has withdrawn keeps verifying
	// tokens until the cached set expires, so this value bounds how quickly a
	// rotation or revocation takes effect — confirm against the filter.
	CacheDuration *duration.Duration `protobuf:"bytes,2,opt,name=cache_duration,json=cacheDuration,proto3" json:"cache_duration,omitempty"`
	// contains filtered or unexported fields
}
This message specifies how to fetch the JWKS from a remote server and how to cache it.
func (*RemoteJwks) Descriptor
deprecated
func (*RemoteJwks) Descriptor() ([]byte, []int)
Deprecated: Use RemoteJwks.ProtoReflect.Descriptor instead.
func (*RemoteJwks) GetCacheDuration ¶
func (x *RemoteJwks) GetCacheDuration() *duration.Duration
func (*RemoteJwks) GetHttpUri ¶
func (x *RemoteJwks) GetHttpUri() *HttpUri
func (*RemoteJwks) ProtoMessage ¶
func (*RemoteJwks) ProtoMessage()
func (*RemoteJwks) ProtoReflect ¶
func (x *RemoteJwks) ProtoReflect() protoreflect.Message
func (*RemoteJwks) Reset ¶
func (x *RemoteJwks) Reset()
func (*RemoteJwks) String ¶
func (x *RemoteJwks) String() string