oauth2 filter support per-route configuration #29641
Description:
Currently, the oauth2 filter can only be configured in the `http_filters` section of the HCM. It would be very useful to let the oauth2 filter support per-route configuration, so users can also configure oauth2 at the route level.
Here's a rough idea of how to make the oauth2 filter support per-route configuration:
API Changes
- Adding an OIDC Provider Map: include a map in the filter configuration to set up OIDC providers.

```yaml
providers:
  provider1:
    token_endpoint:
      cluster: oauth
      uri: oauth.com/token
      timeout: 3s
    authorization_endpoint: https://oauth.com/oauth/authorize/
    redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
    redirect_path_matcher:
      path:
        exact: /callback
    signout_path:
      path:
        exact: /signout
    credentials:
      client_id: foo
      token_secret:
        name: token
        sds_config:
          path: "/etc/envoy/token-secret-foo.yaml"
      hmac_secret:
        name: hmac
        sds_config:
          path: "/etc/envoy/hmac-foo.yaml"
  provider2:
    token_endpoint:
      cluster: oauth
      uri: oauth.com/token
      timeout: 3s
    authorization_endpoint: https://oauth.com/oauth/authorize/
    redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
    redirect_path_matcher:
      path:
        exact: /callback
    signout_path:
      path:
        exact: /signout
    credentials:
      client_id: bar
      token_secret:
        name: token
        sds_config:
          path: "/etc/envoy/token-secret-bar.yaml"
      hmac_secret:
        name: hmac
        sds_config:
          path: "/etc/envoy/hmac-bar.yaml"
```

- Using Map Keys for Per-Route Config: in the per-route configuration, use the map key to point to a specific provider:
```yaml
route_config:
  virtual_hosts:
  - name: service
    domains:
    - "*"
    routes:
    - match:
        prefix: "/app1"
      route:
        cluster: app1_service
      typed_per_filter_config:
        # The key must match the oauth2 filter's name in http_filters, not the csrf filter's.
        envoy.filters.http.oauth2:
          "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
          provider: provider1
    - match:
        prefix: "/app2"
      route:
        cluster: app2_service
      typed_per_filter_config:
        envoy.filters.http.oauth2:
          "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
          provider: provider2
```

- Backwards Compatible: the current config fields will be kept for backward compatibility, but declared deprecated. A new `default` field will name the provider used as the global default.
```yaml
providers:
  provider1:
    ......
default: provider1
config:  # deprecated
  token_endpoint:
    cluster: oauth
    uri: oauth.com/token
    timeout: 3s
  ......
```

Token Cookies
The oauth2 filter stores tokens in cookies. Since all HTTP requests to the same domain share the same cookies, the tokens of different providers would collide even with per-route OIDC configuration.
Solution: we could namespace the cookies by prefixing each cookie name with the provider key. To avoid exposing tokens to requests that should not have access to them, we can remove the cookies of non-matching providers before sending requests to upstreams.
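As an added illustration of the cookie-namespacing idea (example code written for this page, not part of this issue or of Envoy's oauth2 filter): it assumes the hypothetical scheme `<provider-key>_<cookie-name>` applied to the filter's default cookie names (`BearerToken`, `OauthHMAC`, `OauthExpires`), parses a constructed `Cookie` header from a browser that has signed in to both providers on the same domain, and shows how the filter could strip the other provider's token cookies before the request is forwarded upstream, so `app2_service` never sees `provider1`'s bearer token. The parsing helpers and function names are assumptions for the example.

```cpp
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Default cookie names written by the oauth2 filter (credentials.cookie_names).
static const std::vector<std::string> kOauthCookieNames = {"BearerToken", "OauthHMAC",
                                                           "OauthExpires"};

// Hypothetical namespacing scheme from the proposal: "<provider-key>_<cookie-name>".
std::string namespacedCookieName(const std::string& provider, const std::string& base) {
  return provider + "_" + base;
}

using Cookie = std::pair<std::string, std::string>;

static std::string trim(const std::string& s) {
  const size_t b = s.find_first_not_of(" \t");
  if (b == std::string::npos) return "";
  const size_t e = s.find_last_not_of(" \t");
  return s.substr(b, e - b + 1);
}

// Parse a Cookie request header ("a=1; b=2") into ordered name/value pairs.
// A bare "name" with no '=' is kept with an empty value.
std::vector<Cookie> parseCookieHeader(const std::string& header) {
  std::vector<Cookie> out;
  size_t start = 0;
  while (start <= header.size()) {
    size_t end = header.find(';', start);
    if (end == std::string::npos) end = header.size();
    const std::string item = trim(header.substr(start, end - start));
    if (!item.empty()) {
      const size_t eq = item.find('=');
      if (eq == std::string::npos) {
        out.emplace_back(item, "");
      } else {
        out.emplace_back(trim(item.substr(0, eq)), trim(item.substr(eq + 1)));
      }
    }
    start = end + 1;
  }
  return out;
}

// Re-serialize pairs as "name=value; name=value" (always emits the '=').
std::string serializeCookieHeader(const std::vector<Cookie>& cookies) {
  std::string out;
  for (const Cookie& c : cookies) {
    if (!out.empty()) out += "; ";
    out += c.first + "=" + c.second;
  }
  return out;
}

// True when `name` is one of the oauth2 filter's cookies namespaced to `provider`.
bool isOauthCookieOf(const std::string& name, const std::string& provider) {
  for (const std::string& base : kOauthCookieNames) {
    if (name == namespacedCookieName(provider, base)) return true;
  }
  return false;
}

// What the filter would do before forwarding upstream: keep cookies unrelated to
// oauth2 and the matched provider's own token cookies, drop every other provider's.
std::string scrubCookieHeaderForUpstream(const std::string& header,
                                         const std::string& matched_provider,
                                         const std::vector<std::string>& all_providers) {
  std::vector<Cookie> kept;
  for (const Cookie& c : parseCookieHeader(header)) {
    bool foreign = false;
    for (const std::string& p : all_providers) {
      if (p != matched_provider && isOauthCookieOf(c.first, p)) {
        foreign = true;
        break;
      }
    }
    if (!foreign) kept.push_back(c);
  }
  return serializeCookieHeader(kept);
}

// The bearer token the filter would validate for `provider`, or "" when absent.
std::string bearerTokenFor(const std::string& header, const std::string& provider) {
  const std::string want = namespacedCookieName(provider, "BearerToken");
  for (const Cookie& c : parseCookieHeader(header)) {
    if (c.first == want) return c.second;
  }
  return "";
}

// Constructed sample: a browser signed in to both providers on one domain.
static const std::string kSampleCookieHeader =
    "session=abc; provider1_BearerToken=tok1; provider1_OauthHMAC=h1; "
    "provider1_OauthExpires=1700000000; provider2_BearerToken=tok2; "
    "provider2_OauthHMAC=h2; provider2_OauthExpires=1700000000";

int main() {
  const std::vector<std::string> providers = {"provider1", "provider2"};
  std::cout << "/app1 upstream sees: "
            << scrubCookieHeaderForUpstream(kSampleCookieHeader, "provider1", providers) << "\n";
  std::cout << "/app2 upstream sees: "
            << scrubCookieHeaderForUpstream(kSampleCookieHeader, "provider2", providers) << "\n";
  return 0;
}
```

Without the prefix both providers would write the same `BearerToken` cookie and the second sign-in would overwrite the first; with the prefix the filter can select its own token by name, and the scrub step keeps a route protected by `provider2` from forwarding `provider1`'s credentials to its upstream.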