Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Optionally override Oauth Cookie Names #3274

Merged
merged 7 commits into from
May 29, 2024
Merged

feat: Optionally override Oauth Cookie Names #3274

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
2bce575
Added ability to specifiy a cookieSuffix
sam-burrell Apr 25, 2024
1077aef
Allow override of OAuth cookie names
coro May 22, 2024
e58c466
Update Helm CRD docs
coro May 22, 2024
728ac57
Add testdata for custom cookie name overrides
coro May 23, 2024
24ad396
Fix regression tests to have accepted gateway
coro May 24, 2024
14e216c
Rename BearerToken to AccessToken
coro May 24, 2024
3d28ef9
Merge branch 'main' into main
coro May 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions api/v1alpha1/oidc_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,12 @@ type OIDC struct {
// +kubebuilder:validation:Required
ClientSecret gwapiv1b1.SecretObjectReference `json:"clientSecret"`

// The optional cookie name overrides to be used for Bearer and IdToken cookies in the
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
// If not specified, uses a randomly generated suffix
// +optional
CookieNames *OIDCCookieNames `json:"cookieNames,omitempty"`

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

or even idTokenName

// The OIDC scopes to be used in the
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
// The "openid" scope is always added to the list of scopes if not already
Expand Down Expand Up @@ -75,3 +81,17 @@ type OIDCProvider struct {
// +optional
TokenEndpoint *string `json:"tokenEndpoint,omitempty"`
}

// OIDCCookieNames defines the names of cookies to use in the Envoy OIDC filter.
type OIDCCookieNames struct {
// The name of the cookie used to store the AccessToken in the
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
// If not specified, defaults to "AccessToken-(randomly generated uid)"
// +optional
AccessToken *string `json:"accessToken,omitempty"`
// The name of the cookie used to store the IdToken in the
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
// If not specified, defaults to "IdToken-(randomly generated uid)"
// +optional
IDToken *string `json:"idToken,omitempty"`
}
30 changes: 30 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

19 changes: 19 additions & 0 deletions charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -849,6 +849,25 @@ spec:
required:
- name
type: object
cookieNames:
description: |-
The optional cookie name overrides to be used for Bearer and IdToken cookies in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses a randomly generated suffix
properties:
accessToken:
description: |-
The name of the cookie used to store the AccessToken in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, defaults to "AccessToken-(randomly generated uid)"
type: string
idToken:
description: |-
The name of the cookie used to store the IdToken in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, defaults to "IdToken-(randomly generated uid)"
type: string
type: object
logoutPath:
description: |-
The path to log a user out, clearing their credential cookies.
Expand Down
27 changes: 15 additions & 12 deletions internal/gatewayapi/securitypolicy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -589,7 +589,9 @@ func (t *Translator) buildOIDC(
logoutPath = *oidc.LogoutPath
}

// Generate a unique cookie suffix for oauth filters
// Generate a unique cookie suffix for oauth filters.
// This is to avoid cookie name collision when multiple security policies are applied
// to the same route.
suffix := utils.Digest32(string(policy.UID))

// Get the HMAC secret.
Expand All @@ -607,17 +609,18 @@ func (t *Translator) buildOIDC(
}

return &ir.OIDC{
Name: irConfigName(policy),
Provider: *provider,
ClientID: oidc.ClientID,
ClientSecret: clientSecretBytes,
Scopes: scopes,
Resources: oidc.Resources,
RedirectURL: redirectURL,
RedirectPath: redirectPath,
LogoutPath: logoutPath,
CookieSuffix: suffix,
HMACSecret: hmacData,
Name: irConfigName(policy),
Provider: *provider,
ClientID: oidc.ClientID,
ClientSecret: clientSecretBytes,
Scopes: scopes,
Resources: oidc.Resources,
RedirectURL: redirectURL,
RedirectPath: redirectPath,
LogoutPath: logoutPath,
CookieSuffix: suffix,
CookieNameOverrides: policy.Spec.OIDC.CookieNames,
HMACSecret: hmacData,
}, nil
}

Expand Down
73 changes: 73 additions & 0 deletions internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.in.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
secrets:
- apiVersion: v1
kind: Secret
metadata:
namespace: envoy-gateway
name: client1-secret
data:
client-secret: Y2xpZW50MTpzZWNyZXQK
- apiVersion: v1
kind: Secret
metadata:
namespace: envoy-gateway-system
name: envoy-oidc-hmac
data:
hmac-secret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY=
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: envoy-gateway
name: gateway-1
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-1
spec:
hostnames:
- www.example.com
parentRefs:
- namespace: envoy-gateway
name: gateway-1
sectionName: http
rules:
- matches:
- path:
value: "/foo"
backendRefs:
- name: service-1
port: 8080
securityPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: envoy-gateway
name: policy-for-gateway # This policy should attach httproute-2
uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
spec:
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: gateway-1
oidc:
provider:
issuer: "https://accounts.google.com"
clientID: "client1.apps.googleusercontent.com"
clientSecret:
name: "client1-secret"
redirectURL: "https://www.example.com/bar/oauth2/callback"
logoutPath: "/bar/logout"
cookieNames:
idToken: "CustomIdTokenCookie"
accessToken: "CustomAccessTokenCookie"
Loading
Loading