JWT Identity

JwtIdentity represents an JWT identity of a workload.

E.g.,

issuer: https://mycompany.corp
subject: us-east-datacenter1-vm007
attributes:
  region: us-east
  datacenter: datacenter1
  instance_name: vm007
  instance_hostname: vm007.internal.corp
  instance_role: app-ratings

JwtIdentity

JwtIdentity represents an JWT identity of a workload.

Field Description Validation Rule

Field	Description	Validation Rule
issuer	string REQUIRED JWT `Issuer` identifier. The value must be a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components. E.g., `https://mycompany.corp`, `https://accounts.google.com`, `https://sts.windows.net/9edbd6c9-0e5b-4cfd-afec-fdde27cdd928/`, etc. See https://openid.net/specs/openid-connect-core-1_0.html#IDToken	string = { prefix: `https://` uri: `true` }
subject	string REQUIRED Workload identifier (JWT subject). A locally unique identifier within the Issuer. Preferably, the value should consist of lower case alphanumeric characters and ‘-’, should start and end with an alphanumeric character. Otherwise, if the value includes ASCII characters other than lower case alphanumeric characters and ‘-’, it will be encoded in a special way and will appear in that encoded form in metrics, in diagnostics, on UI. It might become non-trivial to infer the original workload identifier from the encoded form. The value that includes non-ASCII characters is not valid. E.g., `us-east-datacenter1-vm007`. See https://openid.net/specs/openid-connect-core-1_0.html#IDToken	string = { pattern: `^[-]+$` }
attributes	map<string, string> Additional attributes associated with the workload. The value is a map with free-form keys and values. E.g., `region: us-east datacenter: datacenter1 instance_name: vm007 instance_hostname: vm007.internal.corp instance_role: app-ratings`	map = { keys: `{string:{min_len:1}}` values: `{string:{min_len:1}}` }

issuer

string
REQUIRED
JWT Issuer identifier.

The value must be a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

E.g., https://mycompany.corp, https://accounts.google.com, https://sts.windows.net/9edbd6c9-0e5b-4cfd-afec-fdde27cdd928/, etc.

See https://openid.net/specs/openid-connect-core-1_0.html#IDToken

string = {
prefix: https://
uri: true
}

subject

string
REQUIRED
Workload identifier (JWT subject).

A locally unique identifier within the Issuer.

Preferably, the value should consist of lower case alphanumeric characters and ‘-’, should start and end with an alphanumeric character.

Otherwise, if the value includes ASCII characters other than lower case alphanumeric characters and ‘-’, it will be encoded in a special way and will appear in that encoded form in metrics, in diagnostics, on UI. It might become non-trivial to infer the original workload identifier from the encoded form.

The value that includes non-ASCII characters is not valid.

E.g., us-east-datacenter1-vm007.

See https://openid.net/specs/openid-connect-core-1_0.html#IDToken

string = {
pattern: ^[-]+$
}

attributes

map<string, string>
Additional attributes associated with the workload.

The value is a map with free-form keys and values.

E.g.,

region: us-east
datacenter: datacenter1
instance_name: vm007
instance_hostname: vm007.internal.corp
instance_role: app-ratings

map = {
keys: {string:{min_len:1}}
values: {string:{min_len:1}}
}

TSB

最近更新于 2023-09-19