API: add more oidc configuration settings #3423

Merged
merged 12 commits into from
May 31, 2024
42 changes: 42 additions & 0 deletions api/v1alpha1/oidc_types.go
Expand Up @@ -6,6 +6,7 @@
package v1alpha1

import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)

Expand Down Expand Up @@ -54,8 +55,49 @@ type OIDC struct {
RedirectURL *string `json:"redirectURL,omitempty"`

// The path to log a user out, clearing their credential cookies.
//
// If not specified, uses a default logout path "/logout"
LogoutPath *string `json:"logoutPath,omitempty"`

// ForwardAccessToken indicates whether the Envoy should forward the access token
// via the Authorization header Bearer scheme to the upstream.
// If not specified, defaults to false.
// +optional
// +notImplementedHide
ForwardAccessToken *bool `json:"ForwardAccessToken,omitempty"`

// DefaultTokenTTL is the default lifetime of the id token and access token.
// Please note that Envoy will always use the expiry time from the response
// of the authorization server if it is provided. This field is only used when
// the expiry time is not provided by the authorization.
//
// If not specified, defaults to 0. In this case, the "expires_in" field in
// the authorization response must be set by the authorization server, or the
// OAuth flow will fail.
//
// +optional
// +notImplementedHide
DefaultTokenTTL *metav1.Duration `json:"defaultTokenTTL,omitempty"`

// RefreshToken indicates whether the Envoy should automatically refresh the
// id token and access token when they expire.
// When set to true, the Envoy will use the refresh token to get a new id token
// and access token when they expire.
//
// If not specified, defaults to false.
// +optional
// +notImplementedHide
RefreshToken *bool `json:"refreshToken,omitempty"`

// DefaultRefreshTokenTTL is the default lifetime of the refresh token.
// This field is only used when the exp (expiration time) claim is omitted in
// the refresh token or the refresh token is not JWT.
//
// If not specified, defaults to 604800s (one week).
// Note: this field is only applicable when the "refreshToken" field is set to true.
// +optional
// +notImplementedHide
DefaultRefreshTokenTTL *metav1.Duration `json:"defaultRefreshTokenTTL,omitempty"`
}

// OIDCProvider defines the OIDC Provider configuration.
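Review bot: the JSON tag on the new field, `ForwardAccessToken *bool \`json:"ForwardAccessToken,omitempty"\``, is capitalized while every other tag in this struct is lowerCamel (`redirectURL`, `logoutPath`, `refreshToken`, `defaultTokenTTL`, `defaultRefreshTokenTTL`); change it to `json:"forwardAccessToken,omitempty"` before the CRD is regenerated, since the generated schema key is taken from this tag. The `DefaultTokenTTL` comment also reads "not provided by the authorization." where "authorization server" is meant. On the semantics of `ForwardAccessToken`: enabling it passes the user's access token to the upstream as a bearer credential, so the comment should state that trust implication plainly and that the default of false is the right setting unless the upstream actually consumes the token.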
20 changes: 20 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go
Expand Up @@ -811,6 +811,12 @@ spec:
description: OIDC defines the configuration for the OpenID Connect
(OIDC) authentication.
properties:
ForwardAccessToken:
description: |-
ForwardAccessToken indicates whether the Envoy should forward the access token
via the Authorization header Bearer scheme to the upstream.
If not specified, defaults to false.
type: boolean
clientID:
description: |-
The client ID to be used in the OIDC
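Review bot: the property key `ForwardAccessToken` is the only capitalized key in this schema and, because of ASCII ordering, is listed ahead of `clientID`; it is inherited directly from the `json:"ForwardAccessToken,omitempty"` tag in `oidc_types.go`, so the tag is the place to fix and this file should then be regenerated rather than edited by hand.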
Expand Down Expand Up @@ -885,9 +891,33 @@ spec:
If not specified, defaults to "IdToken-(randomly generated uid)"
type: string
type: object
defaultRefreshTokenTTL:
description: |-
DefaultRefreshTokenTTL is the default lifetime of the refresh token.
This field is only used when the exp (expiration time) claim is omitted in
the refresh token or the refresh token is not JWT.


If not specified, defaults to 604800s (one week).
Note: this field is only applicable when the "refreshToken" field is set to true.
type: string
defaultTokenTTL:
description: |-
DefaultTokenTTL is the default lifetime of the id token and access token.
Please note that Envoy will always use the expiry time from the response
of the authorization server if it is provided. This field is only used when
the expiry time is not provided by the authorization.


If not specified, defaults to 0. In this case, the "expires_in" field in
the authorization response must be set by the authorization server, or the
OAuth flow will fail.
type: string
logoutPath:
description: |-
The path to log a user out, clearing their credential cookies.


If not specified, uses a default logout path "/logout"
type: string
provider:
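Review bot: the `defaultTokenTTL` description carries the truncated phrase "not provided by the authorization." over from the Go comment; fix it at the source and regenerate. Separately, both `defaultRefreshTokenTTL` and `defaultTokenTTL` are emitted as `type: string` with no `pattern`, so any string passes schema validation and a malformed duration is only caught when the controller parses it; consider a `+kubebuilder:validation:Pattern` marker on the `metav1.Duration` fields so bad values are rejected at admission time.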
Expand Down Expand Up @@ -920,6 +950,16 @@ spec:
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
type: string
refreshToken:
description: |-
RefreshToken indicates whether the Envoy should automatically refresh the
id token and access token when they expire.
When set to true, the Envoy will use the refresh token to get a new id token
and access token when they expire.


If not specified, defaults to false.
type: boolean
resources:
description: |-
The OIDC resources to be used in the
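Review bot: the `refreshToken` description says the same thing twice ("automatically refresh the id token and access token when they expire" and then "will use the refresh token to get a new id token and access token when they expire"); collapse it to one sentence in the Go comment. It should also mention that `defaultRefreshTokenTTL` only takes effect when this field is true, since that dependency is currently stated only in the `defaultRefreshTokenTTL` description.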
2 changes: 1 addition & 1 deletion site/content/en/latest/api/extension_types.md
Expand Up @@ -2371,7 +2371,7 @@ _Appears in:_
| `scopes` | _string array_ | false | The OIDC scopes to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />The "openid" scope is always added to the list of scopes if not already<br />specified. |
| `resources` | _string array_ | false | The OIDC resources to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
| `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.<br />If not specified, uses a default logout path "/logout" |
| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.<br /><br />If not specified, uses a default logout path "/logout" |


#### OIDCCookieNames
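Review bot: the only change in the reference table is an extra `<br />` in the `logoutPath` row, produced by the new empty `//` comment line; none of the four new fields appear here because they carry `+notImplementedHide`. That is consistent with the marker, but the PR description should say explicitly that the new fields are hidden from the API reference until the marker is removed. While touching this row: `logoutPath` (like `redirectURL`) is marked `true` in the required column even though its description says a default is used when it is not specified, which is worth a follow-up on the `+optional` markers.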