IdentityPropagation

microgateway.airlock.com/v1alpha1

IdentityPropagation specifies the desired identity propagation.

apiVersion: microgateway.airlock.com/v1alpha1
kind: IdentityPropagation
metadata:
  name: identity-propagation-example
spec:
  header:
    name: X-USER-NAME
    value:
      source:
        oidc:
          idToken:
            claim: "name"

apiVersion: microgateway.airlock.com/v1alpha1
kind: IdentityPropagation
metadata:
  name: default

IdentityPropagation

Field	Type	Description	Required	Default	Allowed Values
`metadata`	ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`	yes
spec	object	Specification of the desired identity propagation.	yes		`bearerToken{}`, `header{}`

IdentityPropagation.spec

Field	Type	Description	Required	Default	Allowed Values
bearerToken	object	BearerToken configures identity propagation via an authorization header containing a bearer token.	no
header	object	Header configures identity propagation via a request header.	no

IdentityPropagation.spec.bearerToken

Field	Type	Description	Required	Default	Allowed Values
source	object	Source from which to extract the token.	yes		`jwt{}`, `metadata{}`, `oidc{}`, `tokenExchange{}`

IdentityPropagation.spec.bearerToken.source

Field	Type	Description	Required	Allowed Values
jwt	object	JWT specifies to extract a value from a JWT.	no
metadata	object	Metadata specifies to extract a value from an Envoy dynamic filter metadata key.	no
oidc	object	OIDC specifies to extract a value from the result of an OpenID Connect flow.	no	`accessToken{}`, `idToken{}`
tokenExchange	object	TokenExchange specifies to use the token obtained via token exchange as value.	no

IdentityPropagation.spec.bearerToken.source.jwt

Field	Type	Description	Required	Default	Allowed Values
`claim`	string	The JWT claim to extract as value. If omitted, the entire JWT will be used as value.	no

IdentityPropagation.spec.bearerToken.source.metadata

Field	Type	Description	Required	Default	Allowed Values
`key`	string	Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`.	yes
`namespace`	string	Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`.	yes

IdentityPropagation.spec.bearerToken.source.oidc

Field	Type	Description	Required	Default	Allowed Values
accessToken	object	AccessToken specifies to extract the value from the OpenID Connect Access Token.	no
idToken	object	IDToken specifies to extract the value from the OpenID Connect ID Token.	no

IdentityPropagation.spec.bearerToken.source.oidc.idToken

Field	Type	Description	Required	Default	Allowed Values
`claim`	string	Claim selects the JWT claim from which to extract the value.	yes

IdentityPropagation.spec.bearerToken.source.tokenExchange

Field	Type	Description	Required	Default	Allowed Values
`claim`	string	Claim specifies the JWT claim to extract as value. If omitted, the entire token will be used as value. Note: If claim is specified, identity propagation will fail if the token obtained from the exchange is not a JWT.	no

IdentityPropagation.spec.header

Field	Type	Description	Required	Default	Allowed Values
`name`	string	Name of the header to set.	yes
value	object	Value to propagate to the application.	yes

IdentityPropagation.spec.header.value

Field	Type	Description	Required	Default	Allowed Values
source	object	Source from which to extract the value.	yes		`jwt{}`, `metadata{}`, `oidc{}`, `tokenExchange{}`

IdentityPropagation.spec.header.value.source

Field	Type	Description	Required	Allowed Values
jwt	object	JWT specifies to extract a value from a JWT.	no
metadata	object	Metadata specifies to extract a value from an Envoy dynamic filter metadata key.	no
oidc	object	OIDC specifies to extract a value from the result of an OpenID Connect flow.	no	`accessToken{}`, `idToken{}`
tokenExchange	object	TokenExchange specifies to use the token obtained via token exchange as value.	no

IdentityPropagation.spec.header.value.source.jwt

Field	Type	Description	Required	Default	Allowed Values
`claim`	string	The JWT claim to extract as value. If omitted, the entire JWT will be used as value.	no

IdentityPropagation.spec.header.value.source.metadata

Field	Type	Description	Required	Default	Allowed Values
`key`	string	Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`.	yes
`namespace`	string	Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`.	yes

IdentityPropagation.spec.header.value.source.oidc

Field	Type	Description	Required	Default	Allowed Values
accessToken	object	AccessToken specifies to extract the value from the OpenID Connect Access Token.	no
idToken	object	IDToken specifies to extract the value from the OpenID Connect ID Token.	no

IdentityPropagation.spec.header.value.source.oidc.idToken

Field	Type	Description	Required	Default	Allowed Values
`claim`	string	Claim selects the JWT claim from which to extract the value.	yes

IdentityPropagation.spec.header.value.source.tokenExchange

Field	Type	Description	Required	Default	Allowed Values
`claim`	string	Claim specifies the JWT claim to extract as value. If omitted, the entire token will be used as value. Note: If claim is specified, identity propagation will fail if the token obtained from the exchange is not a JWT.	no