Use clientID instead of redirectURL for the cookie suffix

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
envoyproxy · Apr 23, 2024 · dcafbdf · dcafbdf
1 parent 7087045
commit dcafbdf
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 8 deletions.
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -589,18 +589,17 @@ func (t *Translator) buildOIDC(
 	}
 
 	// Generate a unique cookie suffix for oauth filters
-	// We use the digest of the redirect URL to generate the cookie suffix so that
-	// multiple OIDC configurations with the same redirect URL will have the same
+	// We use the digest of the clientID to generate the cookie suffix so that
+	// multiple OIDC configurations with the same clientID will have the same
 	// cookie suffix. This allows us to share the same cookies across multiple
-	// oauth filters at multiple routes. Once users log in at one route, they will
-	// be able to access other routes with the same OIDC redirect URL (the same
-	// OIDC clientID) without logging in again.
+	// oauth filters on multiple routes. Once users log in at one route, they will
+	// be able to access other routes with the same OIDC clientID without logging in again.
 	//
 	// zhaohuabing: This is a workaround to allow multiple routes to share the same OIDC configuration.
 	// We should change this back to use policy UID after Gateway API supports
 	// targeting a policy to multiple routes.
 	// See https://github.com/kubernetes-sigs/gateway-api/discussions/2927#discussioncomment-8991869
-	suffix := utils.Digest32(*oidc.RedirectURL)
+	suffix := utils.Digest32(oidc.ClientID)
 
 	// Get the HMAC secret
 	// HMAC secret is generated by the CertGen job and stored in a secret

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
@@ -261,7 +261,7 @@ xdsIR:
           oidc:
             clientID: client2.oauth.foo.com
             clientSecret: Y2xpZW50MTpzZWNyZXQK
-            cookieSuffix: 7f4620b9
+            cookieSuffix: "89361954"
             hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY=
             logoutPath: /foo/logout
             name: securitypolicy/default/policy-for-http-route
@@ -299,7 +299,7 @@ xdsIR:
           oidc:
             clientID: client1.apps.googleusercontent.com
             clientSecret: Y2xpZW50MTpzZWNyZXQK
-            cookieSuffix: d3d6eea4
+            cookieSuffix: 12fb2395
             hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY=
             logoutPath: /bar/logout
             name: securitypolicy/envoy-gateway/policy-for-gateway