jwt.proto
Package: jwt.options.gloo.solo.io
Types:
JwtStagedVhostExtension
"beforeExtAuth": .jwt.options.gloo.solo.io.VhostExtension
"afterExtAuth": .jwt.options.gloo.solo.io.VhostExtension
JwtStagedRouteExtension
"beforeExtAuth": .jwt.options.gloo.solo.io.RouteExtension
"afterExtAuth": .jwt.options.gloo.solo.io.RouteExtension
VhostExtension
"providers": map<string, .jwt.options.gloo.solo.io.Provider>
"allowMissingOrFailedJwt": bool
| Field | Type | Description |
| --- | --- | --- |
| providers | map<string, .jwt.options.gloo.solo.io.Provider> | Map of JWT provider name to Provider. If multiple providers are specified, they are OR-ed together: a JWT that validates against any one of the providers is accepted. |
| allowMissingOrFailedJwt | bool | Allow requests for this virtual host to pass through even if the JWT is missing or JWT auth failed. If this is false (default false), requests that fail JWT authentication will fail authorization immediately. For example, if a request requires either JWT auth OR another auth method, this can be enabled to allow a failed JWT auth request to pass through to the other auth method. |
RouteExtension
| Field | Type | Description |
| --- | --- | --- |
| disable | bool | Disable JWT checks on this route. |
Provider
"jwks": .jwt.options.gloo.solo.io.Jwks
"audiences": [] string
"issuer": string
"tokenSource": .jwt.options.gloo.solo.io.TokenSource
"keepToken": bool
"claimsToHeaders": [] jwt.options.gloo.solo.io.ClaimToHeader
"clockSkewSeconds": .google.protobuf.UInt32Value
| Field | Type | Description |
| --- | --- | --- |
| jwks | .jwt.options.gloo.solo.io.Jwks | The source for the keys to validate JWTs. |
| audiences | []string | An incoming JWT must have an ‘aud’ claim and it must be in this list. |
| issuer | string | Issuer of the JWT. The ‘iss’ claim of the JWT must match this. |
| tokenSource | .jwt.options.gloo.solo.io.TokenSource | Where to find the JWT of the current provider. |
| keepToken | bool | Whether the token should be forwarded upstream. If false, the header containing the token will be removed. |
| claimsToHeaders | []jwt.options.gloo.solo.io.ClaimToHeader | What claims should be copied to upstream headers. |
| clockSkewSeconds | .google.protobuf.UInt32Value | Optional: ClockSkewSeconds is used to verify time constraints, such as exp and nbf. Default is 60s. |
Jwks
"remote": .jwt.options.gloo.solo.io.RemoteJwks
"local": .jwt.options.gloo.solo.io.LocalJwks
RemoteJwks
"url": string
"upstreamRef": .core.solo.io.ResourceRef
"cacheDuration": .google.protobuf.Duration
"asyncFetch": .solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwksAsyncFetch
| Field | Type | Description |
| --- | --- | --- |
| url | string | The URL used when accessing the upstream for the JSON Web Key Set. This is used to set the host and path in the request. |
| upstreamRef | .core.solo.io.ResourceRef | The Upstream representing the JSON Web Key Set server. |
| cacheDuration | .google.protobuf.Duration | Duration after which the cached JWKS should be expired. If not specified, the default cache duration is 5 minutes. |
| asyncFetch | .solo.io.envoy.extensions.filters.http.jwt_authn.v3.JwksAsyncFetch | Fetch the JWKS asynchronously in the main thread before the listener is activated. The fetched JWKS can be used by all worker threads. If this feature is not enabled, the JWKS is fetched on demand when requests arrive, the first few requests are paused until the JWKS is fetched, and each worker thread fetches its own JWKS because the JWKS cache is per worker thread. If this feature is enabled, the JWKS is fetched in the main thread before the listener is activated and can be used by all worker threads, so each worker thread does not need to fetch its own, and the JWKS is ready when requests arrive, with no need to wait for the fetch. |
LocalJwks
| Field | Type | Description |
| --- | --- | --- |
| key | string | Inline key. This can be a JSON Web Key, a key set, or PEM format. |
TokenSource
Describes the location of a JWT token
"headers": [] jwt.options.gloo.solo.io.TokenSource.HeaderSource
"queryParams": [] string
HeaderSource
Describes how to retrieve a JWT from a header
"header": string
"prefix": string

| Field | Type | Description |
| --- | --- | --- |
| header | string | The name of the header. For example, “authorization”. |
| prefix | string | Prefix before the token. For example, “Bearer ”. |
ClaimToHeader
Allows copying verified claims to headers sent upstream
"claim": string
"header": string
"append": bool

| Field | Type | Description |
| --- | --- | --- |
| claim | string | Claim name. For example, “sub”. |
| header | string | The header the claim will be copied to. For example, “x-sub”. |
| append | bool | If the header exists, append to it (true), or overwrite it (false). |
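
A VirtualService that combines the fields documented above, as an added example that is not taken from the Gloo Gateway documentation. The placement of these messages under `options.jwtStaged` on the virtual host and route of a `gateway.solo.io/v1` VirtualService is an assumption not stated on this page, and all resource names, hosts and URLs are constructed placeholders.

```yaml
# Added example; names, hosts and URLs are constructed placeholders.
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: example-vs
  namespace: gloo-system
spec:
  virtualHost:
    domains:
      - 'api.example.com'
    options:
      jwtStaged:                          # JwtStagedVhostExtension
        beforeExtAuth:                    # VhostExtension
          allowMissingOrFailedJwt: false  # default: a failed JWT check fails the request
          providers:
            corp-idp:                     # map key = provider name
              issuer: https://idp.example.com/
              audiences:                  # 'aud' must be present and in this list
                - https://api.example.com
              jwks:
                remote:
                  url: https://idp.example.com/.well-known/jwks.json
                  upstreamRef:            # Upstream that serves the JWKS
                    name: idp-jwks
                    namespace: gloo-system
                  cacheDuration: 300s     # same as the 5 minute default
              tokenSource:
                headers:
                  - header: authorization
                    prefix: 'Bearer '
              keepToken: false            # remove the token header before proxying
              claimsToHeaders:
                - claim: sub
                  header: x-sub
                  append: false           # overwrite an existing x-sub header
              clockSkewSeconds: 30        # tighter than the 60s default
    routes:
      - matchers:
          - prefix: /healthz
        options:
          jwtStaged:                      # JwtStagedRouteExtension
            beforeExtAuth:
              disable: true               # RouteExtension: no JWT check on this route
        routeAction:
          single:
            upstream:
              name: example-upstream
              namespace: gloo-system
```

With `append: false`, an `x-sub` header already present on the request is overwritten by the verified claim, so the upstream does not see a caller-supplied value for that header.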