oauth2: make ID token cookie expiration configurable#44949
Open
jmsadair wants to merge 4 commits into
Signed-off-by: James Adair <jadair@netflix.com>
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to
Member
@wbpcode we have been internally exercising this code path and logic for a very long time - can you take a look?
added 2 commits
May 9, 2026 19:04
Signed-off-by: James Adair <jadair@netflix.com>
Contributor
/wait
Member
ping @wbpcode
wbpcode
reviewed
May 14, 2026
Comment on lines +307 to +313
|
|
||
| // If set to true, the expiration time for the ID token cookie will always be derived from the | ||
| // ``expires_in`` field of the access token response rather than from the ``exp`` claim in the | ||
| // ID token JWT. This is useful when the access token response advertises a longer lifetime than | ||
| // the ID token and you want the ID token cookie to remain valid for that full duration. | ||
| // Default is false (use the ID token's own ``exp`` claim when available). | ||
| bool use_access_token_expiry_for_id_token_cookie = 28; |
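Review bot: The field comment (lines +307 to +312) does not say that setting this to true lets the cookie outlive the token it carries: the cookie lifetime changes, but the JWT's own ``exp`` claim does not, so once ``exp`` passes the browser keeps sending an ID token that any verifier checking ``exp`` will reject. Suggest adding a sentence stating that this option only changes the cookie lifetime and does not extend the token's validity. The comment also says the expiry will "always be derived from the ``expires_in`` field" without stating what happens when the token response carries no ``expires_in``; document the fallback for that case, as the default branch does with "when available".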
Member
I'm inclined to think this is an unexpected hack because we should respect the exp in the JWT. That's why JWT has exp.
cc @zhaohuabing as oauth2 expert.
Member
/wait-any
Commit Message: oauth2: make ID token cookie expiration configurable
Additional Description: Adds a use_access_token_expiry_for_id_token_cookie to OAuth2Config. When true, the expiration time for the ID token cookie will always be derived from the access token response expires_in value rather than from the exp claim in the ID token JWT. This is useful when the access token response advertises a longer lifetime than the ID token and you want the ID token cookie to remain valid for the full duration.
Risk Level: low
Testing: unit test
Docs Changes: inline protobuf documentation added for new field
Release Notes: added
Platform Specific Features: N/A