Package : envoy.extensions.filters.http.jwt_authn.v3

Top

config.proto

Table of Contents

FilterStateRule

Field Type Label Description
name string The filter state name to retrieve the Router::StringAccessor object.
requires []envoy.extensions.filters.http.jwt_authn.v3.FilterStateRule.RequiresEntry repeated A map of string keys to requirements. The string key is the string value in the FilterState with the name specified in the name field above.

FilterStateRule.RequiresEntry

Field Type Label Description
key string
value envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement

JwtAuthentication

Field Type Label Description
providers []envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication.ProvidersEntry repeated Map of provider names to JwtProviders.
.. code-block:: yaml
providers: provider1: issuer: issuer1 audiences: - audience1 - audience2 remote_jwks: http_uri: uri: https://example.com/.well-known/jwks.json cluster: example_jwks_cluster timeout: 1s provider2: issuer: provider2 local_jwks: inline_string: jwks_string
rules []envoy.extensions.filters.http.jwt_authn.v3.RequirementRule repeated Specifies requirements based on the route matches. The first matched requirement will be applied. If there are overlapped match conditions, please put the most specific match first.
Examples
.. code-block:: yaml
rules: - match: prefix: /healthz - match: prefix: /baz requires: provider_name: provider1 - match: prefix: /foo requires: requires_any: requirements: - provider_name: provider1 - provider_name: provider2 - match: prefix: /bar requires: requires_all: requirements: - provider_name: provider1 - provider_name: provider2
filterStateRules envoy.extensions.filters.http.jwt_authn.v3.FilterStateRule This message specifies Jwt requirements based on stream_info.filterState. Other HTTP filters can use it to specify Jwt requirements dynamically. The rules field above is checked first, if it could not find any matches, check this one.
bypassCorsPreflight bool When set to true, bypass the CORS preflight request <http://www.w3.org/TR/cors/#cross-origin-request-with-preflight>_ regardless of JWT requirements specified in the rules.
requirementMap []envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication.RequirementMapEntry repeated A map of unique requirement_names to JwtRequirements. :ref:requirement_name <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.PerRouteConfig.requirement_name> in PerRouteConfig uses this map to specify a JwtRequirement.

JwtAuthentication.ProvidersEntry

Field Type Label Description
key string
value envoy.extensions.filters.http.jwt_authn.v3.JwtProvider

JwtAuthentication.RequirementMapEntry

Field Type Label Description
key string
value envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement

JwtHeader

Field Type Label Description
name string The HTTP header name.
valuePrefix string The value prefix. The value format is “value_prefix” For example, for “Authorization: Bearer ”, value_prefix="Bearer " with a space at the end.

JwtProvider

Field Type Label Description
issuer string Specify the principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>_ that issued the JWT, usually a URL or an email address.
It is optional. If specified, it has to match the *iss* field in JWT.
If a JWT has *iss* field and this field is specified, they have to match, otherwise the JWT *iss* field is not checked.
Note: *JwtRequirement* :ref:allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing> and :ref:allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed> are implemented differently than other *JwtRequirements*. Hence the usage of this field is different as follows if *allow_missing* or *allow_missing_or_failed* is used:
* If a JWT has *iss* field, it needs to be specified by this field in one of *JwtProviders*. * If a JWT doesn't have *iss* field, one of *JwtProviders* should fill this field empty. * Multiple *JwtProviders* should not have same value in this field.
Example: https://securetoken.google.com Example: 1234567-compute@developer.gserviceaccount.com
audiences []string repeated The list of JWT audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>_ are allowed to access. A JWT containing any of these audiences will be accepted. If not specified, will not check audiences in the token.
Example:
.. code-block:: yaml
audiences: - bookstore_android.apps.googleusercontent.com - bookstore_web.apps.googleusercontent.com
remoteJwks envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP URI and how the fetched JWKS should be cached.
Example:
.. code-block:: yaml
remote_jwks: http_uri: uri: https://www.googleapis.com/oauth2/v1/certs cluster: jwt.www.googleapis.com
localJwks envoy.config.core.v3.DataSource JWKS is in local data source. It could be either in a local file or embedded in the inline_string.
Example: local file
.. code-block:: yaml
local_jwks: filename: /etc/envoy/jwks/jwks1.txt
Example: inline_string
.. code-block:: yaml
local_jwks: inline_string: ACADADADADA
forward bool If false, the JWT is removed in the request after a success verification. If true, the JWT is not removed in the request. Default value is false.
fromHeaders []envoy.extensions.filters.http.jwt_authn.v3.JwtHeader repeated Two fields below define where to extract the JWT from an HTTP request.
If no explicit location is specified, the following default locations are tried in order:
1. The Authorization header using the Bearer schema <https://tools.ietf.org/html/rfc6750#section-2.1>_. Example::
Authorization: Bearer .
2. access_token <https://tools.ietf.org/html/rfc6750#section-2.3>_ query parameter.
Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations its provider specified or from the default locations.
Specify the HTTP headers to extract JWT token. For examples, following config:
.. code-block:: yaml
from_headers: - name: x-goog-iap-jwt-assertion
can be used to extract token from header::
x-goog-iap-jwt-assertion: <JWT>.
fromParams []string repeated JWT is sent in a query parameter. jwt_params represents the query parameter names.
For example, if config is:
.. code-block:: yaml
from_params: - jwt_token
The JWT format in query parameter is::
/path?jwt_token=
forwardPayloadHeader string This field specifies the header name to forward a successfully verified JWT payload to the backend. The forwarded data is::
base64url_encoded(jwt_payload_in_JSON)
If it is not specified, the payload will not be forwarded.
payloadInMetadata string If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: namespace is the jwt_authn filter name as envoy.filters.http.jwt_authn The value is the protobuf::Struct. The value of this field will be the key for its fields and the value is the protobuf::Struct converted from JWT JSON payload.
For example, if payload_in_metadata is my_payload:
.. code-block:: yaml
envoy.filters.http.jwt_authn: my_payload: iss: https://example.com sub: test@example.com aud: https://example.com exp: 1501281058
clockSkewSeconds uint32 Specify the clock skew in seconds when verifying JWT time constraint, such as exp, and nbf. If not specified, default is 60 seconds.

JwtRequirement

Field Type Label Description
providerName string Specify a required provider name.
providerAndAudiences envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences Specify a required provider with audiences.
requiresAny envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList Specify list of JwtRequirement. Their results are OR-ed. If any one of them passes, the result is passed.
requiresAll envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList Specify list of JwtRequirement. Their results are AND-ed. All of them must pass, if one of them fails or missing, it fails.
allowMissingOrFailed google.protobuf.Empty The requirement is always satisfied even if JWT is missing or the JWT verification fails. A typical usage is: this filter is used to only verify JWTs and pass the verified JWT payloads to another filter, the other filter will make decision. In this mode, all JWT tokens will be verified.
allowMissing google.protobuf.Empty The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid. Similar to allow_missing_or_failed, this is used to only verify JWTs and pass the verified payload to another filter. The different is this mode will reject requests with invalid tokens.

JwtRequirementAndList

Field Type Label Description
requirements []envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement repeated Specify a list of JwtRequirement.

JwtRequirementOrList

Field Type Label Description
requirements []envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement repeated Specify a list of JwtRequirement.

PerRouteConfig

Field Type Label Description
disabled bool Disable Jwt Authentication for this route.
requirementName string Use requirement_name to specify a JwtRequirement. This requirement_name MUST be specified at the :ref:requirement_map <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.requirement_map> in JwtAuthentication. If no, the requests using this route will be rejected with 403.

ProviderWithAudiences

Field Type Label Description
providerName string Specify a required provider name.
audiences []string repeated This field overrides the one specified in the JwtProvider.

RemoteJwks

Field Type Label Description
httpUri envoy.config.core.v3.HttpUri The HTTP URI to fetch the JWKS. For example:
.. code-block:: yaml
http_uri: uri: https://www.googleapis.com/oauth2/v1/certs cluster: jwt.www.googleapis.com
cacheDuration google.protobuf.Duration Duration after which the cached JWKS should be expired. If not specified, default cache duration is 5 minutes.

RequirementRule

Field Type Label Description
match envoy.config.route.v3.RouteMatch The route matching parameter. Only when the match is satisfied, the “requires” field will apply.
For example: following match will match all requests.
.. code-block:: yaml
match: prefix: /
requires envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement Specify a Jwt requirement. Please see detail comment in message JwtRequirement.
requirementName string Use requirement_name to specify a Jwt requirement. This requirement_name MUST be specified at the :ref:requirement_map <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.requirement_map> in JwtAuthentication.