--- WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO source_repo: https://github.com/istio/api title: JWTRule description: Configuration to validate JWT. location: https://istio.io/docs/reference/config/security/jwt.html layout: protoc-gen-docs generator: protoc-gen-docs schema: istio.security.v1beta1.JWTRule aliases: [/docs/reference/config/security/v1beta1/jwt] number_of_entries: 2 ---

JWTRule

JSON Web Token (JWT) token format for authentication as defined by RFC 7519. See OAuth 2.0 and OIDC 1.0 for how this is used in the whole authentication flow.

Examples:

Spec for a JWT that is issued by https://example.com, with the audience claims must be either bookstore_android.apps.example.com or bookstore_web.apps.example.com. The token should be presented at the Authorization header (default). The JSON Web Key Set (JWKS) will be discovered following OpenID Connect protocol.

issuer: https://example.com
audiences:
- bookstore_android.apps.example.com
  bookstore_web.apps.example.com

This example specifies a token in a non-default location (x-goog-iap-jwt-assertion header). It also defines the URI to fetch JWKS explicitly.

issuer: https://example.com
jwksUri: https://example.com/.secret/jwks.json
fromHeaders:
- "x-goog-iap-jwt-assertion"
Field Type Description Required
issuer string

Identifies the issuer that issued the JWT. See issuer A JWT with different iss claim will be rejected.

Example: https://foobar.auth0.com Example: 1234567-compute@developer.gserviceaccount.com

 Yes
audiences string[]

The list of JWT audiences. that are allowed to access. A JWT containing any of these audiences will be accepted.

The service name will be accepted if audiences is empty.

Example:

audiences:
- bookstore_android.apps.example.com
  bookstore_web.apps.example.com
No
jwksUri string

URL of the provider’s public key set to validate signature of the JWT. See OpenID Discovery.

Optional if the key set document can either (a) be retrieved from OpenID Discovery of the issuer or (b) inferred from the email domain of the issuer (e.g. a Google service account).

Example: https://www.googleapis.com/oauth2/v1/certs

Note: Only one of jwksUri and jwks should be used.

 No
jwks string

JSON Web Key Set of public keys to validate signature of the JWT. See https://auth0.com/docs/jwks.

Note: Only one of jwksUri and jwks should be used.

 No
fromHeaders JWTHeader[]

List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in x-jwt-assertion header, and have “Bearer ” prefix:

  fromHeaders:
  - name: x-jwt-assertion
    prefix: "Bearer "
No
fromParams string[]

List of query parameters from which JWT is expected. For example, if JWT is provided via query parameter my_token (e.g /path?my_token=), the config is:

  fromParams:
  - "my_token"
No
outputPayloadToHeader string

This field specifies the header name to output a successfully verified JWT payload to the backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified, the payload will not be emitted.

 No
forwardOriginalToken bool

If set to true, the original token will be kept for the upstream request. Default is false.

 No

JWTHeader

This message specifies a header location to extract JWT token.

Field Type Description Required
name string

The HTTP header name.

 Yes
prefix string

The prefix that should be stripped before decoding the token. For example, for “Authorization: Bearer ”, prefix=“Bearer ” with a space at the end. If the header doesn’t have this exact prefix, it is considered invalid.

 No