config.proto
Package: solo.io.envoy.extensions.filters.http.jwt_authn.v3
Types:
- JwtProvider
- RemoteJwks
- JwksAsyncFetch
- JwtHeader
- ProviderWithAudiences
- JwtRequirement
- JwtRequirementOrList
- JwtRequirementAndList
- RequirementRule
- FilterStateRule
- JwtAuthentication
- PerRouteConfig
Source File: github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/filters/http/jwt_authn/v3/config.proto
JwtProvider
Please see following for JWT authentication flow:
JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>
_The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>
_OpenID Connect <http://openid.net/connect>
_
A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:
- issuer: the principal that issues the JWT. If specified, it has to match the iss field in JWT.
- allowed audiences: the ones in the token have to be listed here.
- how to fetch public key JWKS to verify the token signature.
- how to extract JWT token in the request.
- how to pass successfully verified token payload.
Example:
.. code-block:: yaml
issuer: https://example.com
audiences:
- bookstore_android.apps.googleusercontent.com
- bookstore_web.apps.googleusercontent.com
remote_jwks:
http_uri:
uri: https://example.com/.well-known/jwks.json
cluster: example_jwks_cluster
timeout: 1s
cache_duration:
seconds: 300
[#next-free-field: 11]
"issuer": string
"audiences": []string
"remoteJwks": .solo.io.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks
"localJwks": .solo.io.envoy.config.core.v3.DataSource
"forward": bool
"fromHeaders": []solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtHeader
"fromParams": []string
"forwardPayloadHeader": string
"payloadInMetadata": string
"clockSkewSeconds": int
Field | Type | Description |
---|---|---|
issuer |
string |
Specify the principal <https://tools.ietf.org/html/rfc7519#section-4.1.1> _ that issued the JWT, usually a URL or an email address. It is optional. If specified, it has to match the *iss* field in JWT. If a JWT has *iss* field and this field is specified, they have to match, otherwise the JWT *iss* field is not checked. Note: *JwtRequirement* :ref:allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing> and :ref:allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed> are implemented differently than other *JwtRequirements*. Hence the usage of this field is different as follows if *allow_missing* or *allow_missing_or_failed* is used: * If a JWT has *iss* field, it needs to be specified by this field in one of *JwtProviders*. * If a JWT doesn’t have *iss* field, one of *JwtProviders* should fill this field empty. * Multiple *JwtProviders* should not have same value in this field. Example: https://securetoken.google.com Example: 1234567-compute@developer.gserviceaccount.com. |
audiences |
[]string |
The list of JWT audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3> _ are allowed to access. A JWT containing any of these audiences will be accepted. If not specified, will not check audiences in the token. Example: .. code-block:: yaml audiences: - bookstore_android.apps.googleusercontent.com - bookstore_web.apps.googleusercontent.com. |
remoteJwks |
.solo.io.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks | JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP URI and how the fetched JWKS should be cached. Example: .. code-block:: yaml remote_jwks: http_uri: uri: https://www.googleapis.com/oauth2/v1/certs cluster: jwt.www.googleapis.com |
localJwks |
.solo.io.envoy.config.core.v3.DataSource | JWKS is in local data source. It could be either in a local file or embedded in the inline_string. Example: local file .. code-block:: yaml local_jwks: filename: /etc/envoy/jwks/jwks1.txt Example: inline_string .. code-block:: yaml local_jwks: inline_string: ACADADADADA. Only one of localJwks or remoteJwks can be set. |
forward |
bool |
If false, the JWT is removed in the request after a success verification. If true, the JWT is not removed in the request. Default value is false. |
fromHeaders |
[]solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtHeader | Two fields below define where to extract the JWT from an HTTP request. If no explicit location is specified, the following default locations are tried in order: 1. The Authorization header using the Bearer schema <https://tools.ietf.org/html/rfc6750#section-2.1> . Example:: Authorization: Bearer access_token <https://tools.ietf.org/html/rfc6750#section-2.3> x-goog-iap-jwt-assertion: <JWT> . |
fromParams |
[]string |
JWT is sent in a query parameter. jwt_params represents the query parameter names. For example, if config is: .. code-block:: yaml from_params: - jwt_token The JWT format in query parameter is:: /path?jwt_token= |
forwardPayloadHeader |
string |
This field specifies the header name to forward a successfully verified JWT payload to the backend. The forwarded data is:: base64url_encoded(jwt_payload_in_JSON) If it is not specified, the payload will not be forwarded. |
payloadInMetadata |
string |
If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: namespace is the jwt_authn filter name as envoy.filters.http.jwt_authn The value is the protobuf::Struct. The value of this field will be the key for its fields and the value is the protobuf::Struct converted from JWT JSON payload. For example, if payload_in_metadata is my_payload: .. code-block:: yaml envoy.filters.http.jwt_authn: my_payload: iss: https://example.com sub: test@example.com aud: https://example.com exp: 1501281058. |
clockSkewSeconds |
int |
Specify the clock skew in seconds when verifying JWT time constraint, such as exp , and nbf . If not specified, default is 60 seconds. |
RemoteJwks
This message specifies how to fetch JWKS from remote and how to cache it.
"httpUri": .solo.io.envoy.config.core.v3.HttpUri
"cacheDuration": .google.protobuf.Duration
"asyncFetch": .solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwksAsyncFetch
Field | Type | Description |
---|---|---|
httpUri |
.solo.io.envoy.config.core.v3.HttpUri | The HTTP URI to fetch the JWKS. For example: .. code-block:: yaml http_uri: uri: https://www.googleapis.com/oauth2/v1/certs cluster: jwt.www.googleapis.com |
cacheDuration |
.google.protobuf.Duration | Duration after which the cached JWKS should be expired. If not specified, default cache duration is 5 minutes. |
asyncFetch |
.solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwksAsyncFetch | Fetch Jwks asynchronously in the main thread before the listener is activated. Fetched Jwks can be used by all worker threads. If this feature is not enabled: * The Jwks is fetched on-demand when the requests come. During the fetching, first few requests are paused until the Jwks is fetched. * Each worker thread fetches its own Jwks since Jwks cache is per worker thread. If this feature is enabled: * Fetched Jwks is done in the main thread before the listener is activated. Its fetched Jwks can be used by all worker threads. Each worker thread doesn’t need to fetch its own. * Jwks is ready when the requests come, not need to wait for the Jwks fetching. |
JwksAsyncFetch
Fetch Jwks asynchronously in the main thread when the filter config is parsed. The listener is activated only after the Jwks is fetched. When the Jwks is expired in the cache, it is fetched again in the main thread. The fetched Jwks from the main thread can be used by all worker threads.
"fastListener": bool
Field | Type | Description |
---|---|---|
fastListener |
bool |
If false, the listener is activated after the initial fetch is completed. The initial fetch result can be either successful or failed. If true, it is activated without waiting for the initial fetch to complete. Default is false. |
JwtHeader
This message specifies a header location to extract JWT token.
"name": string
"valuePrefix": string
Field | Type | Description |
---|---|---|
name |
string |
The HTTP header name. |
valuePrefix |
string |
The value prefix. The value format is “value_prefix |
ProviderWithAudiences
Specify a required provider with audiences.
"providerName": string
"audiences": []string
Field | Type | Description |
---|---|---|
providerName |
string |
Specify a required provider name. |
audiences |
[]string |
This field overrides the one specified in the JwtProvider. |
JwtRequirement
This message specifies a Jwt requirement. An empty message means JWT verification is not required. Here are some config examples:
.. code-block:: yaml
Example 1: not required with an empty message
Example 2: require A
provider_name: provider-A
Example 3: require A or B
requires_any: requirements: - provider_name: provider-A - provider_name: provider-B
Example 4: require A and B
requires_all: requirements: - provider_name: provider-A - provider_name: provider-B
Example 5: require A and (B or C)
requires_all: requirements: - provider_name: provider-A - requires_any: requirements: - provider_name: provider-B - provider_name: provider-C
Example 6: require A or (B and C)
requires_any: requirements: - provider_name: provider-A - requires_all: requirements: - provider_name: provider-B - provider_name: provider-C
Example 7: A is optional (if token from A is provided, it must be valid, but also allows
missing token.) requires_any: requirements:
- provider_name: provider-A
- allow_missing: {}
Example 8: A is optional and B is required.
requires_all: requirements:
- requires_any:
requirements:
- provider_name: provider-A
- allow_missing: {}
- provider_name: provider-B
[#next-free-field: 7]
"providerName": string
"providerAndAudiences": .solo.io.envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences
"requiresAny": .solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList
"requiresAll": .solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList
"allowMissingOrFailed": .google.protobuf.Empty
"allowMissing": .google.protobuf.Empty
Field | Type | Description |
---|---|---|
providerName |
string |
Specify a required provider name. Only one of providerName , providerAndAudiences , requiresAny , requiresAll , allowMissingOrFailed , or allowMissing can be set. |
providerAndAudiences |
.solo.io.envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences | Specify a required provider with audiences. Only one of providerAndAudiences , providerName , requiresAny , requiresAll , allowMissingOrFailed , or allowMissing can be set. |
requiresAny |
.solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList | Specify list of JwtRequirement. Their results are OR-ed. If any one of them passes, the result is passed. Only one of requiresAny , providerName , providerAndAudiences , requiresAll , allowMissingOrFailed , or allowMissing can be set. |
requiresAll |
.solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList | Specify list of JwtRequirement. Their results are AND-ed. All of them must pass, if one of them fails or missing, it fails. Only one of requiresAll , providerName , providerAndAudiences , requiresAny , allowMissingOrFailed , or allowMissing can be set. |
allowMissingOrFailed |
.google.protobuf.Empty | The requirement is always satisfied even if JWT is missing or the JWT verification fails. A typical usage is: this filter is used to only verify JWTs and pass the verified JWT payloads to another filter, the other filter will make decision. In this mode, all JWT tokens will be verified. Only one of allowMissingOrFailed , providerName , providerAndAudiences , requiresAny , requiresAll , or allowMissing can be set. |
allowMissing |
.google.protobuf.Empty | The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid. Similar to allow_missing_or_failed, this is used to only verify JWTs and pass the verified payload to another filter. The different is this mode will reject requests with invalid tokens. Only one of allowMissing , providerName , providerAndAudiences , requiresAny , requiresAll , or allowMissingOrFailed can be set. |
JwtRequirementOrList
This message specifies a list of RequiredProvider. Their results are OR-ed; if any one of them passes, the result is passed
"requirements": []solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement
Field | Type | Description |
---|---|---|
requirements |
[]solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement | Specify a list of JwtRequirement. |
JwtRequirementAndList
This message specifies a list of RequiredProvider. Their results are AND-ed; all of them must pass, if one of them fails or missing, it fails.
"requirements": []solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement
Field | Type | Description |
---|---|---|
requirements |
[]solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement | Specify a list of JwtRequirement. |
RequirementRule
This message specifies a Jwt requirement for a specific Route condition. Example 1:
.. code-block:: yaml
- match: prefix: /healthz
In above example, “requires” field is empty for /healthz prefix match, it means that requests matching the path prefix don’t require JWT authentication.
Example 2:
.. code-block:: yaml
- match: prefix: / requires: { provider_name: provider-A }
In above example, all requests matched the path prefix require jwt authentication from “provider-A”.
"match": .solo.io.envoy.config.route.v3.RouteMatch
"requires": .solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement
"requirementName": string
Field | Type | Description |
---|---|---|
match |
.solo.io.envoy.config.route.v3.RouteMatch | The route matching parameter. Only when the match is satisfied, the “requires” field will apply. For example: following match will match all requests. .. code-block:: yaml match: prefix: /. |
requires |
.solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement | Specify a Jwt requirement. Please see detail comment in message JwtRequirement. Only one of requires or requirementName can be set. |
requirementName |
string |
Use requirement_name to specify a Jwt requirement. This requirement_name MUST be specified at the :ref:requirement_map <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.requirement_map> in JwtAuthentication . Only one of requirementName or requires can be set. |
FilterStateRule
This message specifies Jwt requirements based on stream_info.filterState.
This FilterState should use Router::StringAccessor
object to set a string value.
Other HTTP filters can use it to specify Jwt requirements dynamically.
Example:
.. code-block:: yaml
name: jwt_selector requires: issuer_1: provider_name: issuer1 issuer_2: provider_name: issuer2
If a filter set “jwt_selector” with “issuer_1” to FilterState for a request, jwt_authn filter will use JwtRequirement{“provider_name”: “issuer1”} to verify.
"name": string
"requires": map<string, .solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement>
Field | Type | Description |
---|---|---|
name |
string |
The filter state name to retrieve the Router::StringAccessor object. |
requires |
map<string, .solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement> |
A map of string keys to requirements. The string key is the string value in the FilterState with the name specified in the name field above. |
JwtAuthentication
This is the Envoy HTTP filter config for JWT authentication.
For example:
.. code-block:: yaml
providers: provider1: issuer: issuer1 audiences: - audience1 - audience2 remote_jwks: http_uri: uri: https://example.com/.well-known/jwks.json cluster: example_jwks_cluster timeout: 1s provider2: issuer: issuer2 local_jwks: inline_string: jwks_string
rules: # Not jwt verification is required for /health path - match: prefix: /health
# Jwt verification for provider1 is required for path prefixed with "prefix"
- match:
prefix: /prefix
requires:
provider_name: provider1
# Jwt verification for either provider1 or provider2 is required for all other requests.
- match:
prefix: /
requires:
requires_any:
requirements:
- provider_name: provider1
- provider_name: provider2
[#next-free-field: 6]
"providers": map<string, .solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtProvider>
"rules": []solo.io.envoy.extensions.filters.http.jwt_authn.v3.RequirementRule
"filterStateRules": .solo.io.envoy.extensions.filters.http.jwt_authn.v3.FilterStateRule
"bypassCorsPreflight": bool
"requirementMap": map<string, .solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement>
Field | Type | Description |
---|---|---|
providers |
map<string, .solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtProvider> |
Map of provider names to JwtProviders. .. code-block:: yaml providers: provider1: issuer: issuer1 audiences: - audience1 - audience2 remote_jwks: http_uri: uri: https://example.com/.well-known/jwks.json cluster: example_jwks_cluster timeout: 1s provider2: issuer: provider2 local_jwks: inline_string: jwks_string. |
rules |
[]solo.io.envoy.extensions.filters.http.jwt_authn.v3.RequirementRule | Specifies requirements based on the route matches. The first matched requirement will be applied. If there are overlapped match conditions, please put the most specific match first. Examples .. code-block:: yaml rules: - match: prefix: /healthz - match: prefix: /baz requires: provider_name: provider1 - match: prefix: /foo requires: requires_any: requirements: - provider_name: provider1 - provider_name: provider2 - match: prefix: /bar requires: requires_all: requirements: - provider_name: provider1 - provider_name: provider2. |
filterStateRules |
.solo.io.envoy.extensions.filters.http.jwt_authn.v3.FilterStateRule | This message specifies Jwt requirements based on stream_info.filterState. Other HTTP filters can use it to specify Jwt requirements dynamically. The rules field above is checked first, if it could not find any matches, check this one. |
bypassCorsPreflight |
bool |
When set to true, bypass the CORS preflight request <http://www.w3.org/TR/cors/#cross-origin-request-with-preflight> _ regardless of JWT requirements specified in the rules. |
requirementMap |
map<string, .solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement> |
A map of unique requirement_names to JwtRequirements. :ref:requirement_name <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.PerRouteConfig.requirement_name> in PerRouteConfig uses this map to specify a JwtRequirement. |
PerRouteConfig
Specify per-route config.
"disabled": bool
"requirementName": string
Field | Type | Description |
---|---|---|
disabled |
bool |
Disable Jwt Authentication for this route. Only one of disabled or requirementName can be set. |
requirementName |
string |
Use requirement_name to specify a JwtRequirement. This requirement_name MUST be specified at the :ref:requirement_map <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.requirement_map> in JwtAuthentication . If no, the requests using this route will be rejected with 403. Only one of requirementName or disabled can be set. |