This message specifies a header location to extract JWT token.
Field
Type
Description
Required
name
string
The HTTP header name.
Yes
prefix
string
The prefix that should be stripped before decoding the token.
For example, for “Authorization: Bearer ”, prefix=“Bearer ” with a space at the end.
If the header doesn’t have this exact prefix, it is considerred invalid.
No
JWTRule
JSON Web Token (JWT) token format for authentication as defined by
RFC 7519. See OAuth 2.0 and
OIDC 1.0 for how this is used in the whole
authentication flow.
Examples:
Spec for a JWT that is issued by https://example.com, with the audience claims must be either
bookstore_android.apps.example.com or bookstore_web.apps.example.com.
The token should be presented at the Authorization header (default). The Json web key set (JWKS)
will be discovered followwing OpenID Connect protocol.
URL of the provider’s public key set to validate signature of the
JWT. See OpenID Discovery.
Optional if the key set document can either (a) be retrieved from
OpenID
Discovery of
the issuer or (b) inferred from the email domain of the issuer (e.g. a
Google service account).
List of header locations from which JWT is expected. For example, below is the location spec
if JWT is expected to be found in x-jwt-assertion header, and have “Bearer ” prefix:
List of query parameters from which JWT is expected. For example, if JWT is provided via query
parameter my_token (e.g /path?my_token=), the config is:
fromParams:
- "my_token"
No
outputPayloadToHeader
string
This field specifies the header name to output a successfully verified JWT payload to the
backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified,
the payload will not be emitted.
No
forwardOriginalToken
bool
If set to true, the orginal token will be kept for the ustream request. Default is false.