API: add more oidc configuration settings (#3423)

* add more oidc configuration settings Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * add more comments Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * add more comments Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * address comments Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * minor wording Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * change naming Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * change naming Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * fix gen check Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * change naming Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: huabing zhao <zhaohuabing@gmail.com> Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
envoyproxy · May 31, 2024 · 7f2038f · 7f2038f
1 parent 97895ba
commit 7f2038f
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 1 deletion.
diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go
@@ -6,6 +6,7 @@
 package v1alpha1
 
 import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 )
 
@@ -54,8 +55,49 @@ type OIDC struct {
 	RedirectURL *string `json:"redirectURL,omitempty"`
 
 	// The path to log a user out, clearing their credential cookies.
+	//
 	// If not specified, uses a default logout path "/logout"
 	LogoutPath *string `json:"logoutPath,omitempty"`
+
+	// ForwardAccessToken indicates whether the Envoy should forward the access token
+	// via the Authorization header Bearer scheme to the upstream.
+	// If not specified, defaults to false.
+	// +optional
+	// +notImplementedHide
+	ForwardAccessToken *bool `json:"ForwardAccessToken,omitempty"`
+
+	// DefaultTokenTTL is the default lifetime of the id token and access token.
+	// Please note that Envoy will always use the expiry time from the response
+	// of the authorization server if it is provided. This field is only used when
+	// the expiry time is not provided by the authorization.
+	//
+	// If not specified, defaults to 0. In this case, the "expires_in" field in
+	// the authorization response must be set by the authorization server, or the
+	// OAuth flow will fail.
+	//
+	// +optional
+	// +notImplementedHide
+	DefaultTokenTTL *metav1.Duration `json:"defaultTokenTTL,omitempty"`
+
+	// RefreshToken indicates whether the Envoy should automatically refresh the
+	// id token and access token when they expire.
+	// When set to true, the Envoy will use the refresh token to get a new id token
+	// and access token when they expire.
+	//
+	// If not specified, defaults to false.
+	// +optional
+	// +notImplementedHide
+	RefreshToken *bool `json:"refreshToken,omitempty"`
+
+	// DefaultRefreshTokenTTL is the default lifetime of the refresh token.
+	// This field is only used when the exp (expiration time) claim is omitted in
+	// the refresh token or the refresh token is not JWT.
+	//
+	// If not specified, defaults to 604800s (one week).
+	// Note: this field is only applicable when the "refreshToken" field is set to true.
+	// +optional
+	// +notImplementedHide
+	DefaultRefreshTokenTTL *metav1.Duration `json:"defaultRefreshTokenTTL,omitempty"`
 }
 
 // OIDCProvider defines the OIDC Provider configuration.

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -811,6 +811,12 @@ spec:
                 description: OIDC defines the configuration for the OpenID Connect
                   (OIDC) authentication.
                 properties:
+                  ForwardAccessToken:
+                    description: |-
+                      ForwardAccessToken indicates whether the Envoy should forward the access token
+                      via the Authorization header Bearer scheme to the upstream.
+                      If not specified, defaults to false.
+                    type: boolean
                   clientID:
                     description: |-
                       The client ID to be used in the OIDC
@@ -885,9 +891,33 @@ spec:
                           If not specified, defaults to "IdToken-(randomly generated uid)"
                         type: string
                     type: object
+                  defaultRefreshTokenTTL:
+                    description: |-
+                      DefaultRefreshTokenTTL is the default lifetime of the refresh token.
+                      This field is only used when the exp (expiration time) claim is omitted in
+                      the refresh token or the refresh token is not JWT.
+
+
+                      If not specified, defaults to 604800s (one week).
+                      Note: this field is only applicable when the "refreshToken" field is set to true.
+                    type: string
+                  defaultTokenTTL:
+                    description: |-
+                      DefaultTokenTTL is the default lifetime of the id token and access token.
+                      Please note that Envoy will always use the expiry time from the response
+                      of the authorization server if it is provided. This field is only used when
+                      the expiry time is not provided by the authorization.
+
+
+                      If not specified, defaults to 0. In this case, the "expires_in" field in
+                      the authorization response must be set by the authorization server, or the
+                      OAuth flow will fail.
+                    type: string
                   logoutPath:
                     description: |-
                       The path to log a user out, clearing their credential cookies.
+
+
                       If not specified, uses a default logout path "/logout"
                     type: string
                   provider:
@@ -920,6 +950,16 @@ spec:
                       [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
                       If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
                     type: string
+                  refreshToken:
+                    description: |-
+                      RefreshToken indicates whether the Envoy should automatically refresh the
+                      id token and access token when they expire.
+                      When set to true, the Envoy will use the refresh token to get a new id token
+                      and access token when they expire.
+
+
+                      If not specified, defaults to false.
+                    type: boolean
                   resources:
                     description: |-
                       The OIDC resources to be used in the

diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
@@ -2373,7 +2373,7 @@ _Appears in:_
 | `scopes` | _string array_ |  false  | The OIDC scopes to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />The "openid" scope is always added to the list of scopes if not already<br />specified. |
 | `resources` | _string array_ |  false  | The OIDC resources to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
 | `redirectURL` | _string_ |  true  | The redirect URL to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
-| `logoutPath` | _string_ |  true  | The path to log a user out, clearing their credential cookies.<br />If not specified, uses a default logout path "/logout" |
+| `logoutPath` | _string_ |  true  | The path to log a user out, clearing their credential cookies.<br /><br />If not specified, uses a default logout path "/logout" |
 
 
 #### OIDCCookieNames