110 lines
6.0 KiB
JSON
110 lines
6.0 KiB
JSON
{
|
|
"openapi": "3.0.0",
|
|
"info": {
|
|
"title": "Request authentication configuration for workloads.",
|
|
"version": "v1beta1"
|
|
},
|
|
"components": {
|
|
"schemas": {
|
|
"istio.security.v1beta1.JWTRule": {
|
|
"description": "JSON Web Token (JWT) token format for authentication as defined by [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.",
|
|
"type": "object",
|
|
"properties": {
|
|
"issuer": {
|
|
"description": "Identifies the issuer that issued the JWT. See [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) A JWT with different `iss` claim will be rejected.",
|
|
"type": "string",
|
|
"format": "string"
|
|
},
|
|
"audiences": {
|
|
"description": "The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3). that are allowed to access. A JWT containing any of these audiences will be accepted.",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string",
|
|
"format": "string"
|
|
}
|
|
},
|
|
"jwksUri": {
|
|
"description": "URL of the provider's public key set to validate signature of the JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).",
|
|
"type": "string",
|
|
"format": "string"
|
|
},
|
|
"jwks": {
|
|
"description": "JSON Web Key Set of public keys to validate signature of the JWT. See https://auth0.com/docs/jwks.",
|
|
"type": "string",
|
|
"format": "string"
|
|
},
|
|
"fromHeaders": {
|
|
"description": "List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in `x-jwt-assertion` header, and have \"Bearer \" prefix: ``` fromHeaders: - name: x-jwt-assertion prefix: \"Bearer \" ```",
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/components/schemas/istio.security.v1beta1.JWTHeader"
|
|
}
|
|
},
|
|
"fromParams": {
|
|
"description": "List of query parameters from which JWT is expected. For example, if JWT is provided via query parameter `my_token` (e.g /path?my_token=\u003cJWT\u003e), the config is: ``` fromParams: - \"my_token\" ```",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string",
|
|
"format": "string"
|
|
}
|
|
},
|
|
"outputPayloadToHeader": {
|
|
"description": "This field specifies the header name to output a successfully verified JWT payload to the backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified, the payload will not be emitted.",
|
|
"type": "string",
|
|
"format": "string"
|
|
},
|
|
"forwardOriginalToken": {
|
|
"description": "If set to true, the orginal token will be kept for the ustream request. Default is false.",
|
|
"type": "boolean"
|
|
}
|
|
}
|
|
},
|
|
"istio.security.v1beta1.JWTHeader": {
|
|
"description": "This message specifies a header location to extract JWT token.",
|
|
"type": "object",
|
|
"properties": {
|
|
"name": {
|
|
"description": "The HTTP header name.",
|
|
"type": "string",
|
|
"format": "string"
|
|
},
|
|
"prefix": {
|
|
"description": "The prefix that should be stripped before decoding the token. For example, for \"Authorization: Bearer \u003ctoken\u003e\", prefix=\"Bearer \" with a space at the end. If the header doesn't have this exact prefix, it is considerred invalid.",
|
|
"type": "string",
|
|
"format": "string"
|
|
}
|
|
}
|
|
},
|
|
"istio.security.v1beta1.RequestAuthentication": {
|
|
"description": "RequestAuthentication defines what request authentication methods are supported by a workload. If will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule. Examples: - Require JWT for all request for workloads that have label `app:httpbin`",
|
|
"type": "object",
|
|
"properties": {
|
|
"selector": {
|
|
"$ref": "#/components/schemas/istio.type.v1beta1.WorkloadSelector"
|
|
},
|
|
"jwtRules": {
|
|
"description": "Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token will be used to extract the authenticated identity. Each rule will be activated only when a token is presented at the location recorgnized by the rule. The token will be validated based on the JWT rule config. If validation fails, the request will be rejected. Note: if more than one token is presented (at different locations), the output principal is nondeterministic.",
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/components/schemas/istio.security.v1beta1.JWTRule"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"istio.type.v1beta1.WorkloadSelector": {
|
|
"description": "The selector determines the workloads to apply the RequestAuthentication on. If not set, the policy will be applied to all workloads in the same namespace as the policy.",
|
|
"type": "object",
|
|
"properties": {
|
|
"matchLabels": {
|
|
"description": "One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present.",
|
|
"type": "object",
|
|
"additionalProperties": {
|
|
"type": "string",
|
|
"format": "string"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
} |