oidc: preserve authorization header (#3567)

* oidc preserve authorization header

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* do not preserve the original authorization header if ForwardAccessToken is true

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Co-authored-by: zirain <zirain2009@gmail.com>

internal/xds/translator/oidc.go

@@ -115,6 +115,15 @@ func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) {
 			oidc.Provider.TokenEndpoint)
 	}
 
+	// Envoy OAuth2 filter deletes the HTTP authorization header by default, which surprises users.
+	preserveAuthorizationHeader := true
+
+	// If the user wants to forward the oauth2 access token to the upstream service,
+	// we should not preserve the original authorization header.
+	if oidc.ForwardAccessToken {
+		preserveAuthorizationHeader = false
+	}
+
 	oauth2 := &oauth2v3.OAuth2{
 		Config: &oauth2v3.OAuth2Config{
 			TokenEndpoint: &corev3.HttpUri{
@@ -172,6 +181,8 @@ func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) {
 			AuthType:   oauth2v3.OAuth2Config_BASIC_AUTH,
 			AuthScopes: oidc.Scopes,
 			Resources:  oidc.Resources,
+
+			PreserveAuthorizationHeader: preserveAuthorizationHeader,
 		},
 	}
 

internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml

@@ -133,6 +133,7 @@
                   sdsConfig:
                     ads: {}
                     resourceApiVersion: V3
+              preserveAuthorizationHeader: true
               redirectPathMatcher:
                 path:
                   exact: /foo/oauth2/callback

internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml

@@ -89,6 +89,7 @@
                   sdsConfig:
                     ads: {}
                     resourceApiVersion: V3
+              preserveAuthorizationHeader: true
               redirectPathMatcher:
                 path:
                   exact: /bar/oauth2/callback