Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend OIDC Configurability #3405

Closed
coro opened this issue May 16, 2024 · 0 comments · Fixed by #3514
Closed

Extend OIDC Configurability #3405

coro opened this issue May 16, 2024 · 0 comments · Fixed by #3514
Assignees
@zhaohuabing
Labels
area/policy kind/feature new feature
Milestone
v1.1.0-rc1

Comments

@coro
Copy link
Contributor

coro commented May 16, 2024

Description:
Allow users to configure additional elements of the Envoy OIDC filter in the SecurityPolicy.

Specific examples that would be very valuable to configure:

Many of these are either not configured by EG or hard coded to a default:

gateway/internal/xds/translator/oidc.go

Lines 117 to 174 in a2fbbad

oauth2 := &oauth2v3.OAuth2{
Config: &oauth2v3.OAuth2Config{
TokenEndpoint: &corev3.HttpUri{
Uri: oidc.Provider.TokenEndpoint,
HttpUpstreamType: &corev3.HttpUri_Cluster{
Cluster: cluster.name,
},
Timeout: &durationpb.Duration{
Seconds: defaultExtServiceRequestTimeout,
},
},
AuthorizationEndpoint: oidc.Provider.AuthorizationEndpoint,
RedirectUri: oidc.RedirectURL,
RedirectPathMatcher: &matcherv3.PathMatcher{
Rule: &matcherv3.PathMatcher_Path{
Path: &matcherv3.StringMatcher{
MatchPattern: &matcherv3.StringMatcher_Exact{
Exact: oidc.RedirectPath,
},
},
},
},
SignoutPath: &matcherv3.PathMatcher{
Rule: &matcherv3.PathMatcher_Path{
Path: &matcherv3.StringMatcher{
MatchPattern: &matcherv3.StringMatcher_Exact{
Exact: oidc.LogoutPath,
},
},
},
},
ForwardBearerToken: true,
Credentials: &oauth2v3.OAuth2Credentials{
ClientId: oidc.ClientID,
TokenSecret: &tlsv3.SdsSecretConfig{
Name: oauth2ClientSecretName(oidc),
SdsConfig: makeConfigSource(),
},
TokenFormation: &oauth2v3.OAuth2Credentials_HmacSecret{
HmacSecret: &tlsv3.SdsSecretConfig{
Name: oauth2HMACSecretName(oidc),
SdsConfig: makeConfigSource(),
},
},
CookieNames: &oauth2v3.OAuth2Credentials_CookieNames{
BearerToken: fmt.Sprintf("BearerToken-%s", oidc.CookieSuffix),
OauthHmac: fmt.Sprintf("OauthHMAC-%s", oidc.CookieSuffix),
OauthExpires: fmt.Sprintf("OauthExpires-%s", oidc.CookieSuffix),
IdToken: fmt.Sprintf("IdToken-%s", oidc.CookieSuffix),
RefreshToken: fmt.Sprintf("RefreshToken-%s", oidc.CookieSuffix),
},
},
// every OIDC provider supports basic auth
AuthType: oauth2v3.OAuth2Config_BASIC_AUTH,
AuthScopes: oidc.Scopes,
Resources: oidc.Resources,
},
}

Relevant Links:
Original issue: #3178
Related Issue: #3395

cc @zhaohuabing @denniskniep
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zhaohuabing zhaohuabing

Labels
area/policy kind/feature new feature
Projects
None yet
Milestone
v1.1.0-rc1
Development

Successfully merging a pull request may close this issue.

feat(oidc): implement additional OIDC configuration settings zetaab/gateway
3 participants
@zhaohuabing @arkodg @coro