Added ability to specify a cookieSuffix
Signed-off-by: sam-burrell <sam.burrell@gmail.com>
sam-burrell committed Apr 25, 2024
1 parent dde05a9 commit 7a4f51a
Showing 4 changed files with 18 additions and 1 deletion.
5 changes: 5 additions & 0 deletions api/v1alpha1/oidc_types.go
Expand Up @@ -30,6 +30,11 @@ type OIDC struct {
// +kubebuilder:validation:Required
ClientSecret gwapiv1b1.SecretObjectReference `json:"clientSecret"`

// The optional cookie suffix to be added to Bearer and IdToken cookies in the
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
// If not specified, uses a randomly generated suffix
CookieSuffix *string `json:"cookieSuffix,omitempty"`

// The OIDC scopes to be used in the
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
// The "openid" scope is always added to the list of scopes if not already
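Review bot: `CookieSuffix` carries no kubebuilder validation marker, unlike `ClientSecret` directly above it, so the API server will accept any string, including the empty string and characters that cannot appear in a cookie name (`;`, `=`, whitespace, control characters), and the resulting `Set-Cookie` header for the Bearer and IdToken cookies would be malformed. Suggest adding markers such as `// +kubebuilder:validation:MinLength=1` and a `// +kubebuilder:validation:Pattern=` restricted to cookie-name token characters. The doc comment also says the fallback is "a randomly generated suffix", while `buildOIDC` derives it from `utils.Digest32(string(policy.UID))`, which is deterministic per policy; "derived from the policy UID" would describe the behaviour accurately.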
Expand Up @@ -618,6 +618,12 @@ spec:
required:
- name
type: object
cookieSuffix:
description: |-
The optional cookie suffix to be added to Bearer and IdToken cookies in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses a randomly generated suffix
type: string
logoutPath:
description: |-
The path to log a user out, clearing their credential cookies.
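Review bot: the schema for `cookieSuffix` is a bare `type: string` with no `pattern` or `minLength`, so it accepts values that cannot form a valid cookie name; since this appears to be the generated CRD schema, the constraint belongs on the `CookieSuffix` field as a kubebuilder marker, followed by regeneration, rather than a hand edit here. The description repeats the "randomly generated suffix" wording, which does not match the digest-of-UID fallback in `buildOIDC`.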
7 changes: 6 additions & 1 deletion internal/gatewayapi/securitypolicy.go
Expand Up @@ -588,8 +588,13 @@ func (t *Translator) buildOIDC(
logoutPath = *oidc.LogoutPath
}

// Generate a unique cookie suffix for oauth filters
// Generate a unique cookie suffix for oauth filters if CookieSuffix is not provided
// This is to avoid cookie name collision when multiple security policies are applied
// to the same route.
suffix := utils.Digest32(string(policy.UID))
if oidc.CookieSuffix != nil {
suffix = *oidc.CookieSuffix
}

// Get the HMAC secret
// HMAC secret is generated by the CertGen job and stored in a secret
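Review bot: the comment above `suffix` still states that the suffix exists "to avoid cookie name collision when multiple security policies are applied to the same route", but the new `if oidc.CookieSuffix != nil` branch gives that guarantee up: two SecurityPolicies on the same route that configure the same suffix, or an empty string (which a non-nil pointer allows), will now share Bearer and IdToken cookie names, so one policy's cookies can be read or overwritten by the other's filter. Suggest rejecting an empty suffix here and detecting duplicate suffixes across policies that target the same route (or documenting that the operator is responsible for uniqueness), and updating the comment to say the default is used only when `CookieSuffix` is unset.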
1 change: 1 addition & 0 deletions site/content/en/latest/api/extension_types.md
Expand Up @@ -2080,6 +2080,7 @@ _Appears in:_
| `provider` | _[OIDCProvider](#oidcprovider)_ | true | The OIDC Provider configuration. |
| `clientID` | _string_ | true | The client ID to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
| `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br /><br />This is an Opaque secret. The client secret should be stored in the key<br />"client-secret". |
| `cookieSuffix` | _string_ | false | The optional cookie suffix to be added to Bearer and IdToken cookies in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). If not specified, uses a randomly generated suffix |
| `scopes` | _string array_ | false | The OIDC scopes to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />The "openid" scope is always added to the list of scopes if not already<br />specified. |
| `resources` | _string array_ | false | The OIDC resources to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
| `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
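Review bot: the `cookieSuffix` row says the fallback is "a randomly generated suffix", but the translator computes it as `utils.Digest32(string(policy.UID))`, which is stable for the lifetime of the policy; reword to match, and once a character-set constraint is added to the field, state the allowed characters here the way the `redirectURL` row states its default value.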
