Docs Support

English
Deutsch
Español – América Latina
Français
Português – Brasil
中文 – 简体
日本語
한국어

Contact Us Start free

AuthProvider

JSON representation
JwtLocation
- JSON representation

Configuration for an authentication provider, including support for JSON Web Token (JWT).

JSON representation
{ "id": string, "issuer": string, "jwksUri": string, "audiences": string, "authorizationUrl": string, "jwtLocations": [ { object (`JwtLocation`) } ] }

Fields
`id`	`string` The unique identifier of the auth provider. It will be referred to by `AuthRequirement.provider_id`. Example: "bookstore_auth".
`issuer`	`string` Identifies the principal that issued the JWT. See https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1 Usually a URL or an email address. Example: https://securetoken.google.com Example: 1234567-compute@developer.gserviceaccount.com
`jwksUri`	`string` URL of the provider's public key set to validate signature of the JWT. See OpenID Discovery. Optional if the key set document: - can be retrieved from [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html of the issuer. - can be inferred from the email domain of the issuer (e.g. a Google service account). Example: https://www.googleapis.com/oauth2/v1/certs
`audiences`	`string` The list of JWT audiences. that are allowed to access. A JWT containing any of these audiences will be accepted. When this setting is absent, JWTs with audiences: - "https://[service.name]/`google.protobuf.Api.name`" - "https://[service.name]/" will be accepted. For example, if no audiences are in the setting, LibraryService API will accept JWTs with the following audiences: - https://library-example.googleapis.com/google.example.library.v1.LibraryService - https://library-example.googleapis.com/ Example: `audiences: bookstore_android.apps.googleusercontent.com, bookstore_web.apps.googleusercontent.com`
`authorizationUrl`	`string` Redirect URL if JWT token is required but not present or is expired. Implement authorizationUrl of securityDefinitions in OpenAPI spec.
`jwtLocations[]`	`object (JwtLocation)` Defines the locations to extract the JWT. JWT locations can be either from HTTP headers or URL query parameters. The rule is that the first match wins. The checking order is: checking all headers first, then URL query parameters. If not specified, default to use following 3 locations: 1) Authorization: Bearer 2) x-goog-iap-jwt-assertion 3) access_token query parameter Default locations can be specified as followings: jwtLocations: - header: Authorization valuePrefix: "Bearer " - header: x-goog-iap-jwt-assertion - query: access_token

JwtLocation

Specifies a location to extract JWT from an API request.

JSON representation
{ "valuePrefix": string, // Union field `in` can be only one of the following: "header": string, "query": string // End of list of possible types for union field `in`. }

Fields
`valuePrefix`	`string` The value prefix. The value format is "valuePrefix{token}" Only applies to "in" header type. Must be empty for "in" query type. If not empty, the header value has to match (case sensitive) this prefix. If not matched, JWT will not be extracted. If matched, JWT will be extracted after the prefix is removed. For example, for "Authorization: Bearer {JWT}", valuePrefix="Bearer " with a space at the end.
Union field `in`. `in` can be only one of the following:
`header`	`string` Specifies HTTP header name to extract JWT token.
`query`	`string` Specifies URL query parameter name to extract JWT token.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2020-08-13 UTC.