jwt.proto

Package: jwt.options.gloo.solo.io

Types:

Source File: github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/jwt/jwt.proto

JwtStagedVhostExtension

"beforeExtAuth": .jwt.options.gloo.solo.io.VhostExtension
"afterExtAuth": .jwt.options.gloo.solo.io.VhostExtension

Field Type Description
beforeExtAuth .jwt.options.gloo.solo.io.VhostExtension JWT Virtual host config for the JWT filter that runs before the extauth filter.
afterExtAuth .jwt.options.gloo.solo.io.VhostExtension JWT Virtual host config for the JWT filter that runs after the extauth filter.

JwtStagedRouteExtension

"beforeExtAuth": .jwt.options.gloo.solo.io.RouteExtension
"afterExtAuth": .jwt.options.gloo.solo.io.RouteExtension

Field Type Description
beforeExtAuth .jwt.options.gloo.solo.io.RouteExtension JWT route config for the JWT filter that runs after the extauth filter.
afterExtAuth .jwt.options.gloo.solo.io.RouteExtension JWT route config for the JWT filter that runs after the extauth filter.

VhostExtension

"providers": map<string, .jwt.options.gloo.solo.io.Provider>
"allowMissingOrFailedJwt": bool

Field Type Description
providers map<string, .jwt.options.gloo.solo.io.Provider> Map of JWT provider name to Provider. If specified, multiple providers will be OR-ed together and will allow validation to any of the providers.
allowMissingOrFailedJwt bool Allow pass through of JWT requests for this virtual host, even if JWT token is missing or JWT auth failed. If this is false (default false), requests that fail JWT authentication will fail authorization immediately. For example, if a request requires either JWT auth OR another auth method, this can be enabled to allow a failed JWT auth request to pass through to the other auth method.

RouteExtension

"disable": bool

Field Type Description
disable bool Disable JWT checks on this route.

Provider

"jwks": .jwt.options.gloo.solo.io.Jwks
"audiences": []string
"issuer": string
"tokenSource": .jwt.options.gloo.solo.io.TokenSource
"keepToken": bool
"claimsToHeaders": []jwt.options.gloo.solo.io.ClaimToHeader

Field Type Description
jwks .jwt.options.gloo.solo.io.Jwks The source for the keys to validate JWTs.
audiences []string An incoming JWT must have an ‘aud’ claim and it must be in this list.
issuer string Issuer of the JWT. the ‘iss’ claim of the JWT must match this.
tokenSource .jwt.options.gloo.solo.io.TokenSource Where to find the JWT of the current provider.
keepToken bool Should the token forwarded upstream. if false, the header containing the token will be removed.
claimsToHeaders []jwt.options.gloo.solo.io.ClaimToHeader What claims should be copied to upstream headers.

Jwks

"remote": .jwt.options.gloo.solo.io.RemoteJwks
"local": .jwt.options.gloo.solo.io.LocalJwks

Field Type Description
remote .jwt.options.gloo.solo.io.RemoteJwks Use a remote JWKS server. Only one of remote or local can be set.
local .jwt.options.gloo.solo.io.LocalJwks Use an inline JWKS. Only one of local or remote can be set.

RemoteJwks

"url": string
"upstreamRef": .core.solo.io.ResourceRef
"cacheDuration": .google.protobuf.Duration

Field Type Description
url string The url used when accessing the upstream for Json Web Key Set. This is used to set the host and path in the request.
upstreamRef .core.solo.io.ResourceRef The Upstream representing the Json Web Key Set server.
cacheDuration .google.protobuf.Duration Duration after which the cached JWKS should be expired. If not specified, default cache duration is 5 minutes.

LocalJwks

"key": string

Field Type Description
key string Inline key. this can be json web key, key-set or PEM format.

TokenSource

Describes the location of a JWT token

"headers": []jwt.options.gloo.solo.io.TokenSource.HeaderSource
"queryParams": []string

Field Type Description
headers []jwt.options.gloo.solo.io.TokenSource.HeaderSource Try to retrieve token from these headers.
queryParams []string Try to retrieve token from these query params.

HeaderSource

Describes how to retrieve a JWT from a header

"header": string
"prefix": string

Field Type Description
header string The name of the header. for example, “authorization”.
prefix string Prefix before the token. for example, “Bearer “.

ClaimToHeader

Allows copying verified claims to headers sent upstream

"claim": string
"header": string
"append": bool

Field Type Description
claim string Claim name. for example, “sub”.
header string The header the claim will be copied to. for example, “x-sub”.
append bool If the header exists, append to it (true), or overwrite it (false).