{ "openapi": "3.0.0", "info": { "title": "Configuration to validate JWT.", "version": "v1beta1" }, "components": { "schemas": { "istio.security.v1beta1.JWTRule": { "description": "JSON Web Token (JWT) format for authentication as defined by [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.", "type": "object", "properties": { "issuer": { "description": "Identifies the issuer that issued the JWT. See [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1). A JWT whose `iss` claim differs from this value will be rejected.", "type": "string", "format": "string" }, "audiences": { "description": "The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. A JWT whose `aud` claim contains any of these audiences will be accepted.", "type": "array", "items": { "type": "string", "format": "string" } }, "jwksUri": { "description": "URL of the provider's public key set used to validate the signature of the JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). Because the keys fetched from this URL decide which tokens are trusted, it should be an HTTPS URL pointing at the trusted provider.", "type": "string", "format": "string" }, "jwks": { "description": "Inline JSON Web Key Set of public keys used to validate the signature of the JWT (the inline counterpart of `jwksUri`). Only public keys belong here; never place private key material in this field. See https://auth0.com/docs/jwks.", "type": "string", "format": "string" }, "fromHeaders": { "description": "List of header locations from which the JWT is expected. For example, below is the location spec if the JWT is expected in the `x-jwt-assertion` header with a \"Bearer \" prefix: ``` fromHeaders: - name: x-jwt-assertion prefix: \"Bearer \" ```", "type": "array", "items": { "$ref": "#/components/schemas/istio.security.v1beta1.JWTHeader" } }, "fromParams": { "description": "List of query parameters from which the JWT is expected. 
For example, if the JWT is provided via the query parameter `my_token` (e.g. /path?my_token=\u003cJWT\u003e), the config is: ``` fromParams: - \"my_token\" ``` Note that tokens carried in the query string are commonly recorded in access logs, referrer headers and browser history, so prefer a header location where possible.", "type": "array", "items": { "type": "string", "format": "string" } }, "outputPayloadToHeader": { "description": "This field specifies the name of the header in which the payload of a successfully verified JWT is forwarded to the backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified, the payload is not emitted.", "type": "string", "format": "string" }, "forwardOriginalToken": { "description": "If set to true, the original token will be kept in the upstream request. Default is false.", "type": "boolean" } } }, "istio.security.v1beta1.JWTHeader": { "description": "This message specifies a header location from which to extract the JWT.", "type": "object", "properties": { "name": { "description": "The HTTP header name.", "type": "string", "format": "string" }, "prefix": { "description": "The prefix that should be stripped before decoding the token. For example, for \"Authorization: Bearer \u003ctoken\u003e\", use prefix=\"Bearer \" (note the trailing space). If the header does not start with this exact prefix, it is considered invalid.", "type": "string", "format": "string" } } } } } }