Tetrate Service ExpressVersion: Latest

JWT Identity

The differences between TSB and TSE API

Tetrate Service Express (TSE) utilizes many of the same components as the Tetrate Service Bridge(TSB) product but has the several distinctions. Go to Comparing TSE and TSB for more details.

JwtIdentity represents an JWT identity of a workload.

E.g.,

JWT identity of a workload:

issuer: https://mycompany.corp
subject: us-east-datacenter1-vm007
attributes:
  region: us-east
  datacenter: datacenter1
  instance_name: vm007
  instance_hostname: vm007.internal.corp
  instance_role: app-ratings

JwtIdentity

JwtIdentity represents an JWT identity of a workload.

Field Description Validation Rule

Field	Description	Validation Rule
issuer	string REQUIRED JWT `Issuer` identifier. The value must be a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components. E.g., `https://mycompany.corp`, `https://accounts.google.com`, `https://sts.windows.net/9edbd6c9-0e5b-4cfd-afec-fdde27cdd928/`, etc. See https://openid.net/specs/openid-connect-core-1_0.html#IDToken	string = { prefix: `https://` uri: `true` }
subject	string REQUIRED Workload identifier (JWT subject). A locally unique identifier within the Issuer. Preferably, the value should consist of lower case alphanumeric characters and '-', should start and end with an alphanumeric character. Otherwise, if the value includes ASCII characters other than lower case alphanumeric characters and '-', it will be encoded in a special way and will appear in that encoded form in metrics, in diagnostics, on UI. It might become non-trivial to infer the original workload identifier from the encoded form. The value that includes non-ASCII characters is not valid. E.g., `us-east-datacenter1-vm007`. See https://openid.net/specs/openid-connect-core-1_0.html#IDToken	string = { pattern: `^[�-]+$` }
attributes	map<string, string> Additional attributes associated with the workload. The value is a map with free-form keys and values. E.g., `region: us-east datacenter: datacenter1 instance_name: vm007 instance_hostname: vm007.internal.corp instance_role: app-ratings`	map = { keys: `{string:{min_len:1}}` values: `{string:{min_len:1}}` }

issuer

string
REQUIRED
JWT Issuer identifier.

The value must be a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

E.g., https://mycompany.corp, https://accounts.google.com, https://sts.windows.net/9edbd6c9-0e5b-4cfd-afec-fdde27cdd928/, etc.

See https://openid.net/specs/openid-connect-core-1_0.html#IDToken

string = {
prefix: https://
uri: true
}

subject

string
REQUIRED
Workload identifier (JWT subject).

A locally unique identifier within the Issuer.

Preferably, the value should consist of lower case alphanumeric characters and '-', should start and end with an alphanumeric character.

Otherwise, if the value includes ASCII characters other than lower case alphanumeric characters and '-', it will be encoded in a special way and will appear in that encoded form in metrics, in diagnostics, on UI. It might become non-trivial to infer the original workload identifier from the encoded form.

The value that includes non-ASCII characters is not valid.

E.g., us-east-datacenter1-vm007.

See https://openid.net/specs/openid-connect-core-1_0.html#IDToken

string = {
pattern: ^[�-]+$
}

attributes

map<string, string>
Additional attributes associated with the workload.

The value is a map with free-form keys and values.

E.g.,

region: us-east
datacenter: datacenter1
instance_name: vm007
instance_hostname: vm007.internal.corp
instance_role: app-ratings

map = {
keys: {string:{min_len:1}}
values: {string:{min_len:1}}
}

JwtIdentity​

JwtIdentity