syntax = "proto3";
package envoy.extensions.filters.http.oauth2.v3;
import "envoy/config/core/v3/http_uri.proto";
import "envoy/config/route/v3/route_components.proto";
import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
import "envoy/type/matcher/v3/path.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.filters.http.oauth2.v3";
option java_outer_classname = "OauthProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/oauth2/v3;oauth2v3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: OAuth]
// OAuth :ref:`configuration overview <config_http_filters_oauth>`.
// [#extension: envoy.filters.http.oauth2]
//
// Client credentials and cookie naming for the OAuth2 filter.
//
// Both secrets are referenced through SDS (``SdsSecretConfig``), i.e. the config carries a
// reference to a secret rather than the secret bytes themselves, which is what allows them to be
// rotated without re-pushing this message.
message OAuth2Credentials {
  // [#next-free-field: 6]
  //
  // Names of the cookies the filter writes to / reads from the user agent. Every name is
  // validated as an HTTP header/token name; an empty string is *not* a validation error
  // (``ignore_empty``) and means "use the documented default".
  message CookieNames {
    // Cookie name to hold OAuth bearer token value. When the authentication server validates the
    // client and returns an authorization token back to the OAuth filter, no matter what format
    // that token is, if :ref:`forward_bearer_token <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Config.forward_bearer_token>`
    // is set to true the filter will send over the bearer token as a cookie with this name to the
    // upstream. Defaults to ``BearerToken``.
    //
    // NOTE(review): this cookie holds the access token itself, so the cookie attributes the
    // filter applies to it (HttpOnly/Secure/SameSite) are what keep the token away from page
    // scripts and plaintext transports. Those attributes are not configurable here; confirm how
    // the filter implementation sets them before relying on them.
    string bearer_token = 1
        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
    // Cookie name to hold OAuth HMAC value. Defaults to ``OauthHMAC``.
    //
    // NOTE(review): the value stored under this name is produced with ``hmac_secret`` below;
    // presumably it is what the filter verifies before trusting the other cookies -- confirm
    // against the filter implementation.
    string oauth_hmac = 2
        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
    // Cookie name to hold OAuth expiry value. Defaults to ``OauthExpires``.
    string oauth_expires = 3
        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
    // Cookie name to hold the id token. Defaults to ``IdToken``.
    string id_token = 4
        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
    // Cookie name to hold the refresh token. Defaults to ``RefreshToken``.
    // Only meaningful when
    // :ref:`use_refresh_token <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Config.use_refresh_token>`
    // is enabled; a refresh token is long-lived, so the same cookie-attribute caveat as for
    // ``bearer_token`` applies.
    string refresh_token = 5
        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
  }
  // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.
  // Validation rejects an empty client id.
  string client_id = 1 [(validate.rules).string = {min_len: 1}];
  // The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server.
  // Required. This is the OAuth ``client_secret``; it is sent to the authorization server according
  // to :ref:`auth_type <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Config.auth_type>`.
  transport_sockets.tls.v3.SdsSecretConfig token_secret = 2
      [(validate.rules).message = {required: true}];
  // Configures how the secret token should be created.
  // Exactly one member must be set (``validate.required`` on the oneof); today HMAC is the only
  // option, the oneof leaves room for other schemes without breaking the wire format.
  oneof token_formation {
    option (validate.required) = true;
    // If present, the secret token will be a HMAC using the provided secret.
    //
    // NOTE(review): this key is what makes the ``oauth_hmac`` cookie trustworthy; anyone holding
    // it can presumably produce cookies the filter accepts. Generate it randomly with adequate
    // length, keep it distinct from ``token_secret``, and rotate it through SDS.
    transport_sockets.tls.v3.SdsSecretConfig hmac_secret = 3
        [(validate.rules).message = {required: true}];
  }
  // The cookie names used in OAuth filters flow.
  // Optional; when unset, or for any name left empty, the defaults documented on
  // ``CookieNames`` apply.
  CookieNames cookie_names = 4;
}
// OAuth config
//
// Top-level settings for one OAuth2 filter instance: where the user is sent to log in, where the
// filter exchanges the result for tokens, which paths and cookies the filter owns, and which
// requests bypass it or are exempt from redirects.
//
// [#next-free-field: 16]
message OAuth2Config {
  // How the client credentials are presented to the authorization server's token endpoint
  // (RFC 6749 section 2.3.1).
  enum AuthType {
    // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
    // This type should only be used when Auth server does not support Basic authentication.
    //
    // NOTE(review): this is the proto3 zero value, so it is also what an unset ``auth_type``
    // means. Set ``BASIC_AUTH`` explicitly whenever the authorization server supports it.
    URL_ENCODED_BODY = 0;
    // The ``client_id`` and ``client_secret`` will be sent using HTTP Basic authentication scheme.
    BASIC_AUTH = 1;
  }
  // Endpoint on the authorization server to retrieve the access token from.
  // This is the token-exchange target the filter itself talks to; contrast with
  // ``authorization_endpoint``, which is where the user agent is redirected.
  config.core.v3.HttpUri token_endpoint = 1;
  // The endpoint the user agent is redirected to for authorization in response to unauthorized
  // requests. Must be non-empty.
  string authorization_endpoint = 2 [(validate.rules).string = {min_len: 1}];
  // Credentials used for OAuth. Required.
  OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}];
  // The redirect URI passed to the authorization endpoint. Supports header formatting
  // tokens. For more information, including details on header value syntax, see the
  // documentation on :ref:`custom request headers <config_http_conn_man_headers_custom_request_headers>`.
  //
  // This URI should not contain any query parameters.
  //
  // NOTE(review): header formatting tokens expand request headers, which the client controls
  // unless a trusted edge sets them. If this value is built from such a header (``Host`` is the
  // usual case), the authorization server's registered redirect-URI allowlist is the control
  // that stops an attacker-chosen host from receiving the authorization code; make sure that
  // allowlist is exact rather than prefix/wildcard based.
  string redirect_uri = 4 [(validate.rules).string = {min_len: 1}];
  // Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.
  // Required. This is the callback path the authorization server sends the user agent back to,
  // so it should agree with the path component of ``redirect_uri``.
  type.matcher.v3.PathMatcher redirect_path_matcher = 5
      [(validate.rules).message = {required: true}];
  // The path to sign a user out, clearing their credential cookies. Required.
  type.matcher.v3.PathMatcher signout_path = 6 [(validate.rules).message = {required: true}];
  // Forward the OAuth token as a Bearer to upstream web service.
  // The cookie name used is
  // :ref:`bearer_token <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Credentials.CookieNames.bearer_token>`.
  //
  // NOTE(review): when true, upstreams behind this filter receive the user's access token;
  // leave it false unless the upstream genuinely needs to call a resource server on the
  // user's behalf.
  bool forward_bearer_token = 7;
  // Any request that matches any of the provided matchers will be passed through without OAuth validation.
  //
  // NOTE(review): these are ``HeaderMatcher``s evaluated on the incoming request, and request
  // headers are client-controlled unless a trusted hop in front of Envoy strips or sets them.
  // A matcher on a header the client can supply is therefore an authentication bypass for this
  // filter. Match only on headers that are guaranteed to be set (or removed) by a trusted hop,
  // and review this list whenever it changes.
  repeated config.route.v3.HeaderMatcher pass_through_matcher = 8;
  // Optional list of OAuth scopes to be claimed in the authorization request. If not specified,
  // defaults to "user" scope.
  // OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3
  repeated string auth_scopes = 9;
  // Optional resource parameter for authorization request
  // RFC: https://tools.ietf.org/html/rfc8707
  repeated string resources = 10;
  // Defines how ``client_id`` and ``client_secret`` are sent in OAuth client to OAuth server requests.
  // RFC https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
  // Defaults to ``URL_ENCODED_BODY`` (the zero value); ``defined_only`` rejects unknown enum
  // numbers at validation time.
  AuthType auth_type = 11 [(validate.rules).enum = {defined_only: true}];
  // If set to true, allows automatic access token refresh using the associated refresh token (see
  // `RFC 6749 section 6 <https://datatracker.ietf.org/doc/html/rfc6749#section-6>`_), provided that the OAuth server supports that.
  // Default value is false.
  // Wrapped in ``BoolValue`` so that "unset" is distinguishable from an explicit ``false``.
  google.protobuf.BoolValue use_refresh_token = 12;
  // The default lifetime in seconds of the access token, if omitted by the authorization server.
  //
  // If this value is not set, it will default to ``0s``. In this case, the expiry must be set by
  // the authorization server or the OAuth flow will fail.
  //
  // NOTE(review): this is the lifetime the filter will honour for tokens the server did not
  // time-bound, so it is effectively a session-length policy; keep it short.
  google.protobuf.Duration default_expires_in = 13;
  // Any request that matches any of the provided matchers won't be redirected to OAuth server when tokens are not valid.
  // Automatic access token refresh will be performed for these requests, if enabled.
  // This behavior can be useful for AJAX requests.
  //
  // These are request ``HeaderMatcher``s like ``pass_through_matcher`` and are spoofable in the
  // same way; the consequence here is only that an unauthenticated matching request is not
  // redirected (what is returned instead is not specified by this message).
  repeated config.route.v3.HeaderMatcher deny_redirect_matcher = 14;
  // The default lifetime in seconds of the refresh token, if the exp (expiration time) claim is omitted in the refresh token or the refresh token is not JWT.
  //
  // If this value is not set, it will default to ``604800s``. In this case, the cookie with the refresh token will be expired
  // in a week.
  // This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``default_expires_in`` is used.
  google.protobuf.Duration default_refresh_token_expires_in = 15;
}
// Filter config.
//
// Wrapper used both as the listener-level filter config and as the per-route override.
message OAuth2 {
  // Leave this empty to disable OAuth2 for a specific route, using per filter config.
  //
  // NOTE(review): because "unset" means "disabled" at route level, an accidentally empty
  // per-route ``OAuth2`` silently turns authentication off for that route. Treat any per-route
  // override of this filter as a security-relevant change and review it as such.
  OAuth2Config config = 1;
}