ApiConfig

A Configurable API Proxy configuration.

JSON representation
{
  "basepath": string,
  "target": {
    object (Target)
  },
  "authentication": {
    object (AuthenticationRequirement)
  },
  "consumerAuthorization": {
    object (ConsumerAuthorization)
  },
  "operations": [
    {
      object (ApiOperation)
    }
  ],
  "cors": {
    object (CorsPolicy)
  }
}
Fields
basepath

string

Base path of this Proxy.

target

object (Target)

The default Target.

authentication

object (AuthenticationRequirement)

Optional. The default authentication requirements.

consumerAuthorization

object (ConsumerAuthorization)

Optional. The default consumer authorization requirement.

operations[]

object (ApiOperation)

Optional. List of API operations. The API Operation with the most specific matching rule wins independent of the order of Operations. If none are specified, a default API Operation matching all requests will be generated.

cors

object (CorsPolicy)

Optional. The default CORS policy.

Target

Settings for routing to a Target.

JSON representation
{

  // Union field endpoint can be only one of the following:
  "targetServerId": string,
  "uri": string
  // End of list of possible types for union field endpoint.
}
Fields
Union field endpoint. The target endpoint, sometimes referred to as a "backend" or "cluster." endpoint can be only one of the following:
targetServerId

string

The resource ID of a Target Server.

uri

string

URI of the resource where requests should be routed. May contain Deployment Parameter variables.

Supported URI schemes: * http/https: An HTTP URL, for example "https://example.com:8080/v1"

AuthenticationRequirement

An authentication requirement.

JSON representation
{
  "disabled": boolean,

  // Union field requires can be only one of the following:
  "jwt": {
    object (JwtAuthentication)
  },
  "any": {
    object (AuthenticationRequirements)
  },
  "all": {
    object (AuthenticationRequirements)
  }
  // End of list of possible types for union field requires.
}
Fields
disabled

boolean

If true, this AuthenticationRequirement is ignored.

Union field requires. The requirement. requires can be only one of the following:
jwt

object (JwtAuthentication)

A JWT based authentication requirement.

any

object (AuthenticationRequirements)

Any of these authentication requirements must be met. Up to two levels of recursion may be specified, for example [Any (All (JWT-A, JWT-B), Any (JWT-C, JWT-D)].

all

object (AuthenticationRequirements)

All of these authentication requirements must be met. Up to two levels of recursion may be specified, for example [All (All (JWT-A, JWT-B), Any (JWT-C, JWT-D)].

JwtAuthentication

A JWT authentication requirement.

JSON representation
{
  "id": string,
  "audiences": [
    string
  ],
  "forwardPayloadHeader": string,
  "issuer": string,
  "in": [
    {
      object (ApiOperationParameter)
    }
  ],
  "locations": [
    {
      object (ApiOperationParameter)
    }
  ],
  "remoteJwks": {
    object (RemoteJwks)
  }
}
Fields
id

string

Identifier of this JWT requirement, unique within the Proxy.

audiences[]

string

Optional. A list of JWT audiences ("aud" claim) allowed to access. A JWT containing any of these audiences will be accepted. If not specified, the audiences in JWT will not be checked.

forwardPayloadHeader

string

Optional. Header name that will contain decoded JWT payload in requests forwarded to target. May contain Deployment Parameter variables.

issuer

string

JWT issuer ("iss" claim). May contain Deployment Parameter variables.

locations[]

object (ApiOperationParameter)

Optional. Locations where JWT may be found. First match wins. If not specified, the standard OAuth 2.0 Authorization Bearer Token will be used.

remoteJwks

object (RemoteJwks)

Remote JWKS.

RemoteJwks

A remote JWKS source.

JSON representation
{
  "cacheDuration": string,

  // Union field endpoint can be only one of the following:
  "uri": string,
  "targetServer": {
    object (TargetServer)
  }
  // End of list of possible types for union field endpoint.
}
Fields
cacheDuration

string (Duration format)

Optional. Duration to cache the JWKS for before attempting to refresh. Default value if not specified is one hour.

A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Union field endpoint. The JWKS endpoint. endpoint can be only one of the following:
uri

string

The full URI of the remote endpoint, including path component of the HTTP request URL.

targetServer

object (TargetServer)

A Target Server and optional request URL path component.

TargetServer

Reference to a Target Server and request URL path component.

JSON representation
{
  "id": string,
  "path": string
}
Fields
id

string

ID of the Target Server.

path

string

Optional. Path component of the URL used for HTTP requests to this Target Server.

ApiOperationParameter

An API Operation parameter.

JSON representation
{
  "transformation": {
    object (StringTransformation)
  },

  // Union field match can be only one of the following:
  "query": string,
  "header": string,
  "jwtClaim": {
    object (JwtClaim)
  }
  // End of list of possible types for union field match.
}
Fields
transformation

object (StringTransformation)

Optional. Transformation of the parameter value.

Union field match. How to match the parameter. match can be only one of the following:
query

string

Exact name of an HTTP query string parameter.

header

string

Exact name of an HTTP header.

jwtClaim

object (JwtClaim)

A JWT claim.

JwtClaim

Reference to a JWT claim.

JSON representation
{
  "requirement": string,
  "name": string
}
Fields
requirement

string

ID of the JWT requirement.

name

string

The name of the claim.

StringTransformation

Generic string transformation using simple template syntax. Example: Given template = "Bearer {token}" and substitution = "{token}" with input value "Bearer ABCD", the output will be "ABCD".

JSON representation
{
  "template": string,
  "substitution": string
}
Fields
template

string

String template. Up to three variables may be specified. Example: "Bearer {token}"

substitution

string

Substitution string, using variables declared in the template. Up to three variable references may be specified. Example: "{token}"

AuthenticationRequirements

A list of authentication requirements.

JSON representation
{
  "requirements": [
    {
      object (AuthenticationRequirement)
    }
  ]
}
Fields
requirements[]

object (AuthenticationRequirement)

Authentication requirements.

ConsumerAuthorization

Configuration of API consumer authorization.

JSON representation
{
  "in": [
    {
      object (ApiOperationParameter)
    }
  ],
  "locations": [
    {
      object (ApiOperationParameter)
    }
  ],
  "failOpen": boolean,
  "quotaIdentifier": enum (QuotaIdentifier),
  "disabled": boolean
}
Fields
in[]
(deprecated)

object (ApiOperationParameter)

Optional. Location of API consumer credential (API Key). First match wins.

locations[]

object (ApiOperationParameter)

Location of API consumer credential (API Key). First match wins.

failOpen

boolean

Allow requests to be forwarded even if the consumer credential cannot be verified by the API credential provider due to service unavailability.

quotaIdentifier

enum (QuotaIdentifier)

The quota identifier for matched requests. If not specified, APP will be used.

disabled

boolean

If true, this ConsumerAuthorization is ignored.

ApiOperation

An API Operation associates a set of rules with a set of request matching settings.

JSON representation
{
  "id": string,
  "httpMatch": [
    {
      object (HttpMatch)
    }
  ],
  "target": {
    object (Target)
  },
  "authentication": {
    object (AuthenticationRequirement)
  },
  "consumerAuthorization": {
    object (ConsumerAuthorization)
  }
}
Fields
id

string

Identifier of this operation, unique within the API Proxy.

httpMatch[]

object (HttpMatch)

Optional. HTTP matching rules for this API operation. If omitted, this Operation matches all requests.

target

object (Target)

Optional. The Target for this Operation. If specified, this overrides the default.

authentication

object (AuthenticationRequirement)

Optional. The authentication requirements for this Operation. If specified, this overrides the default.

consumerAuthorization

object (ConsumerAuthorization)

Optional. Consumer authorization requirement for this Operation. If specified, this overrides the default.

HttpMatch

An HTTP request matching rule.

JSON representation
{
  "pathTemplate": string,
  "method": enum (Method)
}
Fields
pathTemplate

string

URL path template using to match incoming requests.

method

enum (Method)

Optional. The HTTP method to match. Omit to match all methods.

CorsPolicy

Settings for handling CORS preflight requests.

JSON representation
{
  "allowOrigins": [
    string
  ],
  "allowOriginRegexes": [
    string
  ],
  "allowMethods": [
    string
  ],
  "allowHeaders": [
    string
  ],
  "exposeHeaders": [
    string
  ],
  "maxAge": string,
  "allowCredentials": boolean
}
Fields
allowOrigins[]

string

Specifies the list of origins that will be allowed to do CORS requests. An origin is allowed if it exactly matches any value in the list.

allowOriginRegexes[]

string

Specifies the regular expression patterns that match allowed origins. For regular expression grammar please see github.com/google/re2/wiki/Syntax. An origin is allowed if it matches any pattern in the list.

allowMethods[]

string

Specifies the content for the Access-Control-Allow-Methods header.

allowHeaders[]

string

Specifies the content for the Access-Control-Allow-Headers header.

exposeHeaders[]

string

Specifies the content for the Access-Control-Expose-Headers header.

maxAge

string (int64 format)

Specifies how long results of a preflight request can be cached in seconds. This translates to the Access-Control-Max-Age header.

allowCredentials

boolean

In response to a preflight request, setting this to true indicates that the actual request can include user credentials. This translates to the Access-Control-Allow-Credentials header.