-
Notifications
You must be signed in to change notification settings - Fork 363
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Optionally override Oauth Cookie Names #3274
Conversation
this makes a lot of sense 2 open questions
hoping we rely on work done in the past, to influence naming here |
I'd vote to keep the current naming, but allow users to specify a custom suffix. We should also provide guidance in the documentation on how to avoid session name conflicts if users opt for this customization. A preferable approach would be sending the ID token through an 'x-envoy-gateway-id-token' header, thus preventing users from tampering with cookies. This method requires some work(trival) in Envoy upstream." |
I am happy to do anything else required to move this forward. Side note - great work with this we are using envoy gateway successfully as our main ingress in our 300 plus service ecs to eks migration. |
I'm inclined to add a suffix or rewrite the entire cookie name. The default cookie name has a digest of the policy UID, it's kind of strange to put a random string as a prefix. |
should we just allow the user to set the entire name ? |
Agree, overwriting the entire name is better, users can easily know the cookie name. @sam-burrell |
api/v1alpha1/oidc_types.go
Outdated
// The optional cookie suffix to be added to Bearer and IdToken cookies in the | ||
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | ||
// If not specified, uses a randomly generated suffix | ||
CookieSuffix *string `json:"cookieSuffix,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CookieSuffix *string `json:"cookieSuffix,omitempty"` | |
IdTokenCookieName *string `json:"idTokenCookieName,omitempty"` |
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | ||
// If not specified, uses a randomly generated suffix | ||
CookieSuffix *string `json:"cookieSuffix,omitempty"` | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
or even idTokenName
@sam-burrell Could you please address @arkodg 's comment? So we can move on this. |
ping @sam-burrell could you check the review comments |
Hi, this feature is very welcome 👍 I propose additionally to @arkodg´s review comment to make all cookie names configurable (and not only idToken cookie): gateway/internal/xds/translator/oidc.go Lines 161 to 167 in 6dcf78a
|
if we need to have predictable names for all the cookies then I'd suggest making the struct a little more tiered
|
Exposing BearerTokenCookieName and idTokenCookieName to API makes sense to me, but others should not be in the API as they are trivial details of the Envoy OAuth2 filter implementation. @denniskniep do you need these cookies somewhere? |
Signed-off-by: sam-burrell <[email protected]> Signed-off-by: Connor Rogers <[email protected]>
Co-authored-by: Sam Burrell <[email protected]> Signed-off-by: Connor Rogers <[email protected]>
Co-authored-by: Sam Burrell <[email protected]> Signed-off-by: Connor Rogers <[email protected]>
We have refactored this and now made this the ability to optionally overide oauth cookie names. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3274 +/- ##
==========================================
- Coverage 67.36% 67.35% -0.01%
==========================================
Files 167 167
Lines 19925 19932 +7
==========================================
+ Hits 13422 13426 +4
- Misses 5538 5540 +2
- Partials 965 966 +1 ☔ View full report in Codecov by Sentry. |
@zhaohuabing BearerTokenCookieName and idTokenCookieName is sufficient for my current use case |
hey this diff looks good ! |
Co-authored-by: Sam Burrell <[email protected]> Signed-off-by: Connor Rogers <[email protected]>
@arkodg Added, thanks! |
namespace: envoy-gateway | ||
conditions: | ||
- lastTransitionTime: null | ||
message: HMAC secret envoy-gateway-system/envoy-oidc-hmac not found |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
something is off, Accepted=False
, you may have forgotten to include the Secret
, the security
IR field is also empty
api/v1alpha1/oidc_types.go
Outdated
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | ||
// If not specified, defaults to "BearerToken-(randomly generated uid)" | ||
// +optional | ||
BearerToken *string `json:"bearerToken,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The name BearerToken
is confusing in this context. Let's rename it AccessToken
to keep consistent with #3423
BearerToken *string `json:"bearerToken,omitempty"` | |
AccessToken *string `json:"accessToken,omitempty"` |
internal/xds/translator/oidc.go
Outdated
|
||
if oidc.CookieNameOverrides != nil && | ||
oidc.CookieNameOverrides.BearerToken != nil { | ||
oauth2.Config.Credentials.CookieNames.BearerToken = *oidc.CookieNameOverrides.BearerToken |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please also change the default name for "BearerTokento
AccessToken` ?
Change
BearerToken: fmt.Sprintf("BearerToken-%s", oidc.CookieSuffix),
To
BearerToken: fmt.Sprintf("AccessToken-%s", oidc.CookieSuffix)
Signed-off-by: Connor Rogers <[email protected]>
Signed-off-by: Connor Rogers <[email protected]>
@arkodg @zhaohuabing Added your changes, thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM thanks !
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM thanks!
@coro can you run |
@arkodg I believe that was unrelated to my change - it seems the example certificate used in that particular test with a diff ( |
What type of PR is this?
Added ability to optionally specify a cookieSuffix in the OIDC spec.
What this PR does / why we need it:
This is necessary to link up with the JWT element of the SecurityPolicy to ultimately make passing claimHeaders from the IdToken upstream for authentication in upstream apps clear and easy.
For example it would be used like this