envoy icon indicating copy to clipboard operation
envoy copied to clipboard
verified publisher icon envoyproxy

oauth filter: set token cookies regardless of forward_bearer_token option + ability to disable bearertoken and refreshtoken cookie

Open denniskniep opened this issue 1 year ago • 2 comments

Commit Message: oauth filter: set token cookies regardless of forward_bearer_token option + ability to disable refreshtoken and bearertoken cookie

Additional Description: Unconditionally set the BearerToken, IdToken, and RefreshToken cookies in the response. The documentation of forward_bearer_token states "Forward the OAuth token as a Bearer to upstream web service." It's confusing for this behavior to affect response cookies as well.

This change alone would set the raw bearer token in the client browser which is undesirable by some.

Therefore introduced further properties to disable single cookies, if necessary:

  • disable_access_token_set_cookie
  • disable_refresh_token_set_cookie

Like it was done here: https://github.com/envoyproxy/envoy/issues/33825

Risk Level: Low Testing: Included Docs Changes: N/A Release Notes: Included Platform Specific Features: N/A Fixes: https://github.com/envoyproxy/envoy/issues/32566

denniskniep avatar Aug 25 '24 13:08 denniskniep

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/). envoyproxy/api-shepherds assignee is @markdroth CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

:cat:

Caused by: https://github.com/envoyproxy/envoy/pull/35839 was opened by denniskniep.

see: more, trace.

repokitteh-read-only[bot] avatar Aug 25 '24 13:08 repokitteh-read-only[bot]

@markdroth I addressed your review comments

denniskniep avatar Aug 29 '24 05:08 denniskniep

In the future, please don't force-push to the branch after the review has started, since that makes it hard for the reviewer to see what changed since their last review pass.

markdroth avatar Aug 29 '24 17:08 markdroth

/lgtm api

markdroth avatar Aug 29 '24 17:08 markdroth

cc: derekargueta

denniskniep avatar Sep 02 '24 11:09 denniskniep

@mattklein123 thanks for the review. Can we already merge it?

denniskniep avatar Sep 19 '24 21:09 denniskniep

/retest

mattklein123 avatar Sep 20 '24 22:09 mattklein123

I'm not sure why CI is failing. Is main fully merged? cc @phlax

mattklein123 avatar Sep 20 '24 22:09 mattklein123

Hi @mattklein123 ,

merged main again and removed that + char from the pr title. I think removing the + char did the trick... Can we merge this pr?

Probably this line can not handle it ?

The template is not valid. envoyproxy/envoy/.github/workflows/_start.yml (Line: 90, Col: 17): Error reading JToken from JsonReader. Path '', line 0, position

denniskniep avatar Sep 21 '24 21:09 denniskniep

hi @denniskniep - i think it was something slightly different

i changed Bearer to in the PR description to XXX - its a new failure mode triggered by a false positive in githubs secret scanning

phlax avatar Sep 21 '24 21:09 phlax

Sorry needs a main merge then we are good to go.

/wait

mattklein123 avatar Sep 23 '24 15:09 mattklein123

@mattklein123 merged

denniskniep avatar Sep 23 '24 18:09 denniskniep

Sorry needs merge again. :(

/wait

mattklein123 avatar Sep 24 '24 04:09 mattklein123