From 8ae9b09398c692fb9af36f61e1289f2c81f80dbc Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Mon, 26 Aug 2024 09:29:56 +0800 Subject: [PATCH] API: api for setting OIDC token cookie domain (#4093) * api for oidc token cookie domain Signed-off-by: Huabing Zhao * minor wording Signed-off-by: Huabing Zhao * add regex validation Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- api/v1alpha1/oidc_types.go | 9 +++++++++ api/v1alpha1/zz_generated.deepcopy.go | 5 +++++ .../gateway.envoyproxy.io_securitypolicies.yaml | 8 ++++++++ 3 files changed, 22 insertions(+)
diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go
index 53490a1f109..8951fbe63e6 100644
--- a/api/v1alpha1/oidc_types.go
+++ b/api/v1alpha1/oidc_types.go
@@ -37,6 +37,15 @@ type OIDC struct {
 	// +optional
 	CookieNames *OIDCCookieNames `json:"cookieNames,omitempty"`
 
+	// The optional domain to set the access and ID token cookies on.
+	// If not set, the cookies will default to the host of the request, not including the subdomains.
+	// If set, the cookies will be set on the specified domain and all subdomains.
+	// This means that requests to any subdomain will not require reauthentication after users log in to the parent domain.
+	// +optional
+	// +notImplementedHide
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$`
+	CookieDomain *string `json:"cookieDomain,omitempty"`
+
 	// The OIDC scopes to be used in the
 	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 	// The "openid" scope is always added to the list of scopes if not already
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 1680d26cca4..752317aea97 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
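Review bot: The `+kubebuilder:validation:Pattern` marker on the new CookieDomain field rejects any label after the first that is a single character: the first label's `([-a-z0-9]*[a-z0-9])` group carries `?` but the repeated `(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*` group does not, so `ab.example` is accepted while `a.b.example` or `x.y` is rejected; making the two consistent gives `^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`. The pattern also bounds neither label length (63) nor total length (253), so a `+kubebuilder:validation:MaxLength=253` marker would be a cheap addition. Because the doc comment states that the access and ID token cookies are set on the specified domain and all subdomains, it should also spell out what that means for operators, e.g. `// Only set this to a domain whose subdomains are all trusted: every host under it will receive the token cookies.` The field is marked `+notImplementedHide`, so whatever eventually checks that the configured domain actually covers the request host (browsers drop cookies whose Domain does not match) presumably lives outside this hunk. The OIDC struct begins and ends outside the hunk.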
@@ -3466,6 +3466,11 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { *out = new(OIDCCookieNames) (*in).DeepCopyInto(*out) } + if in.CookieDomain != nil { + in, out := &in.CookieDomain, &out.CookieDomain + *out = new(string) + **out = **in + } if in.Scopes != nil { in, out := &in.Scopes, &out.Scopes *out = make([]string, len(*in)) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 15faec671eb..d436d38734d 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -2049,6 +2049,14 @@ spec: required: - name type: object + cookieDomain: + description: |- + The optional domain to set the access and ID token cookies on. + If not set, the cookies will default to the host of the request, not including the subdomains. + If set, the cookies will be set on the specified domain and all subdomains. + This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$ + type: string cookieNames: description: |- The optional cookie name overrides to be used for Bearer and IdToken cookies in the