envoyproxy · zhaohuabing · Feb 22, 2024 · Feb 20, 2024 · Feb 21, 2024 · Feb 21, 2024
@@ -502,6 +502,7 @@ func (t *Translator) buildOIDC(
 		RedirectURL:  redirectURL,
 		RedirectPath: redirectPath,
 		LogoutPath:   logoutPath,
+		CookieSuffix: fmt.Sprintf("%s-%s", policy.Namespace, policy.Name),
 	}, nil
 }
 

@@ -230,6 +230,7 @@ xdsIR:
         oidc:
           clientID: client2.oauth.foo.com
           clientSecret: Y2xpZW50MTpzZWNyZXQK
+          cookieSuffix: default-policy-for-http-route
           logoutPath: /foo/logout
           provider:
             authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
@@ -261,6 +262,7 @@ xdsIR:
         oidc:
           clientID: client1.apps.googleusercontent.com
           clientSecret: Y2xpZW50MTpzZWNyZXQK
+          cookieSuffix: envoy-gateway-policy-for-gateway-discover-endpoints
           logoutPath: /bar/logout
           provider:
             authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth

@@ -521,6 +521,12 @@ type OIDC struct {
 
 	// The path to log a user out, clearing their credential cookies.
 	LogoutPath string `json:"logoutPath,omitempty"`
+
+	// CookieSuffix will be added to the name of the cookies set by the oauth filter.
+	// Adding a suffix avoids multiple oauth filters from overwriting each other's cookies.
+	// These cookies are set by the oauth filter, including: BearerToken,
+	// OauthHMAC, OauthExpires, IdToken, and RefreshToken.
+	CookieSuffix string `json:"cookieSuffix,omitempty"`
 }
 
 type OIDCProvider struct {

@@ -151,6 +151,13 @@ func oauth2Config(route *ir.HTTPRoute) (*oauth2v3.OAuth2, error) {
 						SdsConfig: makeConfigSource(),
 					},
 				},
+				CookieNames: &oauth2v3.OAuth2Credentials_CookieNames{
+					BearerToken:  fmt.Sprintf("BearerToken-%s", route.OIDC.CookieSuffix),
+					OauthHmac:    fmt.Sprintf("OauthHMAC-%s", route.OIDC.CookieSuffix),
+					OauthExpires: fmt.Sprintf("OauthExpires-%s", route.OIDC.CookieSuffix),
+					IdToken:      fmt.Sprintf("IdToken-%s", route.OIDC.CookieSuffix),
+					RefreshToken: fmt.Sprintf("RefreshToken-%s", route.OIDC.CookieSuffix),
+				},
 			},
 			// every OIDC provider supports basic auth
 			AuthType:   oauth2v3.OAuth2Config_BASIC_AUTH,

@@ -31,6 +31,7 @@ http:
       redirectURL: "https://www.example.com/foo/oauth2/callback"
       redirectPath: "/foo/oauth2/callback"
       logoutPath: "/foo/logout"
+      cookieSuffix: "default-security-policy-foo"
   - name: "second-route"
     hostname: "*"
     pathMatch:
@@ -54,3 +55,4 @@ http:
       redirectURL: "https://www.example.com/bar/oauth2/callback"
       redirectPath: "/bar/oauth2/callback"
       logoutPath: "/bar/logout"
+      cookieSuffix: "default-security-policy-bar"
@@ -26,6 +26,12 @@
               authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
               credentials:
                 clientId: client.oauth.foo.com
+                cookieNames:
+                  bearerToken: BearerToken-default-security-policy-foo
+                  idToken: IdToken-default-security-policy-foo
+                  oauthExpires: OauthExpires-default-security-policy-foo
+                  oauthHmac: OauthHMAC-default-security-policy-foo
+                  refreshToken: RefreshToken-default-security-policy-foo
                 hmacSecret:
                   name: first-route/oauth2/hmac_secret
                   sdsConfig:
@@ -60,6 +66,12 @@
               authorizationEndpoint: https://oauth.bar.com/oauth2/v2/auth
               credentials:
                 clientId: client.oauth.bar.com
+                cookieNames:
+                  bearerToken: BearerToken-default-security-policy-bar
+                  idToken: IdToken-default-security-policy-bar
+                  oauthExpires: OauthExpires-default-security-policy-bar
+                  oauthHmac: OauthHMAC-default-security-policy-bar
+                  refreshToken: RefreshToken-default-security-policy-bar
                 hmacSecret:
                   name: second-route/oauth2/hmac_secret
                   sdsConfig: