
Downstream Authentication

Property DownstreamAuth (choice)
options

The downstream object configures the authentication mechanism applied to downstream HTTP requests. Defining an authentication mechanism is required, but can be opted out of by explicitly configuring disabled.

Header or Query Parameter

Choice Option DownstreamAuth (object)
additionalProperties false
properties clients, name, type

Enabling authentication for all clients that access this API using a header or query string parameter. The header or query string parameter is matched against the md5 hashes provided in the clients property.

Allowed Clients

Property clients (object)
generic properties array

The clients are matched based on the md5 hash.

Generic Property array
Array Item string

Parameter Name

Property name (string)

The parameter name (header or query string parameter name) where the credentials are provided.

Parameter Type

Property type ()
enum query, header

The parameter type that is used to transport the credentials.

Basic Authentication

Choice Option DownstreamAuth (object)
additionalProperties false
properties clients, type

Enabling basic authentication for all clients that access this API. The username and password in the Authorization header are matched against the md5 hashes provided in the clients property.

Allowed Clients

Property clients (object)
generic properties array

The clients are matched based on the md5 hash.

Generic Property array
Array Item string

Authentication Type

Constant basic (string)

Constant basic identifying that HTTP Basic Authentication is used for authenticating downstream HTTP requests.
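As an added example (not code from ProxyConf or from this page), the following Python script builds a clients object for the header/query and basic options and checks presented credentials against it the way the two sections above describe. It assumes the stored value is the md5 hex digest of the raw header or query value (for basic, of the decoded user:password string), which the page does not state explicitly, and the client names and secrets are constructed.

```python
from __future__ import annotations

import base64
import hashlib
import hmac

# Constructed sample secrets; only the md5 hex digests belong in the `clients` property.
API_KEYS = {"billing-service": ["k3y-billing-01"]}     # header / query option
BASIC_USERS = {"reporting": ["reporter:s3cret"]}       # basic option, "user:password"

def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()

def build_clients(secrets: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return the `clients` object: client name -> list of md5 hex digests."""
    return {name: [md5_hex(s) for s in values] for name, values in secrets.items()}

def match_client(clients: dict[str, list[str]], presented: str) -> str | None:
    """Return the name of the client whose hash matches, or None.
    hmac.compare_digest keeps the comparison time independent of the input."""
    digest = md5_hex(presented)
    for name, hashes in clients.items():
        if any(hmac.compare_digest(digest, h) for h in hashes):
            return name
    return None

def authenticate_header(clients, headers: dict[str, str], name: str) -> str | None:
    """type: header -- the credential is the raw value of the header `name`
    (the query option reads the same value from the query string instead)."""
    value = headers.get(name)
    return match_client(clients, value) if value is not None else None

def basic_header(credential: str) -> str:
    """Build the Authorization value a client sends for a `user:password` string."""
    return "Basic " + base64.b64encode(credential.encode()).decode()

def authenticate_basic(clients, headers: dict[str, str]) -> str | None:
    """type: basic -- decode 'Authorization: Basic <b64(user:password)>' and match.
    Malformed headers are rejected instead of raising."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return match_client(clients, decoded) if ":" in decoded else None
```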

JSON Web Tokens (JWT)

Choice Option DownstreamAuth (object)
additionalProperties false
properties provider-config, type

Enabling JWT based authentication for all clients that access this API. The signature, audiences, and issuer claims are verified. The time restrictions of the token, such as expiration and nbf (not before) time, are also checked. If the JWT verification fails, the request is rejected. If the JWT verification succeeds, the payload can be forwarded to the upstream for further authorization if desired.

Provider Configuration

Property provider-config (object)
additionalProperties true

Configures how the JWT should be verified. See the Envoy documentation for configuration details.

  • issuer: the principal that issued the JWT, usually a URL or an email address.
  • audiences: a list of JWT audiences allowed to access. A JWT containing any of these audiences will be accepted. If not specified, the audiences in JWT will not be checked.
  • local_jwks: fetch JWKS in local data source, either in a local file or embedded in the inline string.
  • remote_jwks: fetch JWKS from a remote HTTP server, also specify cache duration.
  • forward: if true, JWT will be forwarded to the upstream.
  • from_headers: extract JWT from HTTP headers.
  • from_params: extract JWT from query parameters.
  • from_cookies: extract JWT from HTTP request cookies.
  • forward_payload_header: forward the JWT payload in the specified HTTP header.
  • claim_to_headers: copy JWT claim to HTTP header.
  • jwt_cache_config: Enables JWT cache, its size can be specified by jwt_cache_size. Only valid JWT tokens are cached.

Authentication Type

Constant jwt (string)

Constant jwt identifying that JWTs are used for authenticating downstream HTTP requests.

Mutual TLS

Choice Option DownstreamAuth (object)
additionalProperties false
properties clients, trusted-ca, type

Enabling mutual TLS for all clients that access this API. The subject or SAN in the provided client certificate is matched against the list provided in the clients property.

Allowed Clients

Property clients (object)
generic properties Certificate Subject / SubjectAlternativeName (SAN)

The clients are matched based on the client certificate subject or SAN.

Certificate Subject / SubjectAlternativeName (SAN)

Generic Property array
Array Item string
minLength 1

The clients are matched based on the client certificate subject or SAN.

Trusted Certificate Authority (CA)

Property trusted-ca (string)

A path to a PEM encoded file containing the trusted CAs. This file must be readable by the ProxyConf server and is automatically distributed to the Envoy instances using the SDS mechanism.

Authentication Type

Constant mtls (string)

Constant mtls identifying that mutual TLS is used for authenticating downstream HTTP requests.

Disabled

Choice Option DownstreamAuth (disabled)

Disabling any downstream authentication. This potentially allows untrusted traffic. It's recommended to further limit exposure by narrowing the allowed-source-ips as much as possible.

Example

security:
  auth:
    downstream: disabled