OAuth cookie configuration attributes.
The value used for the SameSite cookie attribute.
Configuration for the bearer token cookie.
Configuration for the OAuth HMAC cookie.
Configuration for the OAuth expires cookie.
Configuration for the ID token cookie.
Configuration for the refresh token cookie.
Configuration for the OAuth nonce cookie.
Configuration for the code verifier cookie.
Filter config.
Leave this empty to disable OAuth2 for a specific route, using per filter config.
OAuth config.
Endpoint on the authorization server to retrieve the access token from.
Specifies the retry policy for requests to the OAuth server. If not specified, then no retries will be performed.
The endpoint to redirect to for authorization in response to unauthorized requests.
Credentials used for OAuth.
The redirect URI passed to the authorization endpoint. Supports header formatting tokens. For more information, including details on header value syntax, see the documentation on :ref:`custom request headers <config_http_conn_man_headers_custom_request_headers>`. This URI should not contain any query parameters.
Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.
The path to sign a user out, clearing their credential cookies.
Forward the OAuth token as a Bearer to upstream web service.
If set to true, preserve the existing authorization header. By default the client strips the existing authorization header before forwarding upstream. Cannot be set to true if ``forward_bearer_token`` is already set to true. Default value is false.
Any request that matches any of the provided matchers will be passed through without OAuth validation.
Optional list of OAuth scopes to be claimed in the authorization request. If not specified, defaults to "user" scope. OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3
Optional resource parameter for authorization request RFC: https://tools.ietf.org/html/rfc8707
Defines how ``client_id`` and ``client_secret`` are sent in OAuth client to OAuth server requests. RFC https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
If set to true, allows automatic access token refresh using the associated refresh token (see `RFC 6749 section 6 <https://datatracker.ietf.org/doc/html/rfc6749#section-6>`_), provided that the OAuth server supports that. Default value is true.
The default lifetime in seconds of the access token, if omitted by the authorization server. If this value is not set, it will default to ``0s``. In this case, the expiry must be set by the authorization server or the OAuth flow will fail.
Any request that matches any of the provided matchers won't be redirected to OAuth server when tokens are not valid. Automatic access token refresh will be performed for these requests, if enabled. This behavior can be useful for AJAX requests.
The default lifetime in seconds of the refresh token, if the exp (expiration time) claim is omitted in the refresh token or the refresh token is not a JWT. If this value is not set, it will default to ``604800s``. In this case, the cookie with the refresh token will expire in a week. This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``default_expires_in`` is used.
If set to true, the client will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID Token is too large for HTTP cookies (longer than 4096 characters). Enabling this option only disables setting the cookie response header; the filter will still process incoming ID Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future sessions would not set the IdToken cookie header.
If set to true, the client will not set a cookie for Access Token even if one is received from the Identity Provider. Enabling this option only disables setting the cookie response header; the filter will still process incoming Access Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future sessions would not set the Access Token cookie header.
If set to true, the client will not set a cookie for Refresh Token even if one is received from the Identity Provider. Enabling this option only disables setting the cookie response header; the filter will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future sessions would not set the Refresh Token cookie header.
Controls for attributes that can be set on the cookies.
Optional additional prefix to use when emitting statistics.
The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body. This type should only be used when the authorization server does not support Basic authentication.
The ``client_id`` and ``client_secret`` will be sent using HTTP Basic authentication scheme.
The ``client_id`` to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.
The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server.
Configures how the secret token should be created.
If present, the secret token will be an HMAC using the provided secret.
The cookie names used in OAuth filters flow.
The domain to set the cookie on. If not set, the cookie will default to the host of the request, not including the subdomains. This is useful when token cookies need to be shared across multiple subdomains.
Cookie name to hold OAuth bearer token value. When the authentication server validates the client and returns an authorization token back to the OAuth filter, no matter what format that token is, if :ref:`forward_bearer_token <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Config.forward_bearer_token>` is set to true the filter will send over the bearer token as a cookie with this name to the upstream. Defaults to ``BearerToken``.
Cookie name to hold OAuth HMAC value. Defaults to ``OauthHMAC``.
Cookie name to hold OAuth expiry value. Defaults to ``OauthExpires``.
Cookie name to hold the id token. Defaults to ``IdToken``.
Cookie name to hold the refresh token. Defaults to ``RefreshToken``.
Cookie name to hold the nonce value. Defaults to ``OauthNonce``.
Cookie name to hold the PKCE code verifier. Defaults to ``OauthCodeVerifier``.
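A pre-deployment check for the constraints stated in the OAuth config field descriptions above, as an added example that is not part of the original reference or of Envoy itself. It assumes the filter config has been loaded from YAML into a dict; field and enum names not printed on this page (``redirect_uri``, ``preserve_authorization_header``, ``auth_type``, ``default_refresh_token_expires_in``, ``URL_ENCODED_BODY``, ``BASIC_AUTH``) are taken from Envoy's OAuth2 v3 proto, and both sample configs are constructed.

```python
def _seconds(duration):
    """Parse a protobuf Duration in its YAML/JSON form, e.g. '3600s'; unset -> 0."""
    return float(duration.rstrip("s")) if duration else 0.0


def lint_oauth2_config(cfg):
    """Return (field, message) findings for an OAuth2Config-shaped dict."""
    findings = []
    # The two header options are mutually exclusive.
    if cfg.get("forward_bearer_token") and cfg.get("preserve_authorization_header"):
        findings.append(("preserve_authorization_header",
                         "cannot be true while forward_bearer_token is true"))
    # redirect_uri may hold header formatting tokens, so only look for '?'.
    if "?" in cfg.get("redirect_uri", ""):
        findings.append(("redirect_uri", "should not contain query parameters"))
    # With 0s the authorization server must supply the expiry or the flow fails.
    if _seconds(cfg.get("default_expires_in")) == 0:
        findings.append(("default_expires_in",
                         "unset (0s): flow fails if the server omits the expiry"))
    # Body credentials are meant only for servers without Basic authentication.
    if cfg.get("auth_type", "URL_ENCODED_BODY") == "URL_ENCODED_BODY":
        findings.append(("auth_type",
                         "credentials sent in request body; prefer BASIC_AUTH "
                         "if the authorization server supports it"))
    # use_refresh_token defaults to true; the refresh lifetime is ignored otherwise.
    if (cfg.get("use_refresh_token", True) is False
            and "default_refresh_token_expires_in" in cfg):
        findings.append(("default_refresh_token_expires_in",
                         "ignored because use_refresh_token is false"))
    return findings


# Constructed sample configs (not taken from any real deployment).
RISKY = {
    "forward_bearer_token": True,
    "preserve_authorization_header": True,
    "redirect_uri": "https://app.example.com/callback?next=/home",
    "use_refresh_token": False,
    "default_refresh_token_expires_in": "86400s",
}
CLEAN = {
    "forward_bearer_token": True,
    "redirect_uri": "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback",
    "default_expires_in": "3600s",
    "auth_type": "BASIC_AUTH",
}

if __name__ == "__main__":
    for field, message in lint_oauth2_config(RISKY):
        print(f"{field}: {message}")
```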