envoy
Upgrade to Websocket seems to ignore 'typed_per_filter_config' of route when using default HTTP filter chain
Config:
- match:
    path: "/mqtt"
  route:
    upgrade_configs:
    - upgrade_type: "websocket"
    cluster: service_mqtt
  decorator:
    operation: "mqtt"
  typed_per_filter_config:
    internal_oauth2_oidc:
      "@type": type.googleapis.com/envoy.config.route.v3.FilterConfig
      disabled: true
Logs:
[2024-02-01 07:12:11.904][34][debug][oauth2] [source/extensions/filters/http/oauth2/filter.cc:441] can not skip oauth flow
[2024-02-01 07:12:11.904][34][debug][oauth2] [source/extensions/filters/http/oauth2/filter.cc:373] path /mqtt does not match with redirect matcher. redirecting to OAuth server.
Version: Docker v1.29-latest
@stevenzzzz might have some insight (based on having added route.proto's typed_per_filter_config) @alyssawilk probably has some knowledge about the websocket part (based on having had something to do with it 5 years ago!)
One thing to check, since we can't see it in the provided config snippet: does the oauth filter you're trying to disable have name= internal_oauth2_oidc? Or, for simplicity, is that same typed_per_filter_config respected if you don't have a websocket upgrade in there?
IIUC, as long as your http-request goes through the filter-chain, right now typed-filter config is always honored no matter what your http method is.
Per the latched config, are you using the right "filter name" in your typed-filter-config? I think the oauth2 filter name is "envoy.filters.http.oauth2" per my code search.
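The name check both replies above ask about, as an added example that is not part of the thread or Envoy's own code: it flags `typed_per_filter_config` keys that match no `http_filters` name in the same connection manager. The function name, the dict layout (the JSON form of a listener with inline routes) and the sample listener are assumptions constructed for illustration.

```python
# Added example (not from the thread): flag typed_per_filter_config keys that
# name no HTTP filter in the same HttpConnectionManager.

def unmatched_per_filter_keys(listener):
    """Return sorted (scope, key) pairs whose key matches no http_filters name."""
    findings = []
    for chain in listener.get("filter_chains", []):
        for net_filter in chain.get("filters", []):
            hcm = net_filter.get("typed_config", {})
            if "http_filters" not in hcm:
                continue  # not an HTTP connection manager
            names = {f["name"] for f in hcm["http_filters"]}
            # Assumption: routes are inline (route_config), not served over RDS.
            for vhost in hcm.get("route_config", {}).get("virtual_hosts", []):
                scopes = [("vhost:" + vhost.get("name", "?"), vhost)]
                for route in vhost.get("routes", []):
                    match = route.get("match", {})
                    label = match.get("path") or match.get("prefix") or "?"
                    scopes.append(("route:" + label, route))
                for label, scope in scopes:
                    for key in scope.get("typed_per_filter_config", {}):
                        if key not in names:
                            findings.append((label, key))
    return sorted(findings)

DISABLED = {"@type": "type.googleapis.com/envoy.config.route.v3.FilterConfig",
            "disabled": True}

# Constructed sample: the OAuth2 filter is registered as "internal_oauth2_oidc".
SAMPLE_LISTENER = {"filter_chains": [{"filters": [{
    "name": "envoy.filters.network.http_connection_manager",
    "typed_config": {
        "http_filters": [{"name": "internal_oauth2_oidc"},
                         {"name": "envoy.filters.http.router"}],
        "route_config": {"virtual_hosts": [{"name": "local", "routes": [
            {"match": {"path": "/mqtt"},   # key matches the filter name
             "typed_per_filter_config": {"internal_oauth2_oidc": DISABLED}},
            {"match": {"path": "/ws"},     # key names a filter not in the chain
             "typed_per_filter_config": {"envoy.filters.http.oauth2": DISABLED}},
        ]}]},
    },
}]}]}

if __name__ == "__main__":
    for scope, key in unmatched_per_filter_keys(SAMPLE_LISTENER):
        print(f"{scope}: no http_filter named {key!r}")
```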
With 'https://' requests the typed-filter config will be respected, with 'wss://' not:
http:
wss:
One of the filters that is not disabled:
@stevenzzzz Any idea why a wss request is caught by the disabled filter chain and https is not?
When Envoy XDS loads various layers' per_filter_configs_ (either route or VHost... ), there is no selection of what connection type it is.
When a filter goes through the layers of per-filter config, I don't think there should be any filtering either. I can't see mostSpecificPerFilterConfig called by oauth2/filter.cc. Are you adding the typed_per_filter_config to your wrapper filter impl (internal_oauth2_oidc)?
I am not sure how your impl is done, nor can I tell from the config snippets shared here, so can't give you meaningful suggestion there.
But I'd probably check the customized wrapper filter impl. As far as I can tell, the original oauth2 filter impl doesn't read per-filter config, unless the wrapper impl feeds that into the nested filter's passThroughMatchers().
I have the same problem.
If I use an http/https connection, typed_per_filter_config worked. If I use a ws/wss connection, typed_per_filter_config is ignored.
It looks bad(
I add:
- name: "UPGRADE"
  string_match:
    exact: "websocket"
to passThroughMatchers in oath2HttpFilter, but I'm not sure if this is the best solution.
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
/reopen
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.