OAuth

This extension may be referenced by the qualified name envoy.filters.http.oauth2

Note

This extension is functional but has not had substantial production burn time, use only with this caveat.

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension categories:

Warning

This API is work-in-progress and is subject to breaking changes.

OAuth configuration overview.

extensions.filters.http.oauth2.v3alpha.OAuth2Credentials

[extensions.filters.http.oauth2.v3alpha.OAuth2Credentials proto]

{
  "client_id": "...",
  "token_secret": "{...}",
  "hmac_secret": "{...}"
}
client_id

(string, REQUIRED) The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.

token_secret

(extensions.transport_sockets.tls.v3.SdsSecretConfig, REQUIRED) The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server.

hmac_secret

(extensions.transport_sockets.tls.v3.SdsSecretConfig, REQUIRED) If present, the secret token will be a HMAC using the provided secret.

Configures how the secret token should be created.

extensions.filters.http.oauth2.v3alpha.OAuth2Config

[extensions.filters.http.oauth2.v3alpha.OAuth2Config proto]

OAuth config

{
  "token_endpoint": "{...}",
  "authorization_endpoint": "...",
  "credentials": "{...}",
  "redirect_uri": "...",
  "redirect_path_matcher": "{...}",
  "signout_path": "{...}",
  "forward_bearer_token": "...",
  "pass_through_matcher": [],
  "auth_scopes": []
}
token_endpoint

(config.core.v3.HttpUri) Endpoint on the authorization server to retrieve the access token from.

authorization_endpoint

(string, REQUIRED) The endpoint redirect to for authorization in response to unauthorized requests.

credentials

(extensions.filters.http.oauth2.v3alpha.OAuth2Credentials, REQUIRED) Credentials used for OAuth.

redirect_uri

(string, REQUIRED) The redirect URI passed to the authorization endpoint. Supports header formatting tokens. For more information, including details on header value syntax, see the documentation on custom request headers.

This URI should not contain any query parameters.

redirect_path_matcher

(type.matcher.v3.PathMatcher, REQUIRED) Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.

signout_path

(type.matcher.v3.PathMatcher, REQUIRED) The path to sign a user out, clearing their credential cookies.

forward_bearer_token

(bool) Forward the OAuth token as a Bearer to upstream web service.

pass_through_matcher

(repeated config.route.v3.HeaderMatcher) Any request that matches any of the provided matchers will be passed through without OAuth validation.

auth_scopes

(repeated string) Optional list of OAuth scopes to be claimed in the authorization request. If not specified, defaults to “user” scope. OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3

extensions.filters.http.oauth2.v3alpha.OAuth2

[extensions.filters.http.oauth2.v3alpha.OAuth2 proto]

Filter config.

{
  "config": "{...}"
}
config

(extensions.filters.http.oauth2.v3alpha.OAuth2Config) Leave this empty to disable OAuth2 for a specific route, using per filter config.