api/envoy/v12/http/backend_auth/config.proto (57 lines of code) (raw):
// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package espv2.api.envoy.v12.http.backend_auth;
import "api/envoy/v12/http/common/base.proto";
import "validate/validate.proto";
// This config will be use in RouteEntry perFilterConfig
// If a route entry doesn't have this config, it doesn't need to send the jwt
// token to the backend.
message PerRouteFilterConfig {
// Audience used to create the JWT token sent to the backend.
// https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#jwt_audience_disable_auth
// It has to be in the `jwt_audience_list`.
string jwt_audience = 1 [(validate.rules).string = {
min_bytes: 1,
// Does not contain query params ('?', '&'), fragments ('#'), or invalid
// HTTP_HEADER_VALUE ('\r', '\n', '\0') characters.
pattern: '^[^?&#\\r\\n\\0]+$',
}];
}
message FilterConfig {
// Supported audience list. Each audience has its token.
// The tokens from this list will be prefetched.
repeated string jwt_audience_list = 1 [(validate.rules).repeated = {
min_items: 1
items {
string {
min_len: 1,
// Does not contain query params ('?', '&'), fragments ('#'), or invalid
// HTTP_HEADER_VALUE ('\r', '\n', '\0') characters.
pattern: '^[^?&#\\r\\n\\0]+$',
}
}
}];
oneof id_token_info {
option (validate.required) = true;
// The Instance Metadata Server uri used to fetch id token from Instance
// Metadata Server.
espv2.api.envoy.v12.http.common.HttpUri imds_token = 2;
// Information used to fetch id token from Google Cloud IAM.
espv2.api.envoy.v12.http.common.IamTokenInfo iam_token = 3;
}
// How the filter config will handle failures when fetching ID tokens.
espv2.api.envoy.v12.http.common.DependencyErrorBehavior dep_error_behavior =
4;
}