auth_config.proto

syntax = "proto3";
package enterprise.gloo.solo.io;

option go_package = "github.com/solo-io/solo-apis/pkg/api/enterprise.gloo.solo.io/v1";

import "github.com/solo-io/solo-kit/api/v1/ref.proto";

import "extproto/ext.proto";
option (extproto.equal_all) = true;
option (extproto.hash_all) = true;
option (extproto.clone_all) = true;

import "github.com/solo-io/solo-kit/api/v1/solo-kit.proto";
import "github.com/solo-io/solo-kit/api/external/envoy/api/v2/discovery.proto";
import "google/api/annotations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "google/protobuf/empty.proto";

// This is the user-facing auth configuration. When processed by Gloo, certain configuration types (i.a. oauth, opa)
// will be translated, e.g. to resolve resource references. See the `ExtAuthConfig.AuthConfig` for the final config
// format that will be included in the extauth snapshot.
message AuthConfigSpec {


    reserved 1;


    message Config {

        // optional: used when defining complex boolean logic, if `boolean_expr` is defined below. Also used
        // in logging. If omitted, an automatically generated name will be used (e.g. config_0, of the
        // pattern 'config_$INDEX_IN_CHAIN'). In the case of plugin auth, this field is ignored in favor of
        // the name assigned on the plugin config itself.
        google.protobuf.StringValue name = 9;

        oneof auth_config {
            // +kubebuilder:validation:XValidation:rule="has(self.apr) ? !has(self.encryption) && !has(self.userList) : has(self.encryption) && has(self.userList)",message="Either apr or both encryption and userSource must be set; apr may not be set alongside either encryption or userSource"
            BasicAuth basic_auth = 1;
            OAuth oauth = 2 [deprecated = true];
            OAuth2 oauth2 = 8;
            ApiKeyAuth api_key_auth = 4;
            AuthPlugin plugin_auth = 5 [deprecated = true];
            OpaAuth opa_auth = 6;
            Ldap ldap = 7;
            // This is a "dummy" extauth service which can be used to support multiple auth mechanisms with JWT authentication.
            // If Jwt authentication is to be used in the [boolean expression](https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/solo-apis/api/gloo/enterprise.gloo/v1/auth_config.proto.sk/#authconfig) in an AuthConfig, you can use this auth config type to include Jwt as an Auth config.
            // In addition, `allow_missing_or_failed_jwt` must be set on the Virtual Host or Route that uses JWT auth or else the JWT filter will short circuit this behaviour.
            google.protobuf.Empty jwt = 11;
            // +kubebuilder:validation:XValidation:rule="has(self.grpc) || has(self.http)",message="Must specify grpc or http"
            PassThroughAuth pass_through_auth = 12;
            HmacAuth hmac_auth = 13;
            OpaServerAuth opa_server_auth = 14;
            PortalAuth portal_auth = 15;
        }
    }

    // List of auth configs to be checked for requests on a route referencing this auth config,
    // By default, every config must be authorized for the entire request to be authorized. This
    // behavior can be changed by defining names for each config and defining `boolean_expr` below.
    //
    // State is shared between successful requests on the chain, i.e., the headers returned from each
    // successful auth service get appended into the final auth response.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinItems=1
    repeated Config configs = 3;

    // How to handle processing of named configs within an auth config chain.
    // An example config might be: `( basic1 || basic2 || (oidc1 && !oidc2) )`
    // The boolean expression is evaluated left to right but honors parenthesis and short-circuiting.
    google.protobuf.StringValue boolean_expr = 10;

    // How the service should handle a redirect response from an OIDC issuer. In the default false mode,
    // the redirect will be considered a successful response, and the client will receive a 302 with a location header.
    // If this is set to true, the client will instead receive a 401 unauthorized response. This is useful in cases where
    // API calls are being made or other such occurrences where the client cannot handle the redirect.
    bool fail_on_redirect = 11;
}

// Auth configurations defined on virtual hosts, routes, and weighted destinations will be unmarshalled to this message.
message ExtAuthExtension {
    oneof spec {
        //  Set to true to disable auth on the virtual host/route.
        bool disable = 1;
        // A reference to an AuthConfig. This is used to configure the Gloo Edge Enterprise extauth server.
        core.solo.io.ResourceRef config_ref = 2;
        // Use this field if you are running your own custom extauth server.
        CustomAuth custom_auth = 3;
    }
}

// Global external auth settings
message Settings {
    // The upstream to ask about auth decisions
    core.solo.io.ResourceRef extauthz_server_ref = 1;

    oneof service_type {
        // If this is set, communication to the upstream will be via HTTP and not GRPC (default).
        HttpService http_service = 2;

        // Optional, if set the communication to the upstream will be via GRPC.
        GrpcService grpc_service = 11;
    }


    // If the auth server trusted id of the user, it will be set in this header.
    // Specifically this means that this header will be sanitized form the incoming request.
    string user_id_header = 3;

    // Timeout for the ext auth service to respond. Defaults to 200ms
    google.protobuf.Duration request_timeout = 4;

    // In case of a failure or timeout querying the auth server, normally a request is denied.
    // if this is set to true, the request will be allowed.
    bool failure_mode_allow = 5;

    // Set this if you also want to send the body of the request, and not just the headers.
    BufferSettings request_body = 6;

    // Clears route cache in order to allow the external authorization service to correctly affect
    // routing decisions. Filter clears all cached routes when:
    //
    // 1. The field is set to *true*.
    //
    // 2. The status returned from the authorization service is a HTTP 200 or gRPC 0.
    //
    // 3. At least one *authorization response header* is added to the client request, or is used for
    // altering another client request header.
    //
    bool clear_route_cache = 7;

    // Sets the HTTP status that is returned to the client when there is a network error between the
    // filter and the authorization server. The default status is HTTP 403 Forbidden.
    // If set, this must be one of the following:
    // - 100
    // - 200 201 202 203 204 205 206 207 208 226
    // - 300 301 302 303 304 305 307 308
    // - 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 421 422 423 424 426 428 429 431
    // - 500 501 502 503 504 505 506 507 508 510 511
    uint32 status_on_error = 8;

    // Describes the transport protocol version to use when connecting to the ext auth server.
    enum ApiVersion {
        // Use v3 API.
        V3 = 0;
    }

    // Determines the API version for the `ext_authz` transport protocol that will be used by Envoy
    // to communicate with the auth server. Defaults to `V2`. For more info, see the `transport_api_version` field
    // [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto#extensions-filters-http-ext-authz-v3-extauthz).
    ApiVersion transport_api_version = 9;

    // Optional additional prefix to use when emitting statistics.
    // This allows to distinguish emitted statistics between configured ext_authz filters in an HTTP filter chain.
    string stat_prefix = 10;
}

message GrpcService {
    // Set the authority header when calling the GRPC service.
    string authority = 1;
}

message HttpService {
    // Sets a prefix to the value of authorization request header *Path*.
    string path_prefix = 1;

    message Request {
        // These headers will be copied from the incoming request to the request going
        // to the auth server. Note that in addition to the user's supplied matchers:
        //
        // 1. *Host*, *Method*, *Path* and *Content-Length* are automatically included to the list.
        //
        // 2. *Content-Length* will be set to 0 and the request to the authorization service will not have
        // a message body.
        repeated string allowed_headers = 1;

        // These headers that will be included to the request to authorization service. Note that
        // client request of the same key will be overridden.
        map<string, string> headers_to_add = 2;

        // Headers that match these regex patterns will be copied from the incoming request
        // to the request going to the auth server.
        repeated string allowed_headers_regex = 3;
    }
    Request request = 2;

    message Response {
        // When this is set, authorization response headers that have a header in this list will be added to the original client request and sent to the upstream.
        // Note that coexistent headers will be overridden.
        repeated string allowed_upstream_headers = 1;

        // When this is set, authorization response headers in this list will be added to the client's response when the auth request is denied.
        // Note that when this list is *not* set, all the authorization response headers, except *Authority
        // (Host)* will be in the response to the client. When a header is included in this list, *Path*,
        // *Status*, *Content-Length*, *WWW-Authenticate* and *Location* are automatically added.
        repeated string allowed_client_headers = 2;

        // When this is set, authorization response headers that have a correspondent match will be added to the client's response.
        // Note that coexistent headers will be appended.
        repeated string allowed_upstream_headers_to_append = 3;
    }
    Response response = 3;
}

// Configuration for buffering the request data.
message BufferSettings {
    // Sets the maximum size of a message body that the filter will hold in memory. Envoy will return
    // *HTTP 413* and will *not* initiate the authorization process when buffer reaches the number
    // set in this field. Note that this setting will have precedence over failure_mode_allow.
    // Defaults to 4KB.
    uint32 max_request_bytes = 1;

    // When this field is true, Envoy will buffer the message until *max_request_bytes* is reached.
    // The authorization request will be dispatched and no 413 HTTP error will be returned by the
    // filter.
    bool allow_partial_message = 2;

    // When this field is true, Envoy will send the body sent to the external authorization service with raw bytes.
    bool pack_as_bytes = 3;
}

// Gloo is not expected to configure the ext auth server in this case.
// This is used with custom auth servers.
message CustomAuth {
    // When a request matches the virtual host, route, or weighted destination on which this configuration is defined,
    // Gloo will add the given context_extensions to the request that is sent to the external authorization server.
    // This allows the server to base the auth decision on metadata that you define on the source of the request.
    //
    // This attribute is analogous to Envoy's config.filter.http.ext_authz.v2.CheckSettings. See the official
    // [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto#envoy-v3-api-msg-extensions-filters-http-ext-authz-v3-checksettings)
    // for more details.
    map<string, string> context_extensions = 1;

    // [Enterprise-only]
    // Only required in the case where multiple auth servers are configured in Settings
    // This name must match a key in the named_extauth Settings.
    string name = 2;
}

// **Deprecated**: The pluginAuth config type is deprecated and will be removed in a future release. Use passThroughAuth instead.
message AuthPlugin {
    // Name of the plugin
    string name = 1;
    // Name of the compiled plugin file. If not specified, Gloo Edge will look for an ".so" file with same name as the plugin.
    string plugin_file_name = 2;
    // Name of the exported symbol that implements the plugin interface in the plugin.
    // If not specified, defaults to the name of the plugin
    string exported_symbol_name = 3;

    // +kubebuilder:validation:Required
    google.protobuf.Struct config = 4;
}

// This is the legacy/simple basic auth config. It supports the APR and SHA-1 hashing algorithms.
//
// When using basic auth, requests can pass only one `Authorization` header. You cannot use basic auth config in
// conjunction with other auth configs that rely on the `Authorization` header as well. In case of such a conflict,
// use a different type of auth config or configure a different header, such as `X-Auth`.
message BasicAuth {
    string realm = 1;

    // If 'apr' is defined, 'encryption' and 'user_source' must not be defined or the config will fail validation
    message Apr {
        // Message to store the salt and salted hashed password for a user
        message SaltedHashedPassword {
            // Salt used with the apr algorithm for the user
            string salt = 1;
            // Salted and hashed password for the user
            string hashed_password = 2;
        }
        // Map of authorized usernames to stored credentials
        map<string, SaltedHashedPassword> users = 2;
    }
    Apr apr = 2;

    // Below here is the "extended" basic auth config. Hashing algorithm and user source are independent and configurable.
    // It is required to define exactly one of 'apr' or ('encryption' and 'user_source') or the config will fail validation

    // The encryption/hashing algorithm to use to store the password
    message EncryptionType {
        // Sha1 encryption type (https://datatracker.ietf.org/doc/html/rfc3174)
        // Sha1 is considered insecure and is not recommended for production use
        message Sha1 {}
        // Apache specific iterated MD5 hashing: (https://httpd.apache.org/docs/2.4/misc/password_encryptions.html)
        message Apr {}
        oneof algorithm {
            Apr apr = 1;
            Sha1 sha1 = 2;
        }
    }

    // The encryption type to use to store the password on the server
    // If 'encryption' is defined, 'user_source' must be defined and the top level 'apr' field must not be defined or the config will fail validation
    EncryptionType encryption = 3;

    // Message to store user data. We need the salt and salted hashed password for each user
    message User {
        // Salt used with the hashing algorithm for the user
        string salt = 1;
        // Salted and hashed password for the user
        string hashed_password = 2;
    }

     // Map of valid usernames to stored credentials
    message UserList {
        map<string, User> users= 1;
    }

     // Source of user credential data
     // If 'user_source' is defined, 'encryption' must be defined and the top level 'apr'' field must not be defined or the config will fail validation
    oneof user_source {
        UserList user_list = 4;
    }
}


// HMAC is a message authentication technique that can use multiple algorithms for finding credentials and generating signed messages.
// It conforms to https://www.ietf.org/rfc/rfc2104.txt
message HmacAuth {
    // Configuration for how secrets are stored.
    oneof secret_storage {
        // +kubebuilder:validation:Required
        SecretRefList secret_refs = 1;
    }
    // Algorithm to use to turn the request into a hashable string
    oneof implementation_type{
        HmacParametersInHeaders parameters_in_headers = 2;
    }
}
message SecretRefList {
    // list of secrets as registered with the issuer
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinItems=1
    repeated core.solo.io.ResourceRef secret_refs = 1;
}
// Extract the HMAC parameters from the HTTP headers and use SHA-1 hashing
message HmacParametersInHeaders {}

// Deprecated: Prefer OAuth2
message OAuth {
    // your client id as registered with the issuer
    string client_id = 1 [deprecated = true];

    // your client secret as registered with the issuer
    core.solo.io.ResourceRef client_secret_ref = 2 [deprecated = true];

    // The url of the issuer. We will look for OIDC information in issuerUrl+
    // ".well-known/openid-configuration"
    string issuer_url = 3 [deprecated = true];

    // extra query parameters to apply to the Ext-Auth service's authorization request to the identity provider.
    map<string, string> auth_endpoint_query_params = 7 [deprecated = true];

    // we to redirect after successful auth, if we can't determine the original
    // url this should be your publicly available app url.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string app_url = 4 [deprecated = true];

    // a callback path relative to app url that will be used for OIDC callbacks.
    // needs to not be used by the application
    string callback_path = 5 [deprecated = true];

    // Scopes to request in addition to openid scope.
    repeated string scopes = 6 [deprecated = true];
}

message OAuth2 {
    oneof oauth_type {
        // provide issuer location and let gloo handle OIDC flow for you.
        // requests authorized by validating the contents of ID token.
        // can also authorize the access token if configured.
        //
        // +kubebuilder:validation:XValidation:rule="has(self.clientAuthentication) ? !has(self.clientSecretRef) && !has(self.disableClientSecret) : has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret)",message="If clientAuthentication is set, neither clientSecretRef nor disableClientSecret may be set. Otherwise, clientSecretRef must be set or disableClientSecret must be true."
        OidcAuthorizationCode oidc_authorization_code = 1;

        // provide the access token on the request and let gloo handle authorization.
        //
        // according to https://datatracker.ietf.org/doc/html/rfc6750 you can pass tokens through:
        // - form-encoded body parameter. recommended, more likely to appear. e.g.: Authorization: Bearer mytoken123
        // - URI query parameter e.g. access_token=mytoken123
        // - and (preferably) secure cookies
        AccessTokenValidation access_token_validation = 2;

        // Enterprise-Only: THIS FEATURE IS IN TECH PREVIEW. APIs are versioned as alpha and subject to change.
        // provide issuer location and let Gloo handle Oauth2 flow for you.
        // requests authorized by validating the contents of access token.
        // Prefer to use OIDC for better security.
        //
        // +kubebuilder:validation:XValidation:rule="has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret)",message="Either clientSecretRef must be set or disableClientSecret must be true"
        PlainOAuth2 oauth2 = 3;
    }
}

message RedisOptions {
    // address of the redis. can be address:port or unix://path/to/unix.sock
    string host = 1;
    // db to use. can leave unset for db 0.
    int32 db = 2;
    // size of the connection pool. can leave unset for default.
    // defaults to 10 connections per every CPU
    int32 pool_size = 3;
	// enabled with a socket type of TLS. this is the tls cert mount path for this particular host.
	// the generic secret can include the keys 'ca.crt', 'tls.crt', and 'tls.key'.
	// the secret can contain the root-ca ,'ca.crt', at minimum. If a
	// certificate is needed, both the 'tls.crt' and 'tls.key' need to be included.
	// reference this to equal the 'mountPath' on the 'redis.certs[x].mountPath' in the helm chart values.
	// an example of a mount path is '/certs'.
    string tls_cert_mount_path = 4;
    // redis socket types
    enum SocketType {
        // TCP connection socket, this is the default.
        TCP = 0;
        // TLS connection socket.
        TLS = 1;
    }
    // the socket type, default is TCP.
    SocketType socket_type = 5;
}

message UserSession {
    message InternalSession {
        // Refresh expired id-tokens using the refresh-token. The tokens refreshes when the client issues a call.
        // Defaults to false. To enable refreshing, set to true.
        google.protobuf.BoolValue allow_refreshing = 1;
        // Prefix to append to cookie keys, such as for separate domain and subdomain prefixes.
        // Cookie keys are stored in the form `<key_prefix>_<cookie_name>`.
        // For more information, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes
        string key_prefix = 2;
        // Domain used to validate against requests in order to ensure that request host name matches target domain.
        // If the target domain is provided will prevent requests that do not match the target domain according to
        // the domain matching specifications in RFC 6265. For more information, see https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.3
        string target_domain = 3;
    }
    message RedisSession {
        // Options to connect to redis
        RedisOptions options = 1;
        // Key prefix inside redis
        string key_prefix = 2;
        // Cookie name to set and store the session id. If empty the default "__session" is used.
        string cookie_name = 3;
        // Refresh expired id-tokens using the refresh-token. The tokens refreshes when the client issues a call.
        // Defaults to true. To disable refreshing, set to false.
        google.protobuf.BoolValue allow_refreshing = 4;
        // Specifies a time buffer in which an id-token will be refreshed prior to its
        // actual expiration. Defaults to 2 seconds. A duration of 0 will only refresh
        // tokens after they have already expired. To refresh tokens, you must also set
        // 'allowRefreshing' to 'true'; otherwise, this field is ignored.
        google.protobuf.Duration pre_expiry_buffer = 5;
        // Domain used to validate against requests in order to ensure that request host name matches target domain.
        // If the target domain is provided will prevent requests that do not match the target domain according to
        // the domain matching specifications in RFC 6265. For more information, see https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.3
        string target_domain = 6;

        // If set, the name of the header that will include the randomly generated session id
        // This would be used as part of the code exchange with the Oauth2 token endpoint
        string header_name = 7;
    }

    // should we fail auth flow when failing to get a session from redis, or allow it to continue,
    // potentially starting a new auth flow and setting a new session.
    bool fail_on_fetch_failure = 1;

    message CookieOptions {
        // Max age for the cookie. Leave unset for a default of 30 days (2592000 seconds).
        // To disable cookie expiry, set explicitly to 0.
        google.protobuf.UInt32Value max_age = 1;
        // Use a non-secure cookie. Note - this should only be used for testing and in trusted
        // environments.
        bool not_secure = 2;
        // Set the cookie to be HttpOnly. defaults to true. Set explicity to false to disable.
        google.protobuf.BoolValue http_only = 5;
        // Path of the cookie. If unset, defaults to "/". Set it explicitly to "" to avoid setting a
        // path.
        google.protobuf.StringValue path = 3;
        // The SameSite options. The default value is LaxMode.
        enum SameSite {
            // Default Mode is the same as LaxMode but will not show up in the Cookie Header. This value is ignored.
            DefaultMode = 0;
            // Cookies are not sent on normal cross-site subrequests, but are sent when
            // navigating to the origin site.
            LaxMode = 1;
            // Only be sent in a first-party context and not be sent along with requests
            // initiated by third party websites.
            StrictMode = 2;
            // Cookies are sent in all contexts. Cookie NotSecure must be unset.
            NoneMode = 3;
        }
        // Whether the cookie should be restricted to a first-party or same-site context.
        // The default mode is LaxMode.
        SameSite same_site = 6;
        // Cookie domain
        string domain = 4;
    }

    // Set-Cookie options
    CookieOptions cookie_options = 2;
    oneof session {
        // Set the tokens in the cookie itself. No need for server side state.
        InternalSession cookie = 3;
        // Use redis to store the tokens and just store a random id in the cookie.
        RedisSession redis = 4;
    }
    // the cipher config is used to encrypt session cookie values.  This is currently only available for OIDC.
    message CipherConfig {
        // to enable the cipher encryption, the key has to be present. Note that the key has to be found and 32 bytes in
        // length for the authconfig to not be rejected.
        oneof key {
            // The key reference used for the cipher. The reference must be a Kubernetes Secret of type `gloo.solo.io.EncryptionKeySecret`.
            core.solo.io.ResourceRef key_ref = 1;
        }
    }
    // the cipher config enables the symmetric key encryption of the cookie values of the user session.
    CipherConfig cipher_config = 5;
}

message HeaderConfiguration {
    // If set, the id token will be forward upstream using this header name.
    string id_token_header = 1;
    // If set, the access token will be forward upstream using this header name.
    string access_token_header = 2;
    // If true, adds the "Bearer" prefix to the upstream access token header value.
    google.protobuf.BoolValue use_bearer_schema_for_authorization = 3;
}

// OIDC configuration is discovered at <issuerUrl>/.well-known/openid-configuration
// The discovery override defines any properties that should override this discovery configuration
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
message DiscoveryOverride {
    // url of the provider authorization endpoint
    string auth_endpoint = 1;

    // url of the provider token endpoint
    string token_endpoint = 2;

    // url of the provider json web key set
    string jwks_uri = 3;

    // list of scope values that the provider supports
    repeated string scopes = 4;

    // list of response types that the provider supports
    repeated string response_types = 5;

    // list of subject identifier types that the provider supports
    repeated string subjects = 6;

    // list of json web signature signing algorithms that the provider supports for encoding claims in a jwt
    repeated string id_token_algs = 7;

    // list of client authentication methods supported by the provider token endpoint
    repeated string auth_methods = 8;

    // list of claim types that the provider supports
    repeated string claims = 9;

    // url of the provider token revocation endpoint
    string revocation_endpoint = 10;

    // url of the provider end session endpoint
    string end_session_endpoint = 11;
}

// The json web key set (JWKS) (https://datatracker.ietf.org/doc/html/rfc7517) is discovered at an interval
// from a remote source. When keys rotate in the remote source, there may be a delay in the
// local source picking up those new keys. Therefore, a user could execute a request with a token
// that has been signed by a key in the remote JWKS, but the local cache doesn't have the key yet.
// The request would fail because the key isn't contained in the local set. Since most IdPs publish key
// keys in their remote JWKS before they are used, this is not an issue most of the time.
// This policy lets you define the behavior for when a user has a token with a key
// not yet in the local cache.
message JwksOnDemandCacheRefreshPolicy {
    oneof policy {
        // Never refresh the local JWKS cache on demand. If a key is not in the cache, it is assumed to be malicious.
        // This is the default policy since we assume that IdPs publish keys before they rotate them,
        // and frequent polling finds the newest keys.
        google.protobuf.Empty never = 1;

        // If a key is not in the cache, fetch the most recent keys from the IdP and update the cache.
        // NOTE: This should only be done in trusted environments, since missing keys will each trigger
        // a request to the IdP. Using this in an environment exposed to the internet will allow malicious agents to
        // execute a DDoS attack by spamming protected endpoints with tokens signed by invalid keys.
        google.protobuf.Empty always = 2;

        // If a key is not in the cache, fetch the most recent keys from the IdP and update the cache.
        // This value sets the number of requests to the IdP per polling interval. If that limit is exceeded,
        // we will stop fetching from the IdP for the remainder of the polling interval.
        uint32 max_idp_req_per_polling_interval = 3;
    }
}

message AutoMapFromMetadata {
    // The namespace from which to map metadata
    string namespace = 1;
}

message EndSessionProperties {
    // The Method used to make the request.
    enum MethodType {
        // Uses GET method when making the request
        GetMethod = 0;
        // Uses POST method when making the request
        PostMethod = 1;
    }
    // The method type used by the end session endpoint, defaults to GET.
    MethodType methodType = 1;
}

// Map a single claim from an OAuth2 or OIDC token to a header in the request to the upstream destination.
message ClaimToHeader {
    // The claim name from the token, such as `sub`.
    string claim = 1;

    // The header to copy the claim to, such as `x-sub`.
    string header = 2;

    // If the header exists, append the claim value to the header (true), or overwrite any existing value (false). The default behavior is to overwrite any existing value (false).
    bool append = 3;
}

// For apps in Microsoft Azure, configure Microsoft Entra ID as the OpenID Connect (OIDC) provider.
// This way, you can enable distributed claims and caching for when users are members of more than 200 groups.
message Azure {
    // The client ID for the ExtAuthService app that is registered in MS Entra,
    // to access the Microsoft Graph API to retrieve distributed claims.
    // This app is NOT the app that you want to configure external auth for.
    string client_id = 1;

    // The tenant ID represents the MS Entra organization ID where the ExtAuthService app is registered.
    // This tenant ID may or may not be the same as in the top level `OidcAuthorizationCodeConfig`,
    // depending on how your Azure account is provisioned.
    string tenant_id = 2;

    // The client secret of the ExtAuthService app that is registered with MS Entra to communicate with the MS Graph API.
    // The client secret data must be placed in a k8s secret under a key called 'client-secret'.
    core.solo.io.ResourceRef client_secret = 3;

    // Redis connection details to cache MS Entera claims.
    // This way, you avoid performance issues of accessing the Microsoft Graph API too many times.
    // Note that this setting does NOT turn on Redis caching for the user session.
    // To turn on Redis user session caching, use the `userSessionConfig` field.
    RedisOptions claims_caching_options = 4;
}

message OidcAuthorizationCode {
    // your client id as registered with the issuer
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string client_id = 1;

    // your client secret as registered with the issuer.
    // This is required unless `disable_client_secret` is true
    // This field has been deprecated and can be set in the client_secret option of client_authentication
    core.solo.io.ResourceRef client_secret_ref = 2 [deprecated = true];

    // The url of the issuer. We will look for OIDC information in issuerUrl+
    // ".well-known/openid-configuration"
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string issuer_url = 3;

    // extra query parameters to apply to the Ext-Auth service's authorization request to the identity provider.
    // this can be useful for flows such as PKCE (https://www.oauth.com/oauth2-servers/pkce/authorization-request/)
    // to set the `code_challenge` and `code_challenge_method`.
    map<string, string> auth_endpoint_query_params = 4;

    // extra query parameters to apply to the Ext-Auth service's token request to the identity provider.
    // this can be useful for flows such as PKCE (https://www.oauth.com/oauth2-servers/pkce/authorization-request/)
    // to set the `code_verifier`.
    map<string, string> token_endpoint_query_params = 14;

    // where to redirect after successful auth, if we can't determine the original url.
    // this should be your publicly available app url.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string app_url = 5;

    // a callback path relative to app url that will be used for OIDC callbacks.
    // should not be used by the application.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string callback_path = 6;

    // a path relative to app url that will be used for logging out from an OIDC session.
    // should not be used by the application.
    // If not provided, logout functionality will be disabled.
    string logout_path = 9;

    // url to redirect to after logout.
    // This should be a publicly available URL. If not provided, will default to the `app_url`.
    string after_logout_url = 15;

    // Scopes to request in addition to openid scope.
    repeated string scopes = 7;

    // Configuration related to the user session.
    UserSession session = 8;

    // Configures headers added to requests.
    HeaderConfiguration headers = 10;

    // OIDC configuration is discovered at <issuerUrl>/.well-known/openid-configuration
    // The discovery override defines any properties that should override this discovery configuration
    // For example, the following AuthConfig CRD could be defined as:
    //    ```yaml
    //    apiVersion: enterprise.gloo.solo.io/v1
    //    kind: AuthConfig
    //    metadata:
    //      name: google-oidc
    //      namespace: gloo-system
    //    spec:
    //      configs:
    //      - oauth:
    //          app_url: http://localhost:8080
    //          callback_path: /callback
    //          client_id: $CLIENT_ID
    //          client_secret_ref:
    //            name: google
    //            namespace: gloo-system
    //          issuer_url: https://accounts.google.com
    //          discovery_override:
    //            token_endpoint: "https://token.url/gettoken"
    //    ```
    //
    // And this will ensure that regardless of what value is discovered at
    // <issuerUrl>/.well-known/openid-configuration, "https://token.url/gettoken" will be used as the token endpoint
    DiscoveryOverride discovery_override = 11;

    // The interval at which OIDC configuration is discovered at <issuerUrl>/.well-known/openid-configuration
    // If not specified, the default value is 30 minutes.
    google.protobuf.Duration discovery_poll_interval = 12;

    // If a user executes a request with a key that is not found in the JWKS, it could be
    // that the keys have rotated on the remote source, and not yet in the local cache.
    // This policy lets you define the behavior for how to refresh the local cache during a request
    // where an invalid key is provided
    JwksOnDemandCacheRefreshPolicy jwks_cache_refresh_policy = 13;

    // in the future we may implement this:
    // add optional configuration for validation of the access token received during the OIDC flow
    // AccessTokenValidation access_token_validation = 8;

    // DEPRECATED: Prefer the RedisSession.HeaderName field
    // If set, the randomly generated session id will be sent to the token endpoint as part of the code exchange
    // The session id is used as the key for sessions in Redis
    string session_id_header_name = 16 [deprecated = true];

    // If set, CallbackPath will be evaluated as a regular expression
    bool parse_callback_path_as_regex = 17;

    // If specified, authEndpointQueryParams and tokenEndpointQueryParams will be populated using dynamic metadata values.
    // By default parameters will be extracted from the solo_authconfig_oidc namespace
    // this behavior can be overridden by explicitly specifying a namespace
    AutoMapFromMetadata auto_map_from_metadata = 18;

    // If specified, these are properties defined for the end session endpoint
    // specifications. Noted [here](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)
    // in the OIDC documentation.
    EndSessionProperties end_session_properties = 19;

    // Map of metadata key to claim. Ie:
    // dynamic_metadata_from_claims:
    //   issuer: iss
    //   email: email
    // When specified, the matching claims from the ID token will be emitted as dynamic metadata.
    // Note that metadata keys must be unique, and the claim names must be alphanumeric and use `-` or `_` as separators.
    // The metadata will live in a namespace specified by the canonical name of the ext auth filter (in our case `envoy.filters.http.ext_authz`),
    // and the structure of the claim value will be preserved in the metadata struct.
    map<string, string> dynamic_metadata_from_claims = 20;

    // If true, do not check for or use the client secret.
    // Generally the client secret is required and AuthConfigs will be rejected if it isn't set.
    // However certain implementations of the PKCE flow do not use a client secret (including Okta) so this setting allows configuring Oidc without a client secret.
    // This field has been deprecated and can be set in the client_secret option of client_authentication
    google.protobuf.BoolValue disable_client_secret = 21 [deprecated = true];

    // Optional: Configuration specific to the OAuth2 access token received and processed by the ext-auth-service.
    AccessToken access_token = 23;

    // Optional: Configuration specific to the OIDC identity token received and processed by the ext-auth-service.
    IdentityToken identity_token = 24;

    // Optional: Map a single claim from an OAuth2 access token to a header in the request to the upstream destination.
    // Gloo Mesh products only: Note that if you want to clear the route cache to force the proxy to recalculate the
    // routing destination after adding the claims, you must create an additional JwtPolicy or TransformationPolicy,
    // and configure the `clearRouteCache` or `recalculateRoutingDestination` options.
    message AccessToken {

        // A list of claims to be mapped from the JWT token received by ext-auth-service to an upstream destination
        repeated ClaimToHeader claims_to_headers = 1;
    }

    // Optional: Map a single claim from an OIDC identity token to a header in the request to the upstream destination.
    message IdentityToken {

        // A list of claims to be mapped from the JWT token received by ext-auth-service to an upstream destination
        repeated ClaimToHeader claims_to_headers = 1;
    }

    // Configuration specific to the client authentication type used to exchange the access code for the access and id tokens.
    message ClientAuthentication {
        // Client Secret Authentication requires a client secret (unless it is disabled)
        message ClientSecret {
            // your client secret as registered with the issuer.
            // This is required unless `disable_client_secret` is true
            core.solo.io.ResourceRef client_secret_ref = 1;
            // If true, do not check for or use the client secret.
            // Generally the client secret is required and AuthConfigs will be rejected if it isn't set.
            // However certain implementations of the PKCE flow do not use a client secret (including Okta) so this setting allows configuring Oidc without a client secret.
            google.protobuf.BoolValue disable_client_secret = 2;
        }

         // Private Key JWT Authentication requires a signing key for the JWT and an duration for the JWT to be valid.
        message PrivateKeyJwt{
            // Signing key for the JWT used to authenticate the client
            //
            // +kubebuilder:validation:Required
            core.solo.io.ResourceRef signing_key_ref = 1;
            // Amount of time for which the JWT is valid. No maximum is enforced, but different IDPs may impose limits on how far in
            // the future the expiration time is allowed to be. If omitted, default is 5s.
            google.protobuf.Duration valid_for = 2;
        }

        // Configure how to authenticate the client
        oneof client_authentication_config {
            // Use the client secret method to authenticate the client
            //
            // +kubebuilder:validation:XValidation:rule="has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret)",message="Either clientSecretRef must be set or disableClientSecret must be true"
            ClientSecret client_secret = 1;
            // Use the private ket JWT method to authenticate the client
            PrivateKeyJwt private_key_jwt = 2;
        }
    }

    // +kubebuilder:validation:XValidation:rule="has(self.clientSecret) || has(self.privateKeyJwt)",message="Must specify clientSecret or privateKeyJwt"
    ClientAuthentication client_authentication = 25;

    oneof Provider {
        Default default = 26;
        Azure azure = 27;
    }

    // No-op, represents default OIDC behavior
    message Default {}

    // For the moment this is just path, but we may want to configure things like iss/sid validation
    message FrontChannelLogout {
        // Path to use for front channel logout. Should not be the same as logout or callback paths.
        string path=1;
    }

    // Configuration for front channel logout. This is used to log out the user from multiple apps/clients associated with one OpenId Provider (OP).
    // The path is registered with the OP and is called for each app/client that the user is logged into when the logout endpoint is called.
    FrontChannelLogout front_channel_logout = 28;
}

message PlainOAuth2 {
    // Your client ID as registered with the issuer
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string client_id = 1;

    // Your client secret as registered with the issuer.
    // This is required unless `disable_client_secret` is set.
    core.solo.io.ResourceRef client_secret_ref = 2;

    // Extra query parameters to apply to the Ext-Auth service's authorization request to the identity provider.
    // These parameters can be useful for flows such as [PKCE](https://www.oauth.com/oauth2-servers/pkce/authorization-request/)
    // to set the `code_challenge` and `code_challenge_method`.
    map<string, string> auth_endpoint_query_params = 3;

    // Where to redirect after successful auth, if Gloo can't determine the original URL.
    // Set this field to your publicly available app URL.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string app_url = 4;

    // A callback path relative to the app URL to be used for OAuth2 callbacks.
    // Do not use this path in the application itself.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string callback_path = 5;

    // Scopes to request for.
    repeated string scopes = 6;

    // Configuration related to the user session.
    UserSession session = 7;

    // A path relative to the app URL to use for logging out from an OAuth2 session.
    // Do not use this path in the application itself.
    // If not provided, logout functionality is disabled.
    string logout_path = 8;

    // Extra query parameters to apply to the Ext-Auth service's token request to the identity provider.
    // These parameters can be useful for flows such as [PKCE](https://www.oauth.com/oauth2-servers/pkce/authorization-request/)
    // to set the `code_verifier`.
    map<string, string> token_endpoint_query_params = 9;

    // URL to redirect to after logout.
    // Set this field to a publicly available URL. If not provided, this value defaults to the `app_url` value.
    string after_logout_url = 10;

    // The URL of the provider authorization endpoint.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string auth_endpoint = 11;

    // The URL of the provider token endpoint.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string token_endpoint = 12;

    // The URL of the provider token revocation endpoint.
    // For more information, refer to https://www.rfc-editor.org/rfc/rfc7009.
    string revocation_endpoint = 13;
    // If true, do not check for or use the client secret.
    // Generally the client secret is required and AuthConfigs will be rejected if it isn't set.
    // However certain implementations of the PKCE flow do not use a client secret (including Okta) so this setting allows configuring Oauth2 without a client secret.
    google.protobuf.BoolValue disable_client_secret = 14;
}

// Defines how JSON Web Token (JWT) access tokens are validated.
//
// Tokens are validated using a JSON Web Key Set (as defined in
// [Section 5 of RFC7517](https://datatracker.ietf.org/doc/html/rfc7517#section-5)),
// which can be either inlined in the configuration or fetched from a remote location via HTTP.
// Any keys in the JWKS that are not intended for signature verification (i.e. whose
// ["use" parameter](https://datatracker.ietf.org/doc/html/rfc7517#section-4.2) is not "sig")
// will be ignored by the system, as will keys that do not specify a
// ["kid" (Key ID) parameter](https://datatracker.ietf.org/doc/html/rfc7517#section-4.2).
//
// The JWT to be validated must define non-empty "kid" and "alg" headers. The "kid" header
// determines which key in the JWKS will be used to verify the signature of the token;
// if no matching key is found, the token will be rejected.
//
// If present, the server will verify the "exp", "iat", and "nbf" standard JWT claims.
// Validation of the "iss" claim and of token scopes can be configured as well.
// If the JWT has been successfully validated, its set of claims will be added to the
// `AuthorizationRequest` state under the "jwtAccessToken" key.
message JwtValidation {

    // Specifies how to fetch JWKS from remote and how to cache it.
    message RemoteJwks {
        // The HTTP URI to fetch the JWKS.
        //
        // +kubebuilder:validation:Required
        // +kubebuilder:validation:MinLength=1
        string url = 1;

        // The frequency at which the JWKS should be refreshed.
        // If not specified, the default value is 5 minutes.
        google.protobuf.Duration refresh_interval = 2;
    }

    // Represents a locally available JWKS.
    message LocalJwks {
        // JWKS is embedded as a string.
        //
        // +kubebuilder:validation:Required
        // +kubebuilder:validation:MinLength=1
        string inline_string = 1;
    }

    oneof jwks_source_specifier {
        // Fetches the JWKS from a remote location.
        RemoteJwks remote_jwks = 1;
        // Loads the JWKS from a local data source.
        LocalJwks local_jwks = 2;
    }

    // Allow only tokens that have been issued by this principal (i.e. whose "iss" claim matches this value).
    // If empty, issuer validation will be skipped.
    string issuer = 3;
}

// Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated
// [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662)
//
// If the token introspection url requires client authentication, both the client_id and client_secret
// are required. Unless disable_client_secret is set, when only one is provided, the config will be rejected.
// These values will be encoded in a basic auth header in order to authenticate the client.
message IntrospectionValidation {
    // The URL for the [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) endpoint.
    // If provided, the (opaque) access token provided or received from the oauth authorization endpoint
    // will be validated against this endpoint, or locally cached responses for this access token.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string introspection_url = 1;

    // Your client id as registered with the issuer.
    // Optional: Use if the token introspection url requires client authentication.
    string client_id = 2;

    // Your client secret as registered with the issuer.
    // Optional: Use if the token introspection url requires client authentication.
    core.solo.io.ResourceRef client_secret_ref = 3;

    // The name of the [introspection response](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2)
    // attribute that contains the ID of the resource owner (e.g. `sub`, `username`).
    // If specified, the external auth server will use the value of the attribute as the identifier of the
    // authenticated user and add it to the request headers and/or dynamic metadata (depending on how the
    // server is configured); if the field is set and the attribute cannot be found, the request will be denied.
    // This field is optional and by default the server will not try to derive the user ID.
    string user_id_attribute_name = 4;

    // Allows setting a client id but not a client secret.
    google.protobuf.BoolValue disable_client_secret = 5;

}

message AccessTokenValidation {

    oneof validation_type {
        // The URL for the [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) endpoint.
        // If provided, the (opaque) access token provided or received from the oauth authorization endpoint
        // will be validated against this endpoint, or locally cached responses for this access token.
        // This field is deprecated as it does not support authenticated introspection requests
        //
        // +kubebuilder:validation:MinLength=1
        string introspection_url = 1 [deprecated = true];

        // Validate access tokens that conform to the
        // [JSON Web Token (JWT)](https://datatracker.ietf.org/doc/rfc7662/) specification.
        JwtValidation jwt = 2;

        // Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated
        // [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) specification.
        //
        // +kubebuilder:validation:XValidation:rule="has(self.clientId) && size(self.clientId) > 0 ? has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret) : !has(self.clientSecretRef)",message="If clientId is set, clientSecretRef must be set or disableClientSecret must be true. Otherwise, clientSecretRef must not be set."
        IntrospectionValidation introspection = 3;

        // In the future we may implement HMAC validation
    }

    // The URL for the OIDC userinfo endpoint.
    // If provided, the (opaque) access token provided or received from the oauth endpoint
    // will be queried and the userinfo response (or cached response) will be added to the
    // `AuthorizationRequest` state under the "introspection" key.
    // This can be useful to leverage the userinfo response in, for example, an external auth server plugin.
    string userinfo_url = 4;

    // How long the token introspection and userinfo endpoint response for a specific access token should be kept
    // in the in-memory cache. The result will be invalidated at this timeout, or at "exp" time from the introspection
    // result, whichever comes sooner. If omitted, defaults to 10 minutes. If zero, then no caching will be done.
    google.protobuf.Duration cache_timeout = 5;

    // Optional criteria for validating the scopes of a token.
    oneof scope_validation {
        // Require access token to have all of the scopes in the given list.
        // This configuration applies to both opaque and JWT tokens. In the case of opaque tokens,
        // this will check the scopes returned in the "scope" member of introspection response
        // (as described in [Section 2.2 of RFC7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2).
        // In case of JWTs the scopes to be validated are expected to be contained in the "scope" claim of the
        // token in the form of a space-separated string.
        // Omitting this field means that scope validation will be skipped.
        ScopeList required_scopes = 6;

        // in the future we may add other types of scope validation (e.g. predicate matching)
    }

    // Map of metadata key to claim. Ie:
    // dynamic_metadata_from_claims:
    //   issuer: iss
    //   email: email
    // When specified, the matching claims from the access token will be emitted as dynamic metadata.
    // Note that metadata keys must be unique, and the claim names must be alphanumeric and use `-` or `_` as separators.
    // Works when the access token is a JWT or when the access token is opaque, in which case the claims will refer to field in the response from the token introspection endpoint.
    // The metadata will live in a namespace specified by the canonical name of the ext auth filter (in our case `envoy.filters.http.ext_authz`),
    // and the structure of the claim value will be preserved in the metadata struct.
    map<string, string> dynamic_metadata_from_claims = 7;

    // A list of claims to be mapped from the JWT token received by ext-auth-service to an upstream destination
    repeated ClaimToHeader claims_to_headers = 8;

    oneof Provider {
        Default default = 9;
        Azure azure = 10;
    }

    // No-op, represents default OIDC distributed claims behavior
    message Default {}

    message ScopeList {
      repeated string scope = 1;
    }
}

message OauthSecret {
    string client_secret = 1;
}

// Defines how API keys are validated.
//
// When the provided API key token has been successfully validated, it's token will be
// added to the `AuthorizationRequest` state under the "api_key_value" key name.
message ApiKeyAuth {
    // DEPRECATED: use K8sSecretApiKeyStorage to configure secrets storage backend. Values here
    // will be overwritten if values are specified in the storage backend.
    // Identify all valid API key secrets that match the provided label selector.
    // API key secrets must be in one of the watch namespaces for gloo to locate them.
    map<string, string> label_selector = 1 [deprecated = true];

    // DEPRECATED: use K8sSecretApiKeyStorage to configure secrets storage backend. Values here
    // will be overwritten if values are specified in the storage backend.
    // A way to directly reference API key secrets. This configuration can be useful for testing,
    // but in general the more flexible label selector should be preferred.
    repeated core.solo.io.ResourceRef api_key_secret_refs = 2 [deprecated = true];

    // When receiving a request, the Gloo Edge Enterprise external auth server will look for an API key in a header
    // with this name. This field is optional; if not provided it defaults to `api-key`.
    string header_name = 3;

    // DEPRECATED: use headers_from_metadata_entry
    map<string, SecretKey> headers_from_metadata = 4 [deprecated = true];

    // API key structures might contain additional data (e.g. the ID of the user that the API key belongs to)
    // in the form of extra fields included in the API key metadata structure.
    // This configuration can be used to add this data to the headers of successfully authenticated requests.
    // Each key in the map represents the name of header to be added; the corresponding value determines the key
    // in the API key metadata structure that will be inspected to determine the value for the header.
    //
    // When the provided API key token has been successfully validated, and this field has been configured, then
    // any extra API key metadata fields that were able to be discovered will be added to the `AuthorizationRequest`
    // state under the key name that was configured. For example, using the `x-user-name` string as the header name,
    // and referencing an existing "user-email" API key metadata entry will result in the value of this "user-email"
    // metadata entry being accessable in other auth modules in the `AuthorizationRequest.State["x-user-name"]` key.
    // This behavior allows other modules (e.g. OPA) to build more powerful rules to further validate the contents
    // of the extra API key metadata than what's possible using the standalone API key module.
    map<string, MetadataEntry> headers_from_metadata_entry = 5;

    oneof storage_backend {
        K8sSecretApiKeyStorage k8s_secret_apikey_storage = 6;
        AerospikeApiKeyStorage aerospike_apikey_storage = 7;
    }

    // DEPRECATED: use generalized MetadataEntry
    message SecretKey {
        // DEPRECATED
        // (Required) The key of the API key metadata entry to inspect.
        string name = 1;
        // DEPRECATED
        // If this field is set to `true`, Gloo will reject an API key structure that does not contain data for the given key.
        // Defaults to `false`. In this case, if an API key structure does not contain the requested data, no header will be added
        // to the request.
        bool required = 2;
    }

    // For the K8s secret backend, this data is stored as key-value data in the secret itself.
    // For the Aerospike backend, this data is stored as bins on the key's record
    message MetadataEntry {
        // (Required) The key of the API key metadata entry to inspect.
        string name = 1;
        // If this field is set to `true`, Gloo will reject an API key structure that does not contain data for the given key.
        // Defaults to `false`. In this case, if an API key structure does not contain the requested data, no header will be added
        // to the request.
        bool required = 2;
    }

    // API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated
    // in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator.
    // This validation comes with a performance cost, and can be disabled by setting this field to `true`.
    bool skip_metadata_validation = 8;
}
message K8sSecretApiKeyStorage {
    // Identify all valid API key secrets that match the provided label selector.<br/>
    // API key secrets must be in one of the watch namespaces for gloo to locate them.
    map<string, string> label_selector = 1;

    // A way to directly reference API key secrets. This configuration can be useful for testing,
    // but in general the more flexible label selector should be preferred.
    repeated core.solo.io.ResourceRef api_key_secret_refs = 2;
}

message AerospikeApiKeyStorage {
    // The IP address or hostname of one of the cluster members of your Aerospike database. The address must be reachable from Gloo Edge, such as in a virtual machine with a public IP address or in a pod in the cluster.
    // The client automatically discovers other members of the cluster after establishing a connection.
	string hostname = 1;
    // The Aerospike namespace of the database. Defaults to "solo-namespace".
	string namespace = 2;
    // The Aerospike set to use for storage of API keys. Defaults to "apikeys".
	string set = 3;
    // The port on which to connect to the Aerospike server. Defaults to 3000.
	int32 port = 4;
    // The size of the batch, which is the number of keys sent in the request. Defaults to 5000.
	int32 batch_size = 5;

	// The write settings for guaranteed consistency when committing a transaction on the Aerospike server. For more information, see the [Aerospike commit policy](https://github.com/aerospike/aerospike-client-go/blob/master/commit_policy.go).
    // Defaults to "commit_all".
    oneof commit_level {
        // "commit_all" indicates that the server waits until successfully committing the master and all replicas.
        uint32 commit_all = 6;
        // "commit_master" indicates that the server waits until successfully committing the master only.
        uint32 commit_master = 7;
    }

    // The read settings for strong consistency (SC). For possible values, see the [Aerospike read mode SC](https://github.com/aerospike/aerospike-client-go/blob/master/read_mode_sc.go).
    // Defaults to "read_mode_sc_session".
    readModeSc read_mode_sc = 8;
    message readModeSc {
        oneof read_mode_sc {
            // The session ensures this client sees only an increasing sequence of record versions.
            // Server reads only from master, which is the default.
            uint32 read_mode_sc_session = 1;
            // "linearize" ensures that ALL clients see only an increasing sequence of record versions.
            // "server" reads only from master.
            uint32 read_mode_sc_linearize = 2;

            // "replica" indicates that the server can read from master or any full (non-migrating) replica.
            // An increasing sequence of record versions is not guaranteed.
            uint32 read_mode_sc_replica = 3;

            // "allow_unavailable" indicates that the server can read from master or any full (non-migrating) replica or from unavailable
            // partitions. An increasing sequence of record versions is not guaranteed.
            uint32 read_mode_sc_allow_unavailable = 4;
        }
    }

    // The read settings for availability (AP). For possible values, see the [Aerospike read mode AP](https://github.com/aerospike/aerospike-client-go/blob/master/read_mode_ap.go).
    // Defaults to "read_mode_ap_one".
    readModeAp read_mode_ap = 9;
    message readModeAp {
        oneof read_mode_ap {
            // "one" indicates that a single node is involved in the read operation.
            uint32 read_mode_ap_one = 1;

            // "all" indicates that all duplicate nodes are consulted in
            // the read operation.
            uint32 read_mode_ap_all = 2;
        }
    }

	// TLS settings to enable mutual TLS (mTLS) on the server side. These configuration options must match what you configured in your Aerospike setup. For more information, see the Aerospike [security](https://docs.aerospike.com/server/guide/security/tls) and [network TLS](https://docs.aerospike.com/server/operations/configure/network/tls) guides.
    // The subject name of the TLS authority. For more information, see the [Aerospike docs](https://docs.aerospike.com/reference/configuration#tls-name).
	string node_tls_name = 10;
    // The path to the TLS certfiicate.
	string cert_path = 11;
    // The path to the key.
	string key_path = 12;
	// The TLS insecure setting. If set to `true`, the authority of the certificate on the client's end is not authenticated. You might use insecure mode in non-production environments when the certificate is not known.
	bool allow_insecure = 13;
	// If the root certificate authority (CA) is not set, add the system certs by default.
	string root_ca_path = 14;
	// The TLS version. Versions 1.0, 1.1, 1.2, and 1.3 are supported. Defaults to 1.3
	string tls_version = 15;
	// The TLS identifier for an elliptic curve. For more information, see [TLS supported groups](https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8).
    repeated tlsCurveID tls_curve_groups = 16;
    message tlsCurveID {
        oneof curve_id {
            uint32 curve_p256 = 1;
            uint32 curve_p384 = 2;
            uint32 curve_p521 = 3;
            uint32 x_25519 = 4;
        }
    }

    // Identify the set of required labels (key/value) which an Aerospike secret must contain
    // If a secret contains the provided set of labels, it will be considered valid when authorizing an ApiKey provided in a request
    map<string, string> label_selector = 17;
}

// When no storage backend is specified, the default storage backend defined in the extauth server is used.
message ServerDefaultApiKeyStorage{}

message ApiKey {
    // The string value of the API key.
    string api_key = 2;
    // A list of labels (key=value) for the apikey secret.
    // These labels are used by the storage driver to facilitate lookups by label
    repeated string labels = 3;
    // additional data the client needs associated with this API key
    map<string, string> metadata = 4;
    // Optional: Unique identifier for the API key
    string uuid = 5;
}

// DEPRECATED: use ApiKey
message ApiKeySecret {
    // The string value of the API key.
    string api_key = 2;
    // A list of labels (key=value) for the apikey secret.
    // These labels are used by the storage driver to facilitate lookups by label
    repeated string labels = 3;
    // additional data the client needs associated with this API key
    map<string, string> metadata = 4;
}

// Enforce Open Policy Agent (OPA) policies through an OPA engine
// that is built into the Gloo external auth server.
// 
// For larger scale operations and more capabilities like bundling or caching,
// you might run the OPA engine as a sidecar or bring your own server
// by using the OpaServerAuth setting instead.
message OpaAuth {
    // An optional resource reference to config maps containing modules to assist in the resolution of `query`.
    repeated core.solo.io.ResourceRef modules = 1;

    // The query that determines the auth decision. The result of this query
    // must be either a boolean or an array with boolean as the first element. A boolean `true` value means that
    // the request will be authorized. Any other value, or error, means that the request will be denied.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string query = 2;

    // Additional Options for Opa Auth configuration.
    OpaAuthOptions options = 3;
}

message OpaAuthOptions {
    // Decreases OPA latency by speeding up conversion of input to the OPA engine.
    // If this is set to true, only http_request and state fields which are a scalar, map, or string array
    // are included in the request input. All other fields are dropped. Dropped fields will not be evaluated by the OPA engine.
    // By default, this is set to false and all fields are evaluated by OPA.
    bool fast_input_conversion = 1;

    // DEPRECATED: It's recommended to use the `dynamic_metadata` field within Rego policies to specify the decision reason. To learn more about this approach, see the [OPA Envoy Plugin docs](https://github.com/open-policy-agent/opa/blob/c12463c/docs/content/envoy-primer.md#example-policy-with-additional-controls).
    //
    // When `returnDecisionReason` is set to true, the decision reason is stored in the Envoy Dynamic Metadata and has the following properties:<ul>
    // <li>`body` - a textual explanation of the decision</li>
    // <li>`allowed` - whether the request was allowed or rejected</li></ul>
    //
    // When using OpaAuth, the `body` field must be the second parameter of the query.
    //
    // Both the OpaAuth and OpaServerAuth approaches use the `allowed` and `body` values from the OPA response in the decision reason.
    // You can find the `body` and `allowed` fields in the Envoy Filter Dynamic Metadata under the `envoy.filters.http.ext_authz.<authentication_step_name>.reason` section.
    //
    // If, however, `returnDecisionReason` is set to false, OPA's decision to allow or reject a request is made according to the Rego policy rules, and no explanation is provided.
    // Despite of this, the `dynamic_metadata` field can still be used to convey any necessary information to the Envoy Dynamic Metadata, including the decision reason.
    bool return_decision_reason = 2;
}

// Enforce Open Policy Agent (OPA) policies through an OPA sidecar 
// to the the Gloo external auth server, or by bringing your own OPA server.
// This way, you can use OPA at scale and with additional capabilities, such as bundling or caching.
//
// For smaller operations or quick tests, you might use the OpaAuth setting instead.
message OpaServerAuth {
    // The package from your Rego policy bundle used to query the OPA data API.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string package = 1;

    // The rule in your Rego policy bundle used to query the OPA data API. Supports querying subfields with a `/`. For more information, see the [OPA docs for the Data API](https://www.openpolicyagent.org/docs/latest/rest-api/#data-api).
    string rule_name = 2;

    // The address of the OPA server to query, in the format `ADDRESS:PORT`.
    // For OPA servers within the cluster, the address is the pod's service address,
    // such as `opa-svc.default.svc.cluster.local:8181`. For OPA servers outside the cluster,
    // the server must be accessible to the cluster, such as through an ExternalService.
    // If you do not have your own OPA server instance, omit this field.
    // When the external auth service has the OPA server sidecar enabled, the OPA server
    // sidecar will be used instead, with an address such as `http://localhost:8181`.
    string server_addr = 3;

    // Additional options for OPA Auth configuration.
    OpaAuthOptions options = 4;
}

// Authenticates and authorizes requests by querying an LDAP server. Gloo makes the following assumptions:
//  * Requests provide credentials via the basic HTTP authentication header. Gloo will BIND to the LDAP server using the
//    credentials extracted from the header.
//  * Your LDAP server is configured so that each entry you want to authorize has an attribute that indicates its group
//    memberships. A common way of achieving this is by using the [*memberof* overlay](http://www.openldap.org/software/man.cgi?query=slapo-memberof).
message Ldap {

    // Configuration properties for pooling connections to the LDAP server. If the pool is exhausted when a connection
    // is requested (meaning that all the pooled connections are in use), the connection will be created on the fly.
    message ConnectionPool {
        // Maximum number connections that are pooled at any give time. The default value is 5.
        google.protobuf.UInt32Value maxSize = 1;
        // Number of connections that the pool will be pre-populated with upon initialization. The default value is 2.
        google.protobuf.UInt32Value initialSize = 2;
    }

    // Address of the LDAP server to query. Should be in the form ADDRESS:PORT, e.g. `ldap.default.svc.cluster.local:389`.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string address = 1;

    // Template to build user entry distinguished names (DN). This must contains a single occurrence of the "%s" placeholder.
    // When processing a request, Gloo will substitute the name of the user (extracted from the auth header) for the
    // placeholder and issue a search request with the resulting DN as baseDN (and 'base' search scope).
    // E.g. "uid=%s,ou=people,dc=solo,dc=io"
    string userDnTemplate = 2;

    // Case-insensitive name of the attribute that contains the names of the groups an entry is member of. Gloo will look
    // for attributes with the given name to determine which groups the user entry belongs to. Defaults to 'memberOf' if not provided.
    string membershipAttributeName = 3;

    // In order for the request to be authenticated, the membership attribute (e.g. *memberOf*) on the user entry must
    // contain at least of one of the group DNs specified via this option.
    // E.g. []string{ "cn=managers,ou=groups,dc=solo,dc=io", "cn=developers,ou=groups,dc=solo,dc=io" }
    repeated string allowedGroups = 4;

    // Use this property to tune the pool of connections to the LDAP server that Gloo maintains.
    ConnectionPool pool = 5;

    // Use to set a custom filter when searching a member. Defaults to "(uid=*)".
    string searchFilter = 6;

    // Disables group checking, regardless of the value for allowedGroups,
    // and disables validation for the membership attribute of the user entry.
    // Group checking is enabled by default.
    bool disable_group_checking = 7;

    // Settings for using a separate service account for looking up group membership
    // To use this, you also need to configure credentials in a secret
    LdapServiceAccount group_lookup_settings = 8;
}

message LdapServiceAccount {
    // Reference to an AccountCredentialsSecret to use to authenticate as the service account
    core.solo.io.ResourceRef credentials_secret_ref = 1;
    // If true, Gloo will use the service account to check group membership
    bool check_groups_with_service_account = 2;
}
// Authorizes requests by querying a custom extauth server.
message PassThroughAuth {

    oneof protocol {
        PassThroughGrpc grpc = 1;
        PassThroughHttp http = 2;
    }

    // Custom config to be passed per request to the passthrough auth service.
    google.protobuf.Struct config = 4;

    // If set to true, the service will accept client request even if the communication with
    //  the authorization service has failed, or if the authorization service has returned a server error.
    // Defaults to false.
    bool failure_mode_allow = 5;
}

// Configuration defining an exponential back off strategy.
message BackoffStrategy {
    // The base interval to be used for the next back off computation.
    // Defaults to 1000 milliseconds
    google.protobuf.Duration base_interval = 1;

    // Specifies the maximum delay between retries.
    // Defaults to 10 times the base interval.
    google.protobuf.Duration max_interval = 2;
}


// The message specifies the retry policy of the external gRPC service when unable to initially connect.
message RetryPolicy {

    // Specifies the allowed number of retries. This parameter is optional and
    // defaults to 1.
    google.protobuf.UInt32Value num_retries = 1;

    oneof strategy {
        // Specifies parameters that control the backoff strategy.
        // This parameter is optional, in which case the default base interval is 1000 milliseconds. The
        // default maximum interval is 10 times the base interval.
        BackoffStrategy retry_back_off = 2;
    }
}

// Authorizes requests by querying a custom extauth grpc server
// Assumes that the server implements the envoy external authorization spec:
// https://github.com/envoyproxy/envoy/blob/ae1ed1fa74f096dabe8dd5b19fc70333621b0309/api/envoy/service/auth/v3/external_auth.proto#L29
message PassThroughGrpc {

    // Address of the auth server to query. Should be in the form ADDRESS:PORT, e.g. `default.svc.cluster.local:389`.
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string address = 1;

    // Timeout for the auth server to respond. Defaults to 5s
    google.protobuf.Duration connection_timeout = 2;

    // TLS config for the Grpc passthrough, if not configured the connection will use insecure.
    PassThroughGrpcTLSConfig tlsConfig =3;

    // Indicates the retry policy for re-establishing the gRPC stream.
    // This field is optional and failed calls will not retry unless configured.
    RetryPolicy retry_policy = 4;
}
// TLS configuration for the extauth grpc passthrough connection
message PassThroughGrpcTLSConfig {
}

// Authorizes requests by making a POST HTTP/1 request to a custom HTTP auth server
// Assumes the request is authorized if the server returns a OK (200) status code,
// else the request is unauthorized.
message PassThroughHttp {
    // Required: URL of the passthrough http service, is a fully qualified domain name.
    // Example: http://ext-auth-service.svc.local:9001. Path provided in the URL will be respected.
    // To use https, provide the cert in the HTTPS_PASSTHROUGH_CA_CERT environment variable to the ext-auth-service
    // pod as a base64-encoded string
    //
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:MinLength=1
    string url = 1;

    /* The passthrough http request can be configured to pass through the incoming request body,
     the ext-auth state (which is shared between different auth methods within one ext-auth instance), and
     the [filterMetadata](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/data_sharing_between_filters#metadata)
     The body of the passthrough auth request will be a JSON as follows:
     {
       "body" : string,
       "state": object (map[string]interface{}),
       "filterMetadata": object (map[string]protobuf.Struct),
       "config": object (protobuf.Struct),
     }
     `config` is the struct block specified under the passthrough auth configuration.
     If `passthrough_body`, `passthrough_state`, `passthrough_filter_metadata`, and `config` are all false/nil,
     the body of the auth request will remain empty. Setting any of these will increase latency slightly due to
     JSON marshalling.

    */
    message Request {
        // These headers will be copied from the incoming request to the request going
        // to the auth server. By default, no headers are copied from the incoming request.
        // Pseudo-headers such as `:Path`, and `:Method` can not be specified here.
        repeated string allowed_headers = 1;

        // These headers that will be included to the request to authorization service. Note that
        // client request of the same key will be overridden.
        // Pseudo-headers such as `:Path`, and `:Method` can not be specified here.
        map<string, string> headers_to_add = 2;

        // Whether or not to include the ext-auth state object in the passthrough request body.
        // If this is set to true, it is expected that the state is returned in the HTTP response from the
        // passthrough service. The state received from the response will be the state that is shared with
        // other ext-auth service methods.
        // If pass_through_body, pass_through_filter_metadata and pass_through_state are false,
        // the authorization request body will be empty. A non-empty body will increase latency times
        // slightly, so this is set to false by default, and should only be set to to true if the
        // extauth state is needed in the auth request.
        bool pass_through_state = 3;

        // Whether or not to include the filter metadata in the passthrough request body.
        // If pass_through_body, pass_through_filter_metadata and pass_through_state are false,
        // the authorization request body will be empty. A non-empty body will increase latency times
        // slightly, so this is set to false by default, and should only be set to to true if the
        // filter metadata is needed in the auth request.
        bool pass_through_filter_metadata = 4;

        // Whether or not to include the body in the passthrough request body.
        // In order for this to work, the settings.extauth.requestBody must be set in the Gloo Edge Settings CRD so that
        // the request body is buffered and sent to the ext-auth service.
        // If pass_through_body, pass_through_filter_metadata and pass_through_state are false,
        // the authorization request body will be empty. A non-empty body will increase latency times
        // slightly, so this is set to false by default, and should only be set to to true if the
        // request body is needed in the auth request.
        bool pass_through_body = 5;
    }
    // Pass through the incoming request body, ext auth state, and filter metadata.
    // For more information, see the [PassThrough Http Request description](#request-1).
    Request request = 3;

    message Response {
        // When this is set, authorization response headers that have a header in this list will be added to the original client request and sent to the upstream
        // when the auth request is successful. These will be appended to any request headers that already exist.
        // If this and allowed_upstream_headers_to_overwrite are empty, by default, no authorization response headers will be added to the upstream request.
        // Header names may not be included in both allowed_upstream_headers and allowed_upstream_headers_to_overwrite.
        repeated string allowed_upstream_headers = 1;

        // When this is set, authorization response headers in this list will be added to the response to the downstream client when the auth request is denied.
        // If the response header already exists, it will replace the response header.
        // If this is empty, by default, no authorization response headers will be added to the response to the downstream client.
        repeated string allowed_client_headers_on_denied = 2;

        // If this is set to true, the body of the response from the http passthrough auth server is expected to have shape
        // {
        //   "state": object (map[string]interface{})
        // }
        // The state will be marshalled from the response body and this is the state that will be passed on to other auth configs.
        // Because of the marshalling from JSON to Go map, this will add some latency to the request.
        // If the marshalling fails, the authorization check will fail and the request will be unauthorized after the ext-auth-service pod
        // logs the marshal error.
        bool read_state_from_response = 3;

        // When this is set, authorization response headers that have a header in this list will be added to the original client request and sent to the upstream
        // when the auth request is successful. These will overwrite to any request headers that already exist.
        // If this and allowed_upstream_headers are empty, by default, no authorization response headers will be added to the upstream request.
        // Header names may not be included in both allowed_upstream_headers and allowed_upstream_headers_to_overwrite.
        repeated string allowed_upstream_headers_to_overwrite = 4;
    }
    // Pass through response information such as the headers and body to downstream clients.
    // For more information, see the [PassThrough Http Response description](#response-1).
    Response response = 4;

    // Timeout for the auth server to respond. Defaults to 5s
    google.protobuf.Duration connection_timeout = 8;
}

// PortalAuth is used to authorize requests for credentials generated by the portal web server.
// This API is only supported for Gloo Gateway Portal.
message PortalAuth {
    // The portal web server url used to validate credentials generated by the portal for the backing service(s).
    string url = 1;
    // The api key header name used to find the api key in the request headers.
    // If provided will not authorize requests without the api key in the request headers.
    // If not provided, will authorize requests with a Bearer token but must be chained with an AccessTokenValidation AuthConfig which will validate the token.
    string api_key_header = 2;
    // Options to connect to redis. If not provided, data will be cached in memory.
    RedisOptions redis_options = 3;
    // The frequency at which the validated credential data should be refreshed by quering the portal web server. Defaults to 60s.
    google.protobuf.Duration cache_duration = 4;
    // Timeout for the portal web server to respond. Defaults to 200ms
    google.protobuf.Duration request_timeout = 5;
}

message AuthConfigStatus {
	enum State {
			// Pending status indicates the resource has not yet been validated
			Pending = 0;
			// Accepted indicates the resource has been validated
			Accepted = 1;
			// Rejected indicates an invalid configuration by the user
			// Rejected resources may be propagated to the xDS server depending on their severity
			Rejected = 2;
			// Warning indicates a partially invalid configuration by the user
			// Resources with Warnings may be partially accepted by a controller, depending on the implementation
			Warning = 3;
	}
	// State is the enum indicating the state of the resource
	State state = 1;
	// Reason is a description of the error for Rejected resources. If the resource is pending or accepted, this field will be empty
	string reason = 2;
	// Reference to the reporter who wrote this status
	string reported_by = 3;
	// Reference to statuses (by resource-ref string: "Kind.Namespace.Name") of subresources of the parent resource
	map<string, AuthConfigStatus> subresource_statuses = 4;

	// Opaque details about status results
	google.protobuf.Struct details = 5;
}



message AuthConfigNamespacedStatuses {
	map<string, AuthConfigStatus> statuses = 1;
}