# Downstream Authentication

| Property | DownstreamAuth (choice) |
|---|---|
| options | |

The `downstream` object configures the authentication mechanism applied to downstream HTTP requests. Defining an authentication mechanism is required, but it can be opted out of by explicitly configuring `disabled`.
## Header or Query String Parameter

| Choice Option | DownstreamAuth (object) |
|---|---|
| additionalProperties | false |
| properties | clients, name, type |

Enabling authentication for all clients that access this API using a header or query string parameter. The value of the header or query string parameter is matched against the md5 hashes provided in the `clients` property.

### Allowed Clients

| Property | clients (object) |
|---|---|
| generic properties | array |

The clients are matched based on the md5 hash.

| Generic Property | array |
|---|---|
| Array Item | string |

### Parameter Name

The parameter name (header or query string parameter name) where the credentials are provided.

### Parameter Type

| Property | type |
|---|---|
| enum | query, header |

The parameter type that is used to transport the credentials.
## Basic Authentication

| Choice Option | DownstreamAuth (object) |
|---|---|
| additionalProperties | false |
| properties | clients, type |

Enabling basic authentication for all clients that access this API. The username and password in the `Authorization` header are matched against the md5 hashes provided in the `clients` property.

### Allowed Clients

| Property | clients (object) |
|---|---|
| generic properties | array |

The clients are matched based on the md5 hash.

| Generic Property | array |
|---|---|
| Array Item | string |

### Authentication Type

Constant `basic`, identifying that HTTP Basic Authentication is used for authenticating downstream HTTP requests.
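The credential lookup described for the header/query option and the basic option, as an added Python example (this is not ProxyConf's or Envoy's code): it computes the md5 digests that go into `clients`, mirrors the match of a presented credential against every client's digest list, and emits the corresponding configuration block. Assumptions: the `security.auth.downstream` layout with `type`, `name` and `clients` follows the page's `disabled` example and the listed properties; the page does not say exactly what is hashed for basic authentication, so the example hashes the decoded `username:password` string; all client names, keys and digests are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse
from typing import Optional


def md5_hex(secret: str) -> str:
    """Lowercase md5 hex digest, the form the `clients` lists expect."""
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


def new_api_key(nbytes: int = 32) -> str:
    """Generate a high-entropy key. md5 is fast and the digests in the config are
    unsalted, so a leaked config file stays safe only if the keys are unguessable."""
    return secrets.token_urlsafe(nbytes)


# Constructed secrets for the example; a real config file holds only the digests.
BILLING_KEY = "Lq3v8Zf2Qp9sT1xW7cY4mN6rB0hK5jD8"
REPORTS_KEY = "pX9dR2kM7vB4nQ1sZ8wT3cY6hJ0fL5gA"
BASIC_USER, BASIC_PASSWORD = "alice", "correct-horse-battery-staple"

API_KEY_CLIENTS = {
    "billing-service": [md5_hex(BILLING_KEY)],
    "reports-service": [md5_hex(REPORTS_KEY)],
}
# Assumption (not stated on the page): for `type: basic` the digest input is "username:password".
BASIC_CLIENTS = {BASIC_USER: [md5_hex(f"{BASIC_USER}:{BASIC_PASSWORD}")]}


def match_client(presented: str, clients: dict[str, list[str]]) -> Optional[str]:
    """Hash the presented credential and look it up across every client's digest list.
    compare_digest keeps each comparison constant-time, so timing does not reveal
    how many leading characters of a stored digest matched."""
    digest = md5_hex(presented)
    for name, digests in clients.items():
        for candidate in digests:
            if hmac.compare_digest(digest, candidate.lower()):
                return name
    return None


def authenticate_header(headers: dict[str, str], name: str, clients) -> Optional[str]:
    """`type: header`: the raw value of the configured header is the credential."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get(name.lower())
    return match_client(value, clients) if value else None


def authenticate_query(query_string: str, name: str, clients) -> Optional[str]:
    """`type: query`: the (URL-decoded) value of the configured query parameter is the credential."""
    values = urllib.parse.parse_qs(query_string).get(name)
    return match_client(values[0], clients) if values else None


def basic_header(user: str, password: str) -> dict[str, str]:
    """Build the Authorization header a client would send (used to exercise the check below)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def authenticate_basic(headers: dict[str, str], clients) -> Optional[str]:
    """`type: basic`: decode the Basic scheme, then hash "user:password" (see assumption above)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, param = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed credentials are treated like a missing header
    return match_client(decoded, clients) if ":" in decoded else None


def render_downstream_auth(auth_type: str, clients, name: Optional[str] = None) -> str:
    """Emit the `security.auth.downstream` block (layout assumed from the page's `disabled`
    example together with the type/name/clients properties)."""
    lines = ["security:", "  auth:", "    downstream:", f"      type: {auth_type}"]
    if name:
        lines.append(f"      name: {name}")
    lines.append("      clients:")
    for client, digests in clients.items():
        lines.append(f"        {client}:")
        lines.extend(f"          - {d}" for d in digests)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_downstream_auth("header", API_KEY_CLIENTS, name="x-api-key"))
    print(render_downstream_auth("basic", BASIC_CLIENTS))
```

Because the stored value is a plain, unsalted md5 of the credential, the strength of this scheme rests entirely on the entropy of the keys: generate them with `new_api_key()` (or an equivalent CSPRNG source) rather than choosing memorable strings, and treat the configuration file containing the digests as sensitive, since a short or guessable key can be recovered from its digest offline.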
## JSON Web Tokens (JWT)

| Choice Option | DownstreamAuth (object) |
|---|---|
| additionalProperties | false |
| properties | provider-config, type |

Enabling JWT-based authentication for all clients that access this API. The signature, audiences, and issuer claims are verified. The time restrictions of the token, such as the expiration (`exp`) and not-before (`nbf`) time, are also checked. If the JWT verification fails, the request is rejected. If the JWT verification succeeds, its payload can be forwarded to the upstream for further authorization if desired.

### Provider Configuration

| Property | provider-config (object) |
|---|---|
| additionalProperties | true |

Configures how the JWT should be verified. See the Envoy documentation for configuration details.

- `issuer`: the principal that issued the JWT, usually a URL or an email address.
- `audiences`: a list of JWT audiences allowed to access. A JWT containing any of these audiences will be accepted. If not specified, the audiences in the JWT will not be checked.
- `local_jwks`: fetch the JWKS from a local data source, either a local file or a string embedded inline.
- `remote_jwks`: fetch the JWKS from a remote HTTP server; also specifies the cache duration.
- `forward`: if true, the JWT will be forwarded to the upstream.
- `from_headers`: extract the JWT from HTTP headers.
- `from_params`: extract the JWT from query parameters.
- `from_cookies`: extract the JWT from HTTP request cookies.
- `forward_payload_header`: forward the JWT payload in the specified HTTP header.
- `claim_to_headers`: copy JWT claims to HTTP headers.
- `jwt_cache_config`: enables the JWT cache; its size can be specified by `jwt_cache_size`. Only valid JWT tokens are cached.

### Authentication Type

Constant `jwt`, identifying that JWTs are used for authenticating downstream HTTP requests.
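The verification steps the section above lists (signature, issuer, audiences, `exp`, `nbf`) and the `claim_to_headers` mapping, carried through as an added Python example; this is illustration code, not Envoy's `jwt_authn` filter or ProxyConf's code. To stay standard-library only it uses a symmetric HS256 key inside a constructed inline JWKS (the shape `local_jwks` with an inline string would carry); real providers usually publish RSA or EC keys, typically fetched through `remote_jwks`. The `issuer`, `audiences` and `claim_to_headers` (`header_name`/`claim_name`) field names follow Envoy's JwtProvider; the issuer URL, audience, key and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed inline JWKS holding one symmetric key (what `local_jwks` with an inline string carries).
JWKS = {"keys": [{"kty": "oct", "kid": "demo-1", "alg": "HS256",
                  "k": b64url_encode(b"constructed-secret-do-not-reuse")}]}

# The subset of provider-config this example enforces (field names follow Envoy's JwtProvider).
PROVIDER = {
    "issuer": "https://issuer.example.test",
    "audiences": ["petstore-api"],
    "claim_to_headers": [{"header_name": "x-jwt-sub", "claim_name": "sub"}],
}


def sign_jwt(claims: dict, jwk: dict) -> str:
    """Mint an HS256 token; only here so the example can build inputs for verify_jwt."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_jwt(token: str, jwks: dict, provider: dict, now: Optional[int] = None) -> tuple[bool, str, dict]:
    """Apply the checks the page lists (signature, issuer, audiences, exp, nbf) in that order.
    Returns (accepted, reason, headers_for_upstream); the headers come from claim_to_headers."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header, payload = json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(payload, dict):
            raise ValueError("JOSE header and payload must be objects")
    except ValueError:  # covers bad base64, bad UTF-8, bad JSON and a wrong part count
        return False, "malformed token", {}
    # Pin the algorithm to what the key supports; the token header must not choose it.
    if header.get("alg") != "HS256":
        return False, "unsupported alg", {}
    jwk = next((k for k in jwks["keys"] if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return False, "unknown kid", {}
    expected = hmac.new(b64url_decode(jwk["k"]), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature", {}
    if payload.get("iss") != provider["issuer"]:
        return False, "issuer mismatch", {}
    if provider.get("audiences"):  # when no audiences are configured the claim is not checked
        aud = payload.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if not set(aud) & set(provider["audiences"]):
            return False, "audience mismatch", {}
    if "exp" in payload and now >= payload["exp"]:
        return False, "expired", {}
    if "nbf" in payload and now < payload["nbf"]:
        return False, "not yet valid", {}
    headers = {m["header_name"]: str(payload[m["claim_name"]])
               for m in provider.get("claim_to_headers", []) if m["claim_name"] in payload}
    return True, "ok", headers


if __name__ == "__main__":
    now = int(time.time())
    token = sign_jwt({"iss": PROVIDER["issuer"], "aud": "petstore-api", "sub": "alice",
                      "nbf": now - 60, "exp": now + 300}, JWKS["keys"][0])
    print(verify_jwt(token, JWKS, PROVIDER))
```

Two design points worth keeping in mind when reading the `provider-config` options: the audience check is skipped entirely when `audiences` is omitted, so a token minted for a different API of the same issuer would be accepted; and the headers produced from `claim_to_headers` (like `forward_payload_header`) only carry values from a token that already passed every check, which is what makes them safe for the upstream to rely on.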
## Mutual TLS

Enabling mutual TLS for all clients that access this API. The subject or SAN in the provided client certificate is matched against the list provided in the `clients` property.

### Allowed Clients

The clients are matched based on the client certificate subject or SAN.

#### Certificate Subject / SubjectAlternativeName (SAN)

| Generic Property | array |
|---|---|
| Array Item | string |
| minLength | 1 |

The clients are matched based on the client certificate subject or SAN.

### Trusted Certificate Authority (CA)

| Property | trusted-ca (string) |
|---|---|

A path to a PEM encoded file containing the trusted CAs. This file must be readable by the ProxyConf server and is automatically distributed to the Envoy instances using the SDS mechanism.

### Authentication Type

Constant `mtls`, identifying that mutual TLS is used for authenticating downstream HTTP requests.
## Disabled

| Choice Option | DownstreamAuth (disabled) |
|---|---|

Disabling any downstream authentication. This potentially allows untrusted traffic. It's recommended to further limit exposure by narrowing the `allowed-source-ips` as much as possible.

Example:

```yaml
security:
  auth:
    downstream: disabled
```