OAuth2: Add samesite attribute support for all OAuth2 supported cookie types (#37952)

Commit Message: OAuth2: Add samesite attribute support for all OAuth2
supported cookie types

Additional Description: The SameSite attribute offers three values to
control whether cookies are shared within the same site or across
different sites. It's an optional setting, with a "Disabled" option that
omits the SameSite attribute altogether. By default, this setting is
disabled to ensure no changes are made to existing deployments, but
operators now have the option to enable SameSite. The six cookies
supporting the SameSite attribute are:

bearer_token_cookie
hmac_cookie
expires_cookie
id_token_cookie
refresh_token_cookie
nonce_cookie
The SameSite attribute values allowed are:

Strict
Lax
None
Disabled (Default, if no value is set in config)
The operator can also optionally not specify any SameSite attributes
for cookies. This will result in the DISABLED value being set for all
cookies' SameSite attribute values. In this case no SameSite attribute will be
returned by the filter.

The operator can also choose different SameSite attributes to be
configured for different cookies. This means the SameSite attributes for
the different cookies listed above can be different. Also, the operator can
optionally specify a SameSite attribute for some cookies but omit it for
others. It is not mandatory to specify SameSite explicitly for all
cookies.

Risk Level: Medium
Testing: unit
Docs Changes: proto is documented
Release Notes: changelog entry added

---------

Signed-off-by: Yueren Wang <yuerenwang@lyft.com>
Signed-off-by: Yueren Wang <yuerenwang@tm4wwrxcwd.tailbaa43.ts.net>
Co-authored-by: Yueren Wang <yuerenwang@tm4wwrxcwd.tailbaa43.ts.net>
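A configuration fragment showing how the per-cookie settings described in the commit message fit into the filter config, as an added example that is not part of the commit or the Envoy repository. The filter name `envoy.filters.http.oauth2` and the `@type` URL are assumed from the existing oauth2 filter; the `cookie_configs`, per-cookie field names and `same_site` values come from the proto in this change. Everything else in `OAuth2Config` (endpoints, credentials, redirect matchers) is omitted here.

```yaml
# Added example (not Envoy's own config): exercising cookie_configs.
# Assumed: filter name and @type URL of the existing oauth2 filter.
- name: envoy.filters.http.oauth2
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
    config:
      # ... token_endpoint, authorization_endpoint, credentials, redirect
      #     settings etc. go here; omitted for brevity ...
      cookie_configs:
        # Session-bearing cookies: never attached to cross-site requests.
        bearer_token_cookie_config:
          same_site: STRICT
        id_token_cookie_config:
          same_site: STRICT
        refresh_token_cookie_config:
          same_site: STRICT
        # The HMAC cookie is validated together with the bearer token,
        # so keep its policy identical to avoid a token-without-HMAC request.
        oauth_hmac_cookie_config:
          same_site: STRICT
        # The nonce cookie must be present on the redirect back from the
        # authorization server. Browsers treat that top-level navigation as
        # cross-site: Lax cookies are sent on it, Strict cookies are not.
        oauth_nonce_cookie_config:
          same_site: LAX
        # oauth_expires_cookie_config is intentionally not set: per the
        # commit message it defaults to DISABLED and no SameSite attribute
        # is emitted for that cookie.
```

Two practical consequences of this mix are worth checking in a staging environment before rollout: with STRICT on the token cookies, a top-level navigation that arrives from another site carries no session cookies, so the filter will restart the authorization flow for that request; and a value of NONE is only honoured by current browsers when the cookie is also marked Secure, so it should only be chosen for HTTPS deployments.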

Mirrored from https://github.com/envoyproxy/envoy @ d76115f5eaaa1ee4756d2542762049e1ad1a149e
main
update-envoy[bot] 1 month ago
parent 57d08f25ef
commit d173530940
  1. 40
      envoy/extensions/filters/http/oauth2/v3/oauth.proto

@ -25,6 +25,41 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#extension: envoy.filters.http.oauth2]
//
// OAuth cookie configuration attributes.
//
message CookieConfig {
enum SameSite {
DISABLED = 0;
STRICT = 1;
LAX = 2;
NONE = 3;
}
// The value used for the SameSite cookie attribute.
SameSite same_site = 1 [(validate.rules).enum = {defined_only: true}];
}
// [#next-free-field: 7]
message CookieConfigs {
// Configuration for the bearer token cookie.
CookieConfig bearer_token_cookie_config = 1;
// Configuration for the OAuth HMAC cookie.
CookieConfig oauth_hmac_cookie_config = 2;
// Configuration for the OAuth expires cookie.
CookieConfig oauth_expires_cookie_config = 3;
// Configuration for the ID token cookie.
CookieConfig id_token_cookie_config = 4;
// Configuration for the refresh token cookie.
CookieConfig refresh_token_cookie_config = 5;
// Configuration for the OAuth nonce cookie.
CookieConfig oauth_nonce_cookie_config = 6;
}
// [#next-free-field: 6]
message OAuth2Credentials {
// [#next-free-field: 7]
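Review bot: The `SameSite` enum values in `CookieConfig` carry no comments, so the generated docs will not say what `DISABLED` means (the attribute is omitted entirely, per the commit message) or that a cookie sent with `SameSite=None` is only accepted by current browsers when it also carries `Secure`. Since the PR relies on "proto is documented" for its docs change, suggest a one-line comment per value, e.g. `// No SameSite attribute is emitted (default).` above `DISABLED = 0;` and `// Browsers require the cookie to also be marked Secure.` above `NONE = 3;`.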
@ -84,7 +119,7 @@ message OAuth2Credentials {
// OAuth config
//
// [#next-free-field: 21]
// [#next-free-field: 22]
message OAuth2Config {
enum AuthType {
// The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@ -186,6 +221,9 @@ message OAuth2Config {
// will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
// sessions would not set the Refresh Token cookie header.
bool disable_refresh_token_set_cookie = 20;
// Controls for attributes that can be set on the cookies.
CookieConfigs cookie_configs = 21;
}
// Filter config.
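Review bot: The comment on `CookieConfigs cookie_configs = 21;` ("Controls for attributes that can be set on the cookies.") names neither the attribute being controlled nor the behaviour when the field or an individual cookie's config is left unset. Suggest wording the default explicitly, e.g. `// Per-cookie attribute settings (currently only SameSite). A cookie whose config is unset gets no SameSite attribute, preserving the previous behaviour.`, so the field docs match the guarantee given in the commit message.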
