OAuth2

  • v3 API reference

  • This filter should be configured with the name envoy.filters.http.oauth2.

Attention

The OAuth2 filter is currently under active development.

Example configuration

http_filters:
- name: envoy.filters.http.oauth2
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3alpha.OAuth2
    token_endpoint:
      # Must match the name of a cluster defined under "clusters" below.
      cluster: auth
      uri: oauth.com/token
      timeout: 3s
    authorization_endpoint: https://oauth.com/oauth/authorize/
    redirect_uri: "%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback"
    redirect_path_matcher:
      path:
        exact: /callback
    signout_path:
      path:
        exact: /signout
    credentials:
      client_id: foo
      # Names of the secrets holding the OAuth client secret and the HMAC key.
      token_secret:
        name: token
      hmac_secret:
        name: hmac
    timeout: 3s
- name: envoy.router

clusters:
- name: service
  ...
- name: auth
  connect_timeout: 5s
  type: LOGICAL_DNS
  lb_policy: ROUND_ROBIN
  load_assignment:
    cluster_name: auth
    endpoints:
    - lb_endpoints:
      - endpoint:
          address: { socket_address: { address: auth.example.com, port_value: 443 }}
  tls_context: { sni: auth.example.com }

Notes

This module does not currently provide much Cross-Site-Request-Forgery protection for the redirect loop to the OAuth server and back.

The service must be served over HTTPS for this filter to work, because the filter sets its cookies with the ;secure attribute and browsers only send such cookies over HTTPS.

Statistics

The OAuth filter outputs statistics in the <stat_prefix>. namespace.

Name                      Type     Description
oauth_failure             Counter  Total requests that were denied.
oauth_success             Counter  Total requests that were allowed.
oauth_unauthorization_rq  Counter  Total unauthorized requests.
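
One way to turn the counters above into a detection signal, shown as an added example that is not part of Envoy or of the original page: it parses two scrapes in the `name: value` text format of Envoy's admin /stats output and flags any stat prefix whose share of denied requests jumped between them. The prefixes (`http.ingress`, `http.admin_ui`), the thresholds and both sample scrapes are constructed assumptions.

```python
# Added example, not Envoy code. Sample scrapes and thresholds are constructed.
OAUTH_COUNTERS = ("oauth_failure", "oauth_success", "oauth_unauthorization_rq")

def parse_oauth_stats(text):
    """Parse `name: value` lines into {stat_prefix: {counter: value}},
    keeping only the three OAuth2 filter counters."""
    stats = {}
    for line in text.splitlines():
        name, sep, value = line.strip().rpartition(": ")
        prefix, _, counter = name.rpartition(".")
        if sep and prefix and counter in OAUTH_COUNTERS and value.isdigit():
            stats.setdefault(prefix, {})[counter] = int(value)
    return stats

def delta(prev, curr):
    # Counters start again from zero after a restart; treat a decrease as a reset.
    return curr if curr < prev else curr - prev

def failure_alerts(prev_text, curr_text, max_ratio=0.2, min_requests=20):
    """Return {stat_prefix: ratio} where denied / (denied + allowed) between
    the two scrapes exceeds max_ratio, ignoring low-traffic prefixes."""
    prev, curr = parse_oauth_stats(prev_text), parse_oauth_stats(curr_text)
    alerts = {}
    for prefix, now in curr.items():
        before = prev.get(prefix, {})
        failed = delta(before.get("oauth_failure", 0), now.get("oauth_failure", 0))
        allowed = delta(before.get("oauth_success", 0), now.get("oauth_success", 0))
        total = failed + allowed
        if total >= min_requests and failed / total > max_ratio:
            alerts[prefix] = round(failed / total, 3)
    return alerts

SCRAPE_1 = """\
http.ingress.oauth_failure: 4
http.ingress.oauth_success: 310
http.ingress.oauth_unauthorization_rq: 52
http.admin_ui.oauth_failure: 1
http.admin_ui.oauth_success: 40
"""
SCRAPE_2 = """\
http.ingress.oauth_failure: 9
http.ingress.oauth_success: 395
http.ingress.oauth_unauthorization_rq: 70
http.admin_ui.oauth_failure: 46
http.admin_ui.oauth_success: 55
http.ingress.downstream_rq_total: 9000
"""

if __name__ == "__main__":
    print(failure_alerts(SCRAPE_1, SCRAPE_2))
```
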