OAuth2 Filter - Unexpected behaviour of forward_bearer_token #32566

Open
mustafacagataytulun opened this issue Feb 25, 2024 · 1 comment · May be fixed by #34156
@mustafacagataytulun

Title: OAuth2 Filter - Unexpected behaviour of forward_bearer_token

Description:
While using OAuth2 Filter, if we set forward_bearer_token to false, Envoy does not return BearerToken, IdToken, and RefreshToken cookies to the downstream.

The documentation says "if forward_bearer_token is set to true the filter will send over a cookie named BearerToken to the upstream". I expect that this field affects only forwarding to upstream. However, it seems that it also affects the downstream, since it does not set these cookies. It only sets OauthHMAC and OauthExpires cookies.

This behaviour also causes the OAuth2 filter to become unusable when combined with the JWT Auth filter and forward_bearer_token is set to false, because the JWT Auth filter cannot find any cookie for BearerToken or IdToken.

Repro steps:

  1. Generate a simple envoy.yaml configuration file with OAuth2 filter.
  2. Set forward_bearer_token to false.
  3. Try authenticating. The final response on callback endpoint will not have Set-Cookie response headers for BearerToken, IdToken, and RefreshToken.

Config:

http_filters:
- name: envoy.filters.http.oauth2
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
    config:
      token_endpoint:
        cluster: oauth
        uri: https://login.microsoftonline.com/********-****-****-****-************/oauth2/v2.0/token
        timeout: 3s
      authorization_endpoint: https://login.microsoftonline.com/********-****-****-****-************/oauth2/v2.0/authorize
      redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
      redirect_path_matcher:
        path:
          exact: /callback
      signout_path:
        path:
          exact: /signout
      credentials:
        client_id: ********-****-****-****-************
        token_secret:
          name: token
          sds_config:
            path_config_source:
              path: /etc/envoy/oauth-token-secret.yaml
        hmac_secret:
          name: hmac
          sds_config:
            path_config_source:
              path: /etc/envoy/oauth-hmac-secret.yaml
      auth_scopes:
      - offline_access
      - openid
      - profile
      resources: []
      use_refresh_token: true
      forward_bearer_token: false
      auth_type: basic_auth
@mustafacagataytulun added labels: bug, triage (Issue requires triage) on Feb 25, 2024
@mattklein123 added labels: help wanted (Needs help!), area/oauth; removed label: triage (Issue requires triage) on Feb 27, 2024
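A check for repro step 3, added here as an example and not part of the report or of Envoy: it parses the Set-Cookie headers of the callback response and lists which of the cookies the report names (OauthHMAC, OauthExpires, BearerToken, IdToken, RefreshToken) are absent. The HttpOnly/Secure check on the token cookies is an extra expectation assumed by the example, not something the report states, and all cookie values are constructed placeholders.

```python
# Added example, not Envoy's own code: audit the Set-Cookie headers returned by
# the OAuth2 filter's callback response (repro step 3) for the cookies named in
# the report. Cookie values below are constructed placeholders.

TOKEN_COOKIES = {"BearerToken", "IdToken", "RefreshToken"}
ALWAYS_EXPECTED = {"OauthHMAC", "OauthExpires", "BearerToken", "IdToken"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value|True})."""
    first, *rest = (part.strip() for part in header.split(";"))
    name, _, value = first.partition("=")
    attributes = {}
    for attr in rest:
        key, _, val = attr.partition("=")
        attributes[key.lower()] = val if val else True  # flag attrs map to True
    return name, value, attributes


def audit_callback_cookies(set_cookie_headers, use_refresh_token=True):
    """Return (missing, weak): expected cookies absent from the response, and
    token cookies set without both HttpOnly and Secure (assumed expectation)."""
    expected = set(ALWAYS_EXPECTED)
    if use_refresh_token:  # RefreshToken is only expected with use_refresh_token
        expected.add("RefreshToken")
    present = {}
    for header in set_cookie_headers:
        name, _, attributes = parse_set_cookie(header)
        present[name] = attributes
    missing = sorted(expected - set(present))
    weak = sorted(name for name, attrs in present.items()
                  if name in TOKEN_COOKIES
                  and not ("httponly" in attrs and "secure" in attrs))
    return missing, weak


# Constructed: what the report observes with forward_bearer_token: false
OBSERVED = [
    "OauthHMAC=c29tZWhtYWM=; path=/; HttpOnly; Secure",
    "OauthExpires=1708900000; path=/; HttpOnly; Secure",
]
# Constructed: the response the reporter expects (token cookies also set)
EXPECTED_RESPONSE = OBSERVED + [
    "BearerToken=access-token-placeholder; path=/; HttpOnly; Secure",
    "IdToken=id-token-placeholder; path=/; HttpOnly; Secure",
    "RefreshToken=refresh-token-placeholder; path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    print(audit_callback_cookies(OBSERVED))           # (['BearerToken', 'IdToken', 'RefreshToken'], [])
    print(audit_callback_cookies(EXPECTED_RESPONSE))  # ([], [])
```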
@derekargueta (Member)

Thanks for the report, this is a good find. I'll look at getting a fix in this week. @mattklein123 can assign this to me.
