Skip to content

Commit

Permalink
feat: added option to specify resources on the OIDC security policy (e…
Browse files Browse the repository at this point in the history
…nvoyproxy#3030)

added option to specify resources on the OIDC filter

Signed-off-by: jaynis <[email protected]>
Co-authored-by: Huabing Zhao <[email protected]>
  • Loading branch information
2 people authored and ShyunnY committed Apr 1, 2024
1 parent d5734cb commit b91082b
Show file tree
Hide file tree
Showing 12 changed files with 41 additions and 0 deletions.
5 changes: 5 additions & 0 deletions api/v1alpha1/oidc_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,11 @@ type OIDC struct {
// +optional
Scopes []string `json:"scopes,omitempty"`

// The OIDC resources to be used in the
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
// +optional
Resources []string `json:"resources,omitempty"`

// The redirect URL to be used in the OIDC
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
// If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
Expand Down
5 changes: 5 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -592,6 +592,12 @@ spec:
Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
type: string
resources:
description: The OIDC resources to be used in the [Authentication
Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
items:
type: string
type: array
scopes:
description: The OIDC scopes to be used in the [Authentication
Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
Expand Down
1 change: 1 addition & 0 deletions internal/gatewayapi/securitypolicy.go
Original file line number Diff line number Diff line change
Expand Up @@ -644,6 +644,7 @@ func (t *Translator) buildOIDC(
ClientID: oidc.ClientID,
ClientSecret: clientSecretBytes,
Scopes: scopes,
Resources: oidc.Resources,
RedirectURL: redirectURL,
RedirectPath: redirectPath,
LogoutPath: logoutPath,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -123,5 +123,6 @@ securityPolicies:
clientSecret:
name: "client2-secret"
scopes: ["openid", "email", "profile"]
resources: ["api"]
redirectURL: "https://www.example.com/foo/oauth2/callback"
logoutPath: "/foo/logout"
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,8 @@ securityPolicies:
issuer: https://oauth.foo.com
tokenEndpoint: https://oauth.foo.com/token
redirectURL: https://www.example.com/foo/oauth2/callback
resources:
- api
scopes:
- openid
- email
Expand Down Expand Up @@ -263,6 +265,8 @@ xdsIR:
tokenEndpoint: https://oauth.foo.com/token
redirectPath: /foo/oauth2/callback
redirectURL: https://www.example.com/foo/oauth2/callback
resources:
- api
scopes:
- openid
- email
Expand Down
4 changes: 4 additions & 0 deletions internal/ir/xds.go
Original file line number Diff line number Diff line change
Expand Up @@ -544,6 +544,10 @@ type OIDC struct {
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty"`

// The OIDC resources to be used in the
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
Resources []string `json:"resources,omitempty" yaml:"resources,omitempty"`

// The redirect URL to be used in the OIDC
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
RedirectURL string `json:"redirectURL,omitempty"`
Expand Down
5 changes: 5 additions & 0 deletions internal/ir/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions internal/xds/translator/oidc.go
Original file line number Diff line number Diff line change
Expand Up @@ -170,6 +170,7 @@ func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) {
// every OIDC provider supports basic auth
AuthType: oauth2v3.OAuth2Config_BASIC_AUTH,
AuthScopes: oidc.Scopes,
Resources: oidc.Resources,
},
}
return oauth2, nil
Expand Down
4 changes: 4 additions & 0 deletions internal/xds/translator/testdata/in/xds-ir/oidc.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ http:
- openid
- email
- profile
resources:
- api
redirectURL: "https://www.example.com/foo/oauth2/callback"
redirectPath: "/foo/oauth2/callback"
logoutPath: "/foo/logout"
Expand All @@ -56,6 +58,8 @@ http:
- openid
- email
- profile
resources:
- api
redirectURL: "https://www.example.com/bar/oauth2/callback"
redirectPath: "/bar/oauth2/callback"
logoutPath: "/bar/logout"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,8 @@
path:
exact: /foo/oauth2/callback
redirectUri: https://www.example.com/foo/oauth2/callback
resources:
- api
signoutPath:
path:
exact: /foo/logout
Expand Down Expand Up @@ -89,6 +91,8 @@
path:
exact: /bar/oauth2/callback
redirectUri: https://www.example.com/bar/oauth2/callback
resources:
- api
signoutPath:
path:
exact: /bar/logout
Expand Down
1 change: 1 addition & 0 deletions site/content/en/latest/api/extension_types.md
Original file line number Diff line number Diff line change
Expand Up @@ -1704,6 +1704,7 @@ _Appears in:_
| `clientID` | _string_ | true | The client ID to be used in the OIDC [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
| `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). <br /><br /> This is an Opaque secret. The client secret should be stored in the key "client-secret". |
| `scopes` | _string array_ | false | The OIDC scopes to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). The "openid" scope is always added to the list of scopes if not already specified. |
| `resources` | _string array_ | false | The OIDC resources to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
| `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies. If not specified, uses a default logout path "/logout" |

Expand Down

0 comments on commit b91082b

Please sign in to comment.