Add OAuth filter (#11268)
This was written by Derek Argueta originally. Some more work might be needed to make it more generic. Risk Level: low, new filter Testing: unit tests included Docs Changes: filter docs added Signed-off-by: Snow Pettersen <snowp@lyft.com> Co-authored-by: Derek Argueta <darguetap@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ c6bfd7f9f52468d576781a9b1fe9ea5d3f9086c9master-ci-test
parent
46837a9f4e
commit
93b9c9e5d9
6 changed files with 208 additions and 0 deletions
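--- a/envoy/extensions/filters/http/oauth2/v3alpha/BUILD
+++ b/envoy/extensions/filters/http/oauth2/v3alpha/BUILD
@@ -0,0 +1,15 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+deps = [
+"//envoy/config/core/v3:pkg",
+"//envoy/config/route/v3:pkg",
+"//envoy/extensions/transport_sockets/tls/v3:pkg",
+"//envoy/type/matcher/v3:pkg",
+"@com_github_cncf_udpa//udpa/annotations:pkg",
+],
+)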
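--- a/envoy/extensions/filters/http/oauth2/v3alpha/PLACEHOLDER_FILENAME.proto
+++ b/envoy/extensions/filters/http/oauth2/v3alpha/PLACEHOLDER_FILENAME.proto
@@ -0,0 +1,83 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.oauth2.v3alpha;
+
+import "envoy/config/core/v3/http_uri.proto";
+import "envoy/config/route/v3/route_components.proto";
+import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
+import "envoy/type/matcher/v3/path.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.oauth2.v3alpha";
+option java_outer_classname = "OauthProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).work_in_progress = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: OAuth]
+// OAuth :ref:`configuration overview <config_http_filters_oauth>`.
+// [#extension: envoy.filters.http.oauth2]
+//
+
+message OAuth2Credentials {
+// The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.
+string client_id = 1 [(validate.rules).string = {min_bytes: 1}];
+
+// The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server.
+transport_sockets.tls.v3.SdsSecretConfig token_secret = 2
+[(validate.rules).message = {required: true}];
+
+// Configures how the secret token should be created.
+oneof token_formation {
+option (validate.required) = true;
+
+// If present, the secret token will be a HMAC using the provided secret.
+transport_sockets.tls.v3.SdsSecretConfig hmac_secret = 3
+[(validate.rules).message = {required: true}];
+}
+}
+
+// OAuth config
+//
+// [#next-free-field: 9]
+message OAuth2Config {
+// Endpoint on the authorization server to retrieve the access token from.
+config.core.v3.HttpUri token_endpoint = 1;
+
+// The endpoint redirect to for authorization in response to unauthorized requests.
+string authorization_endpoint = 2 [(validate.rules).string = {min_bytes: 1}];
+
+// Credentials used for OAuth.
+OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}];
+
+// The redirect URI passed to the authorization endpoint. Supports header formatting
+// tokens. For more information, including details on header value syntax, see the
+// documentation on :ref:`custom request headers <config_http_conn_man_headers_custom_request_headers>`.
+//
+// This URI should not contain any query parameters.
+string redirect_uri = 4 [(validate.rules).string = {min_bytes: 1}];
+
+// Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.
+type.matcher.v3.PathMatcher redirect_path_matcher = 5
+[(validate.rules).message = {required: true}];
+
+// The path to sign a user out, clearing their credential cookies.
+type.matcher.v3.PathMatcher signout_path = 6 [(validate.rules).message = {required: true}];
+
+// Forward the OAuth token as a Bearer to upstream web service.
+bool forward_bearer_token = 7;
+
+// Any request that matches any of the provided matchers will be passed through without OAuth validation.
+repeated config.route.v3.HeaderMatcher pass_through_matcher = 8;
+}
+
+// Filter config.
+message OAuth2 {
+// Leave this empty to disable OAuth2 for a specific route, using per filter config.
+OAuth2Config config = 1;
+}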
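Review bot: `token_endpoint` is the only message-typed field in OAuth2Config without `[(validate.rules).message = {required: true}]`, while `credentials`, `redirect_path_matcher` and `signout_path` all carry it, so a config that omits the endpoint the filter exchanges the code against still passes validation; suggest `config.core.v3.HttpUri token_endpoint = 1 [(validate.rules).message = {required: true}];` unless an absent endpoint is a deliberate mode, in which case the field comment should say so. The `redirect_uri` comment advertises header formatting tokens but not that a value substituted from request headers (for example the host) is client-supplied, so a sentence such as `// Values substituted from request headers are client-controlled; the authorization server must validate redirect_uri against its registered value.` would help operators. Similarly `pass_through_matcher` disables OAuth for any request matching a HeaderMatcher, and the comment should note that matching on headers a client can set itself is an authentication bypass, so pass-through rules should match on values the operator trusts (path, method, or headers set by a trusted hop). `import "google/protobuf/duration.proto";` is not used by any field in this file. The v4alpha copy of this file in the same commit carries the same four points.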
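--- a/envoy/extensions/filters/http/oauth2/v4alpha/BUILD
+++ b/envoy/extensions/filters/http/oauth2/v4alpha/BUILD
@@ -0,0 +1,16 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+deps = [
+"//envoy/config/core/v4alpha:pkg",
+"//envoy/config/route/v4alpha:pkg",
+"//envoy/extensions/filters/http/oauth2/v3alpha:pkg",
+"//envoy/extensions/transport_sockets/tls/v4alpha:pkg",
+"//envoy/type/matcher/v4alpha:pkg",
+"@com_github_cncf_udpa//udpa/annotations:pkg",
+],
+)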
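--- a/envoy/extensions/filters/http/oauth2/v4alpha/PLACEHOLDER_FILENAME.proto
+++ b/envoy/extensions/filters/http/oauth2/v4alpha/PLACEHOLDER_FILENAME.proto
@@ -0,0 +1,92 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.oauth2.v4alpha;
+
+import "envoy/config/core/v4alpha/http_uri.proto";
+import "envoy/config/route/v4alpha/route_components.proto";
+import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto";
+import "envoy/type/matcher/v4alpha/path.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.oauth2.v4alpha";
+option java_outer_classname = "OauthProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).work_in_progress = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: OAuth]
+// OAuth :ref:`configuration overview <config_http_filters_oauth>`.
+// [#extension: envoy.filters.http.oauth2]
+//
+
+message OAuth2Credentials {
+option (udpa.annotations.versioning).previous_message_type =
+"envoy.extensions.filters.http.oauth2.v3alpha.OAuth2Credentials";
+
+// The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.
+string client_id = 1 [(validate.rules).string = {min_bytes: 1}];
+
+// The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server.
+transport_sockets.tls.v4alpha.SdsSecretConfig token_secret = 2
+[(validate.rules).message = {required: true}];
+
+// Configures how the secret token should be created.
+oneof token_formation {
+option (validate.required) = true;
+
+// If present, the secret token will be a HMAC using the provided secret.
+transport_sockets.tls.v4alpha.SdsSecretConfig hmac_secret = 3
+[(validate.rules).message = {required: true}];
+}
+}
+
+// OAuth config
+//
+// [#next-free-field: 9]
+message OAuth2Config {
+option (udpa.annotations.versioning).previous_message_type =
+"envoy.extensions.filters.http.oauth2.v3alpha.OAuth2Config";
+
+// Endpoint on the authorization server to retrieve the access token from.
+config.core.v4alpha.HttpUri token_endpoint = 1;
+
+// The endpoint redirect to for authorization in response to unauthorized requests.
+string authorization_endpoint = 2 [(validate.rules).string = {min_bytes: 1}];
+
+// Credentials used for OAuth.
+OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}];
+
+// The redirect URI passed to the authorization endpoint. Supports header formatting
+// tokens. For more information, including details on header value syntax, see the
+// documentation on :ref:`custom request headers <config_http_conn_man_headers_custom_request_headers>`.
+//
+// This URI should not contain any query parameters.
+string redirect_uri = 4 [(validate.rules).string = {min_bytes: 1}];
+
+// Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.
+type.matcher.v4alpha.PathMatcher redirect_path_matcher = 5
+[(validate.rules).message = {required: true}];
+
+// The path to sign a user out, clearing their credential cookies.
+type.matcher.v4alpha.PathMatcher signout_path = 6 [(validate.rules).message = {required: true}];
+
+// Forward the OAuth token as a Bearer to upstream web service.
+bool forward_bearer_token = 7;
+
+// Any request that matches any of the provided matchers will be passed through without OAuth validation.
+repeated config.route.v4alpha.HeaderMatcher pass_through_matcher = 8;
+}
+
+// Filter config.
+message OAuth2 {
+option (udpa.annotations.versioning).previous_message_type =
+"envoy.extensions.filters.http.oauth2.v3alpha.OAuth2";
+
+// Leave this empty to disable OAuth2 for a specific route, using per filter config.
+OAuth2Config config = 1;
+}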