From 7f2038fdba662c2de9a3fb4139800c24ecc875b6 Mon Sep 17 00:00:00 2001
From: Huabing Zhao
Date: Fri, 31 May 2024 15:03:07 -0700
Subject: [PATCH] API: add more oidc configuration settings (#3423)

* add more oidc configuration settings

Signed-off-by: huabing zhao

* add more comments

Signed-off-by: huabing zhao

* add more comments

Signed-off-by: huabing zhao

* address comments

Signed-off-by: huabing zhao

* minor wording

Signed-off-by: huabing zhao

* change naming

Signed-off-by: huabing zhao

* change naming

Signed-off-by: huabing zhao

* fix gen check

Signed-off-by: huabing zhao

* change naming

Signed-off-by: Huabing Zhao

---------

Signed-off-by: huabing zhao
Signed-off-by: Huabing Zhao
---
 api/v1alpha1/oidc_types.go | 42 +++++++++++++++++++
 api/v1alpha1/zz_generated.deepcopy.go | 20 +++++++++
 ...ateway.envoyproxy.io_securitypolicies.yaml | 40 ++++++++++++++++++
 site/content/en/latest/api/extension_types.md | 2 +-
 4 files changed, 103 insertions(+), 1 deletion(-)

diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go
index b1de7097f86..9aa03837157 100644
--- a/api/v1alpha1/oidc_types.go
+++ b/api/v1alpha1/oidc_types.go
@@ -6,6 +6,7 @@ package v1alpha1
 import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 )
@@ -54,8 +55,49 @@ type OIDC struct {
 RedirectURL *string `json:"redirectURL,omitempty"`
 // The path to log a user out, clearing their credential cookies.
+ //
 // If not specified, uses a default logout path "/logout"
 LogoutPath *string `json:"logoutPath,omitempty"`
+
+ // ForwardAccessToken indicates whether the Envoy should forward the access token
+ // via the Authorization header Bearer scheme to the upstream.
+ // If not specified, defaults to false.
+ // +optional
+ // +notImplementedHide
+ ForwardAccessToken *bool `json:"ForwardAccessToken,omitempty"`
+
+ // DefaultTokenTTL is the default lifetime of the id token and access token.
+ // Please note that Envoy will always use the expiry time from the response
+ // of the authorization server if it is provided. This field is only used when
+ // the expiry time is not provided by the authorization.
+ //
+ // If not specified, defaults to 0. In this case, the "expires_in" field in
+ // the authorization response must be set by the authorization server, or the
+ // OAuth flow will fail.
+ //
+ // +optional
+ // +notImplementedHide
+ DefaultTokenTTL *metav1.Duration `json:"defaultTokenTTL,omitempty"`
+
+ // RefreshToken indicates whether the Envoy should automatically refresh the
+ // id token and access token when they expire.
+ // When set to true, the Envoy will use the refresh token to get a new id token
+ // and access token when they expire.
+ //
+ // If not specified, defaults to false.
+ // +optional
+ // +notImplementedHide
+ RefreshToken *bool `json:"refreshToken,omitempty"`
+
+ // DefaultRefreshTokenTTL is the default lifetime of the refresh token.
+ // This field is only used when the exp (expiration time) claim is omitted in
+ // the refresh token or the refresh token is not JWT.
+ //
+ // If not specified, defaults to 604800s (one week).
+ // Note: this field is only applicable when the "refreshToken" field is set to true.
+ // +optional
+ // +notImplementedHide
+ DefaultRefreshTokenTTL *metav1.Duration `json:"defaultRefreshTokenTTL,omitempty"`
 }
 // OIDCProvider defines the OIDC Provider configuration.
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 067267b074f..490ecf5f703 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -3265,6 +3265,26 @@ func (in *OIDC) DeepCopyInto(out *OIDC) {
 *out = new(string)
 **out = **in
 }
+ if in.ForwardAccessToken != nil {
+ in, out := &in.ForwardAccessToken, &out.ForwardAccessToken
+ *out = new(bool)
+ **out = **in
+ }
+ if in.DefaultTokenTTL != nil {
+ in, out := &in.DefaultTokenTTL, &out.DefaultTokenTTL
+ *out = new(v1.Duration)
+ **out = **in
+ }
+ if in.RefreshToken != nil {
+ in, out := &in.RefreshToken, &out.RefreshToken
+ *out = new(bool)
+ **out = **in
+ }
+ if in.DefaultRefreshTokenTTL != nil {
+ in, out := &in.DefaultRefreshTokenTTL, &out.DefaultRefreshTokenTTL
+ *out = new(v1.Duration)
+ **out = **in
+ }
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDC.
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 30e1b5ffb07..145b84b3e18 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -811,6 +811,12 @@ spec:
 description: OIDC defines the configuration for the OpenID Connect (OIDC) authentication.
 properties:
+ ForwardAccessToken:
+ description: |-
+ ForwardAccessToken indicates whether the Envoy should forward the access token
+ via the Authorization header Bearer scheme to the upstream.
+ If not specified, defaults to false.
+ type: boolean
 clientID:
 description: |-
 The client ID to be used in the OIDC
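Review bot: The JSON tag on the new ForwardAccessToken field is `json:"ForwardAccessToken,omitempty"`, which breaks the lowerCamelCase convention of every sibling field (`logoutPath`, `defaultTokenTTL`, `refreshToken`, `defaultRefreshTokenTTL`) and is what surfaces a capitalized `ForwardAccessToken` property in the generated CRD; renaming it after users have written it into v1alpha1 manifests is a breaking change, so the tag should become `json:"forwardAccessToken,omitempty"` now, with the deepcopy and CRD regenerated. The doc comment on that field should also name the trust boundary it crosses, because the forwarded bearer token is a live credential for whatever receives it: add `// Enabling this sends the user's access token to every backend the targeted routes reach, so those upstreams must be trusted with it.` Neither DefaultTokenTTL nor DefaultRefreshTokenTTL carries a validation marker, so a negative or zero `metav1.Duration` is accepted by the API server as written; a `+kubebuilder:validation:` constraint on the accepted values (or a comment stating how such values are treated) would keep the CRD self-describing. The OIDC struct this hunk extends begins above the hunk.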
@@ -885,9 +891,33 @@ spec:
 If not specified, defaults to "IdToken-(randomly generated uid)"
 type: string
 type: object
+ defaultRefreshTokenTTL:
+ description: |-
+ DefaultRefreshTokenTTL is the default lifetime of the refresh token.
+ This field is only used when the exp (expiration time) claim is omitted in
+ the refresh token or the refresh token is not JWT.
+
+
+ If not specified, defaults to 604800s (one week).
+ Note: this field is only applicable when the "refreshToken" field is set to true.
+ type: string
+ defaultTokenTTL:
+ description: |-
+ DefaultTokenTTL is the default lifetime of the id token and access token.
+ Please note that Envoy will always use the expiry time from the response
+ of the authorization server if it is provided. This field is only used when
+ the expiry time is not provided by the authorization.
+
+
+ If not specified, defaults to 0. In this case, the "expires_in" field in
+ the authorization response must be set by the authorization server, or the
+ OAuth flow will fail.
+ type: string
 logoutPath:
 description: |-
 The path to log a user out, clearing their credential cookies.
+
+
 If not specified, uses a default logout path "/logout"
 type: string
 provider:
@@ -920,6 +950,16 @@ spec:
 [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
 type: string
+ refreshToken:
+ description: |-
+ RefreshToken indicates whether the Envoy should automatically refresh the
+ id token and access token when they expire.
+ When set to true, the Envoy will use the refresh token to get a new id token
+ and access token when they expire.
+
+
+ If not specified, defaults to false.
+ type: boolean
 resources:
 description: |-
 The OIDC resources to be used in the
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index cdf2d5d3def..f0a558f94a2 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -2373,7 +2373,7 @@ _Appears in:_
 | `scopes` | _string array_ | false | The OIDC scopes to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if not already
specified. |
 | `resources` | _string array_ | false | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
 | `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
-| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.
If not specified, uses a default logout path "/logout" |
+| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.

If not specified, uses a default logout path "/logout" |
 #### OIDCCookieNames