JWT Authentication¶
JWT Authentication configuration overview.
config.filter.http.jwt_authn.v2alpha.JwtProvider¶
[config.filter.http.jwt_authn.v2alpha.JwtProvider proto]
Please see following for JWT authentication flow:
A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:
- issuer: the principal that issues the JWT. It has to match the one from the token.
- allowed audiences: the ones in the token have to be listed here.
- how to fetch public key JWKS to verify the token signature.
- how to extract JWT token in the request.
- how to pass successfully verified token payload.
Example:
issuer: https://example.com
audiences:
- bookstore_android.apps.googleusercontent.com
- bookstore_web.apps.googleusercontent.com
remote_jwks:
http_uri:
uri: https://example.com/.well-known/jwks.json
cluster: example_jwks_cluster
cache_duration:
seconds: 300
{
"issuer": "...",
"audiences": [],
"remote_jwks": "{...}",
"local_jwks": "{...}",
"forward": "...",
"from_headers": [],
"from_params": [],
"forward_payload_header": "...",
"payload_in_metadata": "..."
}
- issuer
(string, REQUIRED) Specify the principal that issued the JWT, usually a URL or an email address.
Example: https://securetoken.google.com Example: 1234567-compute@developer.gserviceaccount.com
- audiences
(string) The list of JWT audiences are allowed to access. A JWT containing any of these audiences will be accepted. If not specified, will not check audiences in the token.
Example:
audiences: - bookstore_android.apps.googleusercontent.com - bookstore_web.apps.googleusercontent.com
- remote_jwks
(config.filter.http.jwt_authn.v2alpha.RemoteJwks) JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP URI and how the fetched JWKS should be cached.
Example:
remote_jwks: http_uri: uri: https://www.googleapis.com/oauth2/v1/certs cluster: jwt.www.googleapis.com|443 cache_duration: seconds: 300
JSON Web Key Set (JWKS) is needed to validate signature of a JWT. This field specifies where to fetch JWKS.
Precisely one of remote_jwks, local_jwks must be set.
- local_jwks
(core.DataSource) JWKS is in local data source. It could be either in a local file or embedded in the inline_string.
Example: local file
local_jwks: filename: /etc/envoy/jwks/jwks1.txt
Example: inline_string
local_jwks: inline_string: ACADADADADA
JSON Web Key Set (JWKS) is needed to validate signature of a JWT. This field specifies where to fetch JWKS.
Precisely one of remote_jwks, local_jwks must be set.
- forward
- (bool) If false, the JWT is removed in the request after a success verification. If true, the JWT is not removed in the request. Default value is false.
- from_headers
(config.filter.http.jwt_authn.v2alpha.JwtHeader) Two fields below define where to extract the JWT from an HTTP request.
If no explicit location is specified, the following default locations are tried in order:
1. The Authorization header using the Bearer schema. Example:
Authorization: Bearer <token>.
- access_token query parameter.
Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations its provider specified or from the default locations.
Specify the HTTP headers to extract JWT token. For examples, following config:
from_headers: - name: x-goog-iap-jwt-assertion
can be used to extract token from header:
x-goog-iap-jwt-assertion: <JWT>.
- from_params
(string) JWT is sent in a query parameter. jwt_params represents the query parameter names.
For example, if config is:
from_params: - jwt_token
The JWT format in query parameter is:
/path?jwt_token=<JWT>
- forward_payload_header
(string) This field specifies the header name to forward a successfully verified JWT payload to the backend. The forwarded data is:
base64_encoded(jwt_payload_in_JSON)
If it is not specified, the payload will not be forwarded.
- payload_in_metadata
(string) If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata in the format as: namespace is the jwt_authn filter name as envoy.filters.http.jwt_authn The value is the protobuf::Struct. The value of this field will be the key for its fields and the value is the protobuf::Struct converted from JWT JSON payload.
For example, if payload_in_metadata is my_payload:
envoy.filters.http.jwt_authn: my_payload: iss: https://example.com sub: test@example.com aud: https://example.com exp: 1501281058
config.filter.http.jwt_authn.v2alpha.RemoteJwks¶
[config.filter.http.jwt_authn.v2alpha.RemoteJwks proto]
This message specifies how to fetch JWKS from remote and how to cache it.
{
"http_uri": "{...}",
"cache_duration": "{...}"
}
- http_uri
(core.HttpUri) The HTTP URI to fetch the JWKS. For example:
http_uri: uri: https://www.googleapis.com/oauth2/v1/certs cluster: jwt.www.googleapis.com|443
- cache_duration
- (Duration) Duration after which the cached JWKS should be expired. If not specified, default cache duration is 5 minutes.
config.filter.http.jwt_authn.v2alpha.JwtHeader¶
[config.filter.http.jwt_authn.v2alpha.JwtHeader proto]
This message specifies a header location to extract JWT token.
{
"name": "...",
"value_prefix": "..."
}
- name
- (string, REQUIRED) The HTTP header name.
- value_prefix
- (string) The value prefix. The value format is “value_prefix<token>” For example, for “Authorization: Bearer <token>”, value_prefix=”Bearer ” with a space at the end.
config.filter.http.jwt_authn.v2alpha.ProviderWithAudiences¶
[config.filter.http.jwt_authn.v2alpha.ProviderWithAudiences proto]
Specify a required provider with audiences.
{
"provider_name": "...",
"audiences": []
}
- provider_name
- (string) Specify a required provider name.
- audiences
- (string) This field overrides the one specified in the JwtProvider.
config.filter.http.jwt_authn.v2alpha.JwtRequirement¶
[config.filter.http.jwt_authn.v2alpha.JwtRequirement proto]
This message specifies a Jwt requirement. An empty message means JWT verification is not required. Here are some config examples:
# Example 1: not required with an empty message
# Example 2: require A
provider_name: provider-A
# Example 3: require A or B
requires_any:
requirements:
- provider_name: provider-A
- provider_name: provider-B
# Example 4: require A and B
requires_all:
requirements:
- provider_name: provider-A
- provider_name: provider-B
# Example 5: require A and (B or C)
requires_all:
requirements:
- provider_name: provider-A
- requires_any:
requirements:
- provider_name: provider-B
- provider_name: provider-C
# Example 6: require A or (B and C)
requires_any:
requirements:
- provider_name: provider-A
- requires_all:
requirements:
- provider_name: provider-B
- provider_name: provider-C
{
"provider_name": "...",
"provider_and_audiences": "{...}",
"requires_any": "{...}",
"requires_all": "{...}",
"allow_missing_or_failed": "{...}"
}
- provider_name
(string) Specify a required provider name.
Only one of provider_name, provider_and_audiences, requires_any, requires_all, allow_missing_or_failed may be set.
- provider_and_audiences
(config.filter.http.jwt_authn.v2alpha.ProviderWithAudiences) Specify a required provider with audiences.
Only one of provider_name, provider_and_audiences, requires_any, requires_all, allow_missing_or_failed may be set.
- requires_any
(config.filter.http.jwt_authn.v2alpha.JwtRequirementOrList) Specify list of JwtRequirement. Their results are OR-ed. If any one of them passes, the result is passed.
Only one of provider_name, provider_and_audiences, requires_any, requires_all, allow_missing_or_failed may be set.
- requires_all
(config.filter.http.jwt_authn.v2alpha.JwtRequirementAndList) Specify list of JwtRequirement. Their results are AND-ed. All of them must pass, if one of them fails or missing, it fails.
Only one of provider_name, provider_and_audiences, requires_any, requires_all, allow_missing_or_failed may be set.
- allow_missing_or_failed
(Empty) The requirement is always satisfied even if JWT is missing or the JWT verification fails. A typical usage is: this filter is used to only verify JWTs and pass the verified JWT payloads to another filter, the other filter will make decision. In this mode, all JWT tokens will be verified.
Only one of provider_name, provider_and_audiences, requires_any, requires_all, allow_missing_or_failed may be set.
config.filter.http.jwt_authn.v2alpha.JwtRequirementOrList¶
[config.filter.http.jwt_authn.v2alpha.JwtRequirementOrList proto]
This message specifies a list of RequiredProvider. Their results are OR-ed; if any one of them passes, the result is passed
{
"requirements": []
}
- requirements
- (config.filter.http.jwt_authn.v2alpha.JwtRequirement, REQUIRED) Specify a list of JwtRequirement.
config.filter.http.jwt_authn.v2alpha.JwtRequirementAndList¶
[config.filter.http.jwt_authn.v2alpha.JwtRequirementAndList proto]
This message specifies a list of RequiredProvider. Their results are AND-ed; all of them must pass, if one of them fails or missing, it fails.
{
"requirements": []
}
- requirements
- (config.filter.http.jwt_authn.v2alpha.JwtRequirement, REQUIRED) Specify a list of JwtRequirement.
config.filter.http.jwt_authn.v2alpha.RequirementRule¶
[config.filter.http.jwt_authn.v2alpha.RequirementRule proto]
This message specifies a Jwt requirement for a specific Route condition. Example 1:
- match:
prefix: /healthz
In above example, “requires” field is empty for /healthz prefix match, it means that requests matching the path prefix don’t require JWT authentication.
Example 2:
- match:
prefix: /
requires: { provider_name: provider-A }
In above example, all requests matched the path prefix require jwt authentication from “provider-A”.
{
"match": "{...}",
"requires": "{...}"
}
- match
(route.RouteMatch, REQUIRED) The route matching parameter. Only when the match is satisfied, the “requires” field will apply.
For example: following match will match all requests.
match: prefix: /
- requires
- (config.filter.http.jwt_authn.v2alpha.JwtRequirement) Specify a Jwt Requirement. Please detail comment in message JwtRequirement.
config.filter.http.jwt_authn.v2alpha.JwtAuthentication¶
[config.filter.http.jwt_authn.v2alpha.JwtAuthentication proto]
This is the Envoy HTTP filter config for JWT authentication.
For example:
providers:
provider1:
issuer: issuer1
audiences:
- audience1
- audience2
remote_jwks:
http_uri:
uri: https://example.com/.well-known/jwks.json
cluster: example_jwks_cluster
provider2:
issuer: issuer2
local_jwks:
inline_string: jwks_string
rules:
# Not jwt verification is required for /health path
- match:
prefix: /health
# Jwt verification for provider1 is required for path prefixed with "prefix"
- match:
prefix: /prefix
requires:
provider_name: provider1
# Jwt verification for either provider1 or provider2 is required for all other requests.
- match:
prefix: /
requires:
requires_any:
requirements:
- provider_name: provider1
- provider_name: provider2
{
"providers": "{...}",
"rules": []
}
- providers
(map<string, config.filter.http.jwt_authn.v2alpha.JwtProvider>) Map of provider names to JwtProviders.
providers: provider1: issuer: issuer1 audiences: - audience1 - audience2 remote_jwks: http_uri: uri: https://example.com/.well-known/jwks.json cluster: example_jwks_cluster provider2: issuer: provider2 local_jwks: inline_string: jwks_string
- rules
(config.filter.http.jwt_authn.v2alpha.RequirementRule) Specifies requirements based on the route matches. The first matched requirement will be applied. If there are overlapped match conditions, please put the most specific match first.
Examples
- rules:
- match:
- prefix: /healthz
- match:
- prefix: /baz
- requires:
- provider_name: provider1
- match:
- prefix: /foo
- requires:
- requires_any:
- requirements:
- provider_name: provider1
- provider_name: provider2
- match:
- prefix: /bar
- requires:
- requires_all:
- requirements:
- provider_name: provider1
- provider_name: provider2