oauth2: Add default expiry for RFC compliance (#31499)

Signed-off-by: Ryan Northey <ryan@synca.io> Mirrored from https://github.com/envoyproxy/envoy @ 3d67a3f940db59057a6f22db81fae8ecf2bcf5d3
11 months ago · 158cad77b1
parent 160e5af4c3
commit 158cad77b1
1 changed files with 8 additions and 1 deletions
--- a/envoy/extensions/filters/http/oauth2/v3/oauth.proto
+++ b/envoy/extensions/filters/http/oauth2/v3/oauth.proto
@ -7,6 +7,7 @@ import "envoy/config/route/v3/route_components.proto";
 import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
 import "envoy/type/matcher/v3/path.proto";

+import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

 import "udpa/annotations/status.proto";
@ -73,7 +74,7 @@ message OAuth2Credentials {

 // OAuth config
 //
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 message OAuth2Config {
  enum AuthType {
    // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@ -130,6 +131,12 @@ message OAuth2Config {
  // `RFC 6749 section 6 <https://datatracker.ietf.org/doc/html/rfc6749#section-6>`_), provided that the OAuth server supports that.
  // Default value is false.
  google.protobuf.BoolValue use_refresh_token = 12;
+
+  // The default lifetime in seconds of the access token, if omitted by the authorization server.
+  //
+  // If this value is not set, it will default to ``0s``. In this case, the expiry must be set by
+  // the authorization server or the OAuth flow will fail.
+  google.protobuf.Duration default_expires_in = 13;
 }

 // Filter config.