oauth2: support disabling redirects for AJAX requests (#32655)

Added new parameter `ajax_request_matcher` to optionally not allow OAuth2 authorization redirect when all tokens are expired. Such redirect usually redirects the user to a login page (in authorization code flow) and this behavior is not desired in Ajax requests. Signed-off-by: Samuel Valis <samuel.valis@innovatrics.com> Mirrored from https://github.com/envoyproxy/envoy @ 8318716d9aedfc6277cd605a41b606a86f3feb52
12 months ago · 156b273195
parent a8860de8a7
commit 156b273195
1 changed files with 6 additions and 1 deletions
--- a/envoy/extensions/filters/http/oauth2/v3/oauth.proto
+++ b/envoy/extensions/filters/http/oauth2/v3/oauth.proto
@ -74,7 +74,7 @@ message OAuth2Credentials {

 // OAuth config
 //
-// [#next-free-field: 14]
+// [#next-free-field: 15]
 message OAuth2Config {
  enum AuthType {
    // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@ -137,6 +137,11 @@ message OAuth2Config {
  // If this value is not set, it will default to ``0s``. In this case, the expiry must be set by
  // the authorization server or the OAuth flow will fail.
  google.protobuf.Duration default_expires_in = 13;
+
+  // Any request that matches any of the provided matchers won't be redirected to OAuth server when tokens are not valid.
+  // Automatic access token refresh will be performed for these requests, if enabled.
+  // This behavior can be useful for AJAX requests.
+  repeated config.route.v3.HeaderMatcher deny_redirect_matcher = 14;
 }

 // Filter config.