Configuration for an authentication provider, including support for JSON Web Token (JWT).
JSON representation |
---|
{
"id": string,
"issuer": string,
"jwksUri": string,
"audiences": string,
"authorizationUrl": string,
"jwtLocations": [
{
object ( |
Fields | |
---|---|
id | The unique identifier of the auth provider. It will be referred to by Example: "bookstore_auth". |
issuer | Identifies the principal that issued the JWT. See https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1. Usually a URL or an email address. Examples: https://securetoken.google.com, 1234567-compute@developer.gserviceaccount.com |
jwksUri | URL of the provider's public key set, used to validate the signature of the JWT. See OpenID Discovery. Optional if the key set document (1) can be retrieved from OpenID Discovery of the issuer, or (2) can be inferred from the email domain of the issuer (e.g. a Google service account). |
audiences | The list of JWT audiences that are allowed to access. A JWT containing any of these audiences will be accepted. When this setting is absent, JWTs with audiences: - "https://[service.name]/ Example: |
authorizationUrl | Redirect URL if JWT token is required but not present or is expired. Implement authorizationUrl of securityDefinitions in OpenAPI spec. |
jwtLocations[] | Defines the locations to extract the JWT. For now it is only used by the Cloud Endpoints to store the OpenAPI extension x-google-jwt-locations. JWT locations can be one of HTTP headers, URL query parameters or cookies. The rule is that the first match wins. If not specified, the default is to use the following 3 locations: 1) Authorization: Bearer 2) x-goog-iap-jwt-assertion 3) access_token query parameter |

Default locations can be specified as follows:

```yaml
jwtLocations:
- header: Authorization
  valuePrefix: "Bearer "
- header: x-goog-iap-jwt-assertion
- query: access_token
```

JwtLocation
Specifies a location to extract JWT from an API request.
JSON representation |
---|
{ "valuePrefix": string, // Union field |
Fields | |
---|---|
valuePrefix | The value prefix. The value format is "valuePrefix{token}". Only applies to "in" header type. Must be empty for "in" query type. If not empty, the header value has to match (case sensitive) this prefix. If not matched, JWT will not be extracted. If matched, JWT will be extracted after the prefix is removed. For example, for "Authorization: Bearer {JWT}", valuePrefix="Bearer " with a space at the end. |
Union field | |
header | Specifies HTTP header name to extract JWT token. |
query | Specifies URL query parameter name to extract JWT token. |
cookie | Specifies cookie name to extract JWT token. |
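
The extraction rules above (default locations, first match wins, case-sensitive valuePrefix on headers, no prefix on query locations) can be exercised with the following added Python example; it is not code from the service or its documentation. The function names `extract_jwt` and `validate_locations` are hypothetical, falling through to the next location on a prefix mismatch is an assumed reading of "first match wins", and the code only locates the token: signature, issuer and audience checks still have to follow.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Default locations as listed in the jwtLocations description on this page.
DEFAULT_JWT_LOCATIONS = [
    {"header": "Authorization", "valuePrefix": "Bearer "},
    {"header": "x-goog-iap-jwt-assertion"},
    {"query": "access_token"},
]

def validate_locations(locations):
    """Enforce the JwtLocation rules: one union member, no prefix on query."""
    for loc in locations:
        kinds = [k for k in ("header", "query", "cookie") if k in loc]
        if len(kinds) != 1:
            raise ValueError(f"need exactly one of header/query/cookie: {loc}")
        if kinds[0] == "query" and loc.get("valuePrefix"):
            raise ValueError("valuePrefix must be empty for a query location")

def extract_jwt(url, headers, locations=None):
    """Return (token, location) for the first location that yields a token."""
    locations = locations or DEFAULT_JWT_LOCATIONS
    validate_locations(locations)
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names: case-insensitive
    query = parse_qs(urlsplit(url).query)
    cookies = SimpleCookie(hdrs.get("cookie", ""))
    for loc in locations:
        prefix = ""
        if "header" in loc:
            value = hdrs.get(loc["header"].lower())
            prefix = loc.get("valuePrefix", "")  # prefix applies to headers only
        elif "query" in loc:
            value = (query.get(loc["query"]) or [None])[0]
        else:
            morsel = cookies.get(loc["cookie"])
            value = morsel.value if morsel else None
        # Case-sensitive prefix check; on a mismatch nothing is extracted here and
        # the next location is tried (assumed reading of "first match wins").
        if value is None or not value.startswith(prefix):
            continue
        token = value[len(prefix):]
        if token:
            return token, loc
    return None, None

if __name__ == "__main__":
    # Constructed request: wrong-case prefix in the header, token also in the query.
    print(extract_jwt("https://api.example.test/books?access_token=q.q.q",
                      {"Authorization": "bearer h.h.h"}))
```

In the constructed request, the header value "bearer h.h.h" fails the case-sensitive "Bearer " prefix, so the token is taken from the access_token query parameter instead.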