// Copyright 2019 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";

import "google/api/field_behavior.proto";

// $schema: istio.security.v1beta1.JWTRule
// $title: JWTRule
// $description: Configuration to validate JWT.
// $location: https://istio.io/docs/reference/config/security/jwt.html
// $aliases: [/docs/reference/config/security/v1beta1/jwt]

package istio.security.v1beta1;

option go_package="istio.io/api/security/v1beta1";

// JSON Web Token (JWT) token format for authentication as defined by
// [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and
// [OIDC 1.0](http://openid.net/connect) for how this is used in the whole
// authentication flow.
//
// Examples:
//
// Spec for a JWT that is issued by `https://example.com`, with the audience claims must be either
// `bookstore_android.apps.example.com` or `bookstore_web.apps.example.com`.
// The token should be presented at the `Authorization` header (default). The Json web key set (JWKS)
// will be discovered followwing OpenID Connect protocol.
//
// ```yaml
// issuer: https://example.com
// audiences:
// - bookstore_android.apps.example.com
//   bookstore_web.apps.example.com
// ```
//
// This example specifies token in non-default location (`x-goog-iap-jwt-assertion` header). It also
// defines the URI to fetch JWKS explicitly.
//
// ```yaml
// issuer: https://example.com
// jwksUri: https://example.com/.secret/jwks.json
// jwtHeaders:
// - "x-goog-iap-jwt-assertion"
// ```
message JWTRule {
  // Identifies the issuer that issued the JWT. See
  // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
  // A JWT with different `iss` claim will be rejected.
  //
  // Example: https://foobar.auth0.com
  // Example: 1234567-compute@developer.gserviceaccount.com
  string issuer = 1 [(google.api.field_behavior) = REQUIRED];

  // The list of JWT
  // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3).
  // that are allowed to access. A JWT containing any of these
  // audiences will be accepted.
  //
  // The service name will be accepted if audiences is empty.
  //
  // Example:
  //
  // ```yaml
  // audiences:
  // - bookstore_android.apps.example.com
  //   bookstore_web.apps.example.com
  // ```
  repeated string audiences = 2;

  // URL of the provider's public key set to validate signature of the
  // JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
  //
  // Optional if the key set document can either (a) be retrieved from
  // [OpenID
  // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
  // the issuer or (b) inferred from the email domain of the issuer (e.g. a
  // Google service account).
  //
  // Example: `https://www.googleapis.com/oauth2/v1/certs`
  //
  // Note: Only one of jwks_uri and jwks should be used. jwks_uri will be ignored if it does.
  string jwks_uri = 3;

  // JSON Web Key Set of public keys to validate signature of the JWT.
  // See https://auth0.com/docs/jwks.
  //
  // Note: Only one of jwks_uri and jwks should be used. jwks_uri will be ignored if it does.
  string jwks = 10;

  // The next two fields define how to extract the JWT from an HTTP request.
  //
  // If no explicit location is specified the following default
  // locations are tried in order:
  //
  //     1) The Authorization header using the Bearer schema,
  //        e.g. Authorization: Bearer <token>. (see
  //        [Authorization Request Header
  //        Field](https://tools.ietf.org/html/rfc6750#section-2.1))
  //
  //     2) The `access_token` query parameter (see
  //     [URI Query Parameter](https://tools.ietf.org/html/rfc6750#section-2.3))

  // List of header locations from which JWT is expected. For example, below is the location spec
  // if JWT is expected to be found in `x-jwt-assertion` header, and have "Bearer " prefix:
  // ```
  //   fromHeaders:
  //   - name: x-jwt-assertion
  //     prefix: "Bearer "
  // ```
  repeated JWTHeader from_headers = 6;

  // List of query parameters from which JWT is expected. For example, if JWT is provided via query
  // parameter `my_token` (e.g /path?my_token=<JWT>), the config is:
  // ```
  //   fromParams:
  //   - "my_token"
  // ```
  repeated string from_params = 7;

  // This field specifies the header name to output a successfully verified JWT payload to the
  // backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified,
  // the payload will not be emitted.
  string output_payload_to_header = 8;

  // If set to true, the orginal token will be kept for the ustream request. Default is false.
  bool forward_original_token = 9;
}

// This message specifies a header location to extract JWT token.
message JWTHeader {
  // The HTTP header name.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // The prefix that should be stripped before decoding the token.
  // For example, for "Authorization: Bearer <token>", prefix="Bearer " with a space at the end.
  // If the header doesn't have this exact prefix, it is considerred invalid.
  string prefix = 2;
}