Sync Gloo APIs. Destination Branch: gloo-main

api/gloo/enterprise.gloo/v1/auth_config.proto

@@ -540,6 +540,18 @@ message EndSessionProperties {
     MethodType methodType = 1;
 }
 
+// Allows copying verified claims to headers sent upstream
+message ClaimToHeader {
+    // Claim name. for example, “sub”
+    string claim = 1;
+
+    // The header the claim will be copied to. for example, “x-sub”.
+    string header = 2;
+
+    // If the header exists, append to it (true), or overwrite it (false).
+    bool append = 3;
+}
+
 
 message OidcAuthorizationCode {
     // your client id as registered with the issuer
@@ -662,6 +674,9 @@ message OidcAuthorizationCode {
     // Generally the client secret is required and AuthConfigs will be rejected if it isn't set.
     // However certain implementations of the PKCE flow do not use a client secret (including Okta) so this setting allows configuring Oidc without a client secret.
     google.protobuf.BoolValue disable_client_secret = 21;
+
+    // Optional: What claims should be copied to upstream headers.
+    repeated ClaimToHeader claims_to_headers = 22;
 }
 
 message PlainOAuth2 {
@@ -1071,7 +1086,7 @@ message OpaAuthOptions {
     bool fast_input_conversion = 1;
 
     // Return the reason given from the OPA engine after a decision made on this policy. Reason must be the second
-    // parameter of the query. The entry will be in the returned DynamicMetadata in the CheckResponse and the structure 
+    // parameter of the query. The entry will be in the returned DynamicMetadata in the CheckResponse and the structure
     // will be
     // envoy.filters.http.ext_authz:
     //   -> name of the auth step, i.e. spec.configs[i].name
@@ -1433,7 +1448,6 @@ message ExtAuthConfig {
 
         // Configuration related to the user session.
         UserSessionConfig user_session = 20;
-
     }
 
     message AccessTokenValidationConfig {

api/gloo/gloo/v1/enterprise/options/caching/caching.proto

@@ -25,7 +25,7 @@ message Settings {
    // Max payload size to cache. If unset defaults to a reasonable value.
    // If explicitly set to 0 will prevent anything with a body from
    // being cached.
-   google.protobuf.UInt64Value max_payload_size = 4;
+   google.protobuf.UInt32Value max_payload_size = 4;
 
 
 }

api/gloo/gloo/v1/options/connection_limit/connection_limit.proto

@@ -20,7 +20,7 @@ message ConnectionLimit {
     // The maximum number of active connections for this gateway. When this limit is reached, any incoming connection
     // will be closed after delay duration.
     // Must be greater than one.
-    google.protobuf.UInt64Value max_active_connections = 1;
+    google.protobuf.UInt32Value max_active_connections = 1;
 
     // The time to wait before a connection is dropped. Useful for DoS prevention.
     // Defaults to zero and the connection will be closed immediately.