OAuth2 Filter - Unexpected behaviour of forward_bearer_token

Open mustafacagataytulun opened this issue 1 year ago • 0 comments

Title: OAuth2 Filter - Unexpected behaviour of forward_bearer_token

Description: While using OAuth2 Filter, if we set forward_bearer_token to false, Envoy does not return BearerToken, IdToken, and RefreshToken cookies to the downstream.

The documentation says "if forward_bearer_token is set to true the filter will send over a cookie named BearerToken to the upstream". I expect that this field affects only forwarding to upstream. However, it seems that it also affects the downstream, since it does not set these cookies. It only sets OauthHMAC and OauthExpires cookies.

This behaviour also causes the OAuth2 filter to become unusable when combined with the JWT Auth filter while forward_bearer_token is set to false, because the JWT Auth filter cannot find any cookie for BearerToken or IdToken.

Repro steps:

  1. Generate a simple envoy.yaml configuration file with OAuth2 filter.
  2. Set forward_bearer_token to false.
  3. Try authenticating. The final response on callback endpoint will not have Set-Cookie response headers for BearerToken, IdToken, and RefreshToken.

Config:

    http_filters:
    - name: envoy.filters.http.oauth2
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
        config:
          token_endpoint:
            cluster: oauth
            uri: https://login.microsoftonline.com/********-****-****-****-************/oauth2/v2.0/token
            timeout: 3s
          authorization_endpoint: https://login.microsoftonline.com/********-****-****-****-************/oauth2/v2.0/authorize
          redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
          redirect_path_matcher:
            path:
              exact: /callback
          signout_path:
            path:
              exact: /signout
          credentials:
            client_id: ********-****-****-****-************
            token_secret:
              name: token
              sds_config:
                path_config_source:
                  path: /etc/envoy/oauth-token-secret.yaml
            hmac_secret:
              name: hmac
              sds_config:
                path_config_source:
                  path: /etc/envoy/oauth-hmac-secret.yaml
          auth_scopes:
          - offline_access
          - openid
          - profile
          resources: []
          use_refresh_token: true
          forward_bearer_token: false
          auth_type: basic_auth

mustafacagataytulun · Feb 25 '24 13:02
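As an added example (not code from the issue or from Envoy), the following Python check lets an operator confirm the behaviour described above from a captured /callback response: it parses the Set-Cookie headers, reports which of the five cookies the reporter names are present or missing, and flags any present cookie that lacks HttpOnly, Secure or SameSite. The sample headers are constructed to match what the reporter observes with forward_bearer_token: false.

```python
"""Audit the cookies an Envoy OAuth2 filter callback response sets."""

# Cookie names the reporter expects on the /callback response (from the issue).
EXPECTED_COOKIES = ("OauthHMAC", "OauthExpires", "BearerToken", "IdToken", "RefreshToken")


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_callback_cookies(set_cookie_headers):
    """Return {'present': [...], 'missing': [...], 'weak': {name: [issues]}}.

    'missing' lists expected cookies not set at all (the symptom in the issue);
    'weak' lists cookies that are set without the usual protective attributes.
    """
    present = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        present[name] = attrs
    missing = [c for c in EXPECTED_COOKIES if c not in present]
    weak = {}
    for name, attrs in present.items():
        issues = []
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")
        if "secure" not in attrs:
            issues.append("missing Secure")
        if "samesite" not in attrs:
            issues.append("missing SameSite")
        if issues:
            weak[name] = issues
    return {"present": sorted(present), "missing": missing, "weak": weak}


# Constructed sample: only the HMAC and expiry cookies, as the reporter describes.
SAMPLE_HEADERS = [
    "OauthHMAC=c29tZS1obWFj; Path=/; HttpOnly; Secure; SameSite=Lax",
    "OauthExpires=1708866000; Path=/; HttpOnly; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    print(audit_callback_cookies(SAMPLE_HEADERS))
```

Feed it the Set-Cookie values from a real callback capture (one list entry per header) to see which cookies the filter actually set under a given forward_bearer_token setting.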