feat: Optionally override Oauth Cookie Names #3274
Conversation
|
this makes a lot of sense 2 open questions
hoping we rely on work done in the past, to influence naming here |
|
I'd vote to keep the current naming, but allow users to specify a custom suffix. We should also provide guidance in the documentation on how to avoid session name conflicts if users opt for this customization. A preferable approach would be sending the ID token through an 'x-envoy-gateway-id-token' header, thus preventing users from tampering with cookies. This method requires some work(trival) in Envoy upstream." |
|
I am happy to do anything else required to move this forward. Side note - great work with this we are using envoy gateway successfully as our main ingress in our 300 plus service ecs to eks migration. |
I'm inclined to add a suffix or rewrite the entire cookie name. The default cookie name has a digest of the policy UID, it's kind of strange to put a random string as a prefix. |
should we just allow the user to set the entire name ? |
Agree, overwriting the entire name is better, users can easily know the cookie name. @sam-burrell |
api/v1alpha1/oidc_types.go
Outdated
| // The optional cookie suffix to be added to Bearer and IdToken cookies in the | ||
| // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | ||
| // If not specified, uses a randomly generated suffix | ||
| CookieSuffix *string `json:"cookieSuffix,omitempty"` |
There was a problem hiding this comment.
| CookieSuffix *string `json:"cookieSuffix,omitempty"` | |
| IdTokenCookieName *string `json:"idTokenCookieName,omitempty"` |
| // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | ||
| // If not specified, uses a randomly generated suffix | ||
| CookieSuffix *string `json:"cookieSuffix,omitempty"` | ||
|
|
|
@sam-burrell Could you please address @arkodg 's comment? So we can move on this. |
|
ping @sam-burrell could you check the review comments |
|
Hi, this feature is very welcome 👍 I propose additionally to @arkodg´s review comment to make all cookie names configurable (and not only idToken cookie): gateway/internal/xds/translator/oidc.go Lines 161 to 167 in 6dcf78a
|
if we need to have predictable names for all the cookies then I'd suggest making the struct a little more tiered |
Exposing BearerTokenCookieName and idTokenCookieName to API makes sense to me, but others should not be in the API as they are trivial details of the Envoy OAuth2 filter implementation. @denniskniep do you need these cookies somewhere? |
Signed-off-by: sam-burrell <sam.burrell@gmail.com> Signed-off-by: Connor Rogers <23215294+coro@users.noreply.github.com>
Co-authored-by: Sam Burrell <sam.burrell@gmail.com> Signed-off-by: Connor Rogers <23215294+coro@users.noreply.github.com>
Co-authored-by: Sam Burrell <sam.burrell@gmail.com> Signed-off-by: Connor Rogers <23215294+coro@users.noreply.github.com>
sam-burrell
changed the title
|
We have refactored this and now made this the ability to optionally overide oauth cookie names. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3274 +/- ##
==========================================
- Coverage 67.35% 67.19% -0.16%
==========================================
Files 166 166
Lines 19355 19470 +115
==========================================
+ Hits 13036 13083 +47
- Misses 5378 5444 +66
- Partials 941 943 +2 ☔ View full report in Codecov by Sentry. |
@zhaohuabing BearerTokenCookieName and idTokenCookieName is sufficient for my current use case |
|
hey this diff looks good ! |
Co-authored-by: Sam Burrell <sam.burrell@gmail.com> Signed-off-by: Connor Rogers <23215294+coro@users.noreply.github.com>
|
@arkodg Added, thanks! |
| namespace: envoy-gateway | ||
| conditions: | ||
| - lastTransitionTime: null | ||
| message: HMAC secret envoy-gateway-system/envoy-oidc-hmac not found |
There was a problem hiding this comment.
something is off, Accepted=False, you may have forgotten to include the Secret, the security IR field is also empty
api/v1alpha1/oidc_types.go
Outdated
| // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | ||
| // If not specified, defaults to "BearerToken-(randomly generated uid)" | ||
| // +optional | ||
| BearerToken *string `json:"bearerToken,omitempty"` |
There was a problem hiding this comment.
The name BearerToken is confusing in this context. Let's rename it AccessToken to keep consistent with #3423
| BearerToken *string `json:"bearerToken,omitempty"` | |
| AccessToken *string `json:"accessToken,omitempty"` |
internal/xds/translator/oidc.go
Outdated
|
|
||
| if oidc.CookieNameOverrides != nil && | ||
| oidc.CookieNameOverrides.BearerToken != nil { | ||
| oauth2.Config.Credentials.CookieNames.BearerToken = *oidc.CookieNameOverrides.BearerToken |
There was a problem hiding this comment.
Could you please also change the default name for "BearerTokentoAccessToken` ?
Change
BearerToken: fmt.Sprintf("BearerToken-%s", oidc.CookieSuffix),
To
BearerToken: fmt.Sprintf("AccessToken-%s", oidc.CookieSuffix)
Signed-off-by: Connor Rogers <23215294+coro@users.noreply.github.com>
Signed-off-by: Connor Rogers <23215294+coro@users.noreply.github.com>
What type of PR is this?
Added ability to optionally specify a cookieSuffix in the OIDC spec.
What this PR does / why we need it:
This is necessary to link up with the JWT element of the SecurityPolicy to ultimately make passing claimHeaders from the IdToken upstream for authentication in upstream apps clear and easy.
For example it would be used like this