diff --git a/docs/configuration.md b/docs/configuration.md index 73b3d69e8..cbae56283 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -227,19 +227,21 @@ Property **envoy-control.source.consul.tags.canary** | Service instance tag which indicate canary instance | canary ## JWT filter -Property | Description | Default value ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | --------- -**envoy-control.envoy.snapshot.jwt.forwardJwt** | If false, the JWT is removed in the request after a success verification. If true, the JWT is not removed in the request | true -**envoy-control.envoy.snapshot.jwt.forwardPayloadHeader** | the header name to forward a successfully verified JWT payload to the backend. The forwarded data is: `base64url_encoded(jwt_payload_in_JSON)` | x-oauth-token-validated -**envoy-control.envoy.snapshot.jwt.payloadInMetadata** | Key for token fields, the value is the protobuf::Struct converted from JWT JSON payload. | jwt -**envoy-control.envoy.snapshot.jwt.fieldRequiredInToken** | Name of the field that will be checked if its present in JWT. This field should be present in every token. | exp -**envoy-control.envoy.snapshot.jwt.defaultVerificationType** | Type of token validation, either ONLINE or OFFLINE (currently only OFFLINE supported) | offline -**envoy-control.envoy.snapshot.jwt.defaultOAuthPolicy** | Policy specifies a Jwt requirement. Allowed values are allowMissingOrFailed, allowMissing and strict. | strict -**envoy-control.envoy.snapshot.jwt.providers.{providerName}** | Provider of OAuth JWKs | empty map -**envoy-control.envoy.snapshot.jwt.providers.{providerName}.jwksUri** | Uri of the endpoint serving JWKs | http://localhost -**envoy-control.envoy.snapshot.jwt.providers.{providerName}.createCluster** | If true, cluster will be created for OAuth provider | false -**envoy-control.envoy.snapshot.jwt.providers.{providerName}.clusterName** | Name of the cluster | "" -**envoy-control.envoy.snapshot.jwt.providers.{providerName}.clusterPort** | Port of the cluster that will be created for provider | 443 -**envoy-control.envoy.snapshot.jwt.providers.{providerName}.cacheDuration** | Duration of caching public key fetched from provider | 300s -**envoy-control.envoy.snapshot.jwt.providers.{providerName}.connectionTimeout** | Connection timeout for request fetching JWKs | 1s -**envoy-control.envoy.snapshot.jwt.providers.{providerName}.matchings.{matching}** | Name of the token field that should be verified for given selector | empty map +Property | Description | Default value +--------------------------------------------------------------------------------------------- |--------------------------------------------------------------------------------------------------------------------------------------------------| --------- +**envoy-control.envoy.snapshot.jwt.forwardJwt** | If false, the JWT is removed in the request after a success verification. If true, the JWT is not removed in the request | true +**envoy-control.envoy.snapshot.jwt.forwardPayloadHeader** | the header name to forward a successfully verified JWT payload to the backend. The forwarded data is: `base64url_encoded(jwt_payload_in_JSON)` | x-oauth-token-validated +**envoy-control.envoy.snapshot.jwt.payloadInMetadata** | Key for token fields, the value is the protobuf::Struct converted from JWT JSON payload. | jwt +**envoy-control.envoy.snapshot.jwt.failedStatusInMetadata** | Key for non-verified JWT status, the value is the protobuf::Struct with `code` and `message` fields. | jwt_failure_reason +**envoy-control.envoy.snapshot.jwt.failedStatusInMetadataEnabled** | If true, metadata will contain expanded JWT status information. | true +**envoy-control.envoy.snapshot.jwt.fieldRequiredInToken** | Name of the field that will be checked if its present in JWT. This field should be present in every token. | exp +**envoy-control.envoy.snapshot.jwt.defaultVerificationType** | Type of token validation, either ONLINE or OFFLINE (currently only OFFLINE supported) | offline +**envoy-control.envoy.snapshot.jwt.defaultOAuthPolicy** | Policy specifies a Jwt requirement. Allowed values are allowMissingOrFailed, allowMissing and strict. | strict +**envoy-control.envoy.snapshot.jwt.providers.{providerName}** | Provider of OAuth JWKs | empty map +**envoy-control.envoy.snapshot.jwt.providers.{providerName}.jwksUri** | Uri of the endpoint serving JWKs | http://localhost +**envoy-control.envoy.snapshot.jwt.providers.{providerName}.createCluster** | If true, cluster will be created for OAuth provider | false +**envoy-control.envoy.snapshot.jwt.providers.{providerName}.clusterName** | Name of the cluster | "" +**envoy-control.envoy.snapshot.jwt.providers.{providerName}.clusterPort** | Port of the cluster that will be created for provider | 443 +**envoy-control.envoy.snapshot.jwt.providers.{providerName}.cacheDuration** | Duration of caching public key fetched from provider | 300s +**envoy-control.envoy.snapshot.jwt.providers.{providerName}.connectionTimeout** | Connection timeout for request fetching JWKs | 1s +**envoy-control.envoy.snapshot.jwt.providers.{providerName}.matchings.{matching}** | Name of the token field that should be verified for given selector | empty map