Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allows to preserve the exsting authorization header when oauth2 filter is in the request path #34236

Closed
zhaohuabing opened this issue May 18, 2024 · 3 comments · Fixed by #34470
Closed

Allows to preserve the exsting authorization header when oauth2 filter is in the request path #34236

zhaohuabing opened this issue May 18, 2024 · 3 comments · Fixed by #34470
Labels
area/http_filter area/oauth enhancement Feature requests. Not bugs or questions. help wanted Needs help!

Comments

@zhaohuabing
Copy link
Member

zhaohuabing commented May 18, 2024
edited
Loading

In the current OAuth2 implementation, the Authorization header is sanitized by the OAuth2 filter when it's in the request path, as the following code shows:

envoy/source/extensions/filters/http/oauth2/filter.cc

Lines 292 to 295 in 416cd42

// Sanitize the Authorization header, since we have no way to validate its content. Also,
// if token forwarding is enabled, this header will be set based on what is on the HMAC cookie
// before forwarding the request upstream.
headers.removeInline(authorization_handle.handle());

In some scenarios, such as Multi-Factor Authentication (MFA), there may be a need to add another layer of authentication alongside oauth2. It can be helpful if a knob could be added to change this default behavior.

   // If set to true, preserve the existing authorization header when forward_bearer_token is false.
   bool preserve_authorization_header bool = 16;

Related EG issue: envoyproxy/gateway#3396
@zhaohuabing zhaohuabing added enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels May 18, 2024
@zhaohuabing zhaohuabing changed the title Allows to keep the exsting bearer token when oauth2 filter is used Allows to preserve the exsting authorization header when oauth2 filter is in the request path May 18, 2024
@derekargueta
Copy link
Member

I thought we already had a GH issue for this but I guess not... sounds good to me

@zuercher zuercher added help wanted Needs help! area/oauth area/http_filter and removed triage Issue requires triage labels May 21, 2024
@zhaohuabing
Copy link
Member Author

/assign

@repokitteh-read-only RepoKitteh - Read Only
Copy link

zhaohuabing is not allowed to assign users.

🐱

Caused by: a #34236 (comment) was created by @zhaohuabing.

see: more, trace.

@denniskniep denniskniep mentioned this issue Jun 1, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/http_filter area/oauth enhancement Feature requests. Not bugs or questions. help wanted Needs help!
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

oauth filter: preserve existing auth header denniskniep/envoy
3 participants
@zuercher @zhaohuabing @derekargueta