oauth2: add allowed_redirect_domains and original_request_uri

Adds two new fields to the OAuth2 filter config:

* `original_request_uri`: an optional formatter-supported base URI used to
  build the original request URL that is encoded into the OAuth2 `state`
  parameter. Useful when Envoy sits behind a gateway that terminates the
  user-facing hostname, so the post-authentication redirect uses the public
  host rather than Envoy's internal `:authority`.

* `allowed_redirect_domains`: an optional case-insensitive allow-list
  (exact match or `*.` wildcard) applied to the host of the formatted
  `redirect_uri`, the formatted `original_request_uri`, and the URL decoded
  from the `state` parameter on callback. Mitigates open-redirect attacks
  via injected `x-forwarded-host` headers or forged `state` values. Empty
  list (default) disables the check for backward compatibility.

The formatted `redirect_uri` and `original_request_uri` are now also
required to be parseable absolute URLs: an unparseable template output is
rejected with 401 rather than silently passing through the allow-list.
Authority parsing uses `Http::Utility::parseAuthority` so IPv6 literals
are handled consistently.

Signed-off-by: Mohammed Shetaya <mohammed.shetaya@procore.com>

Author: MohammedShetaya

api/envoy/extensions/filters/http/oauth2/v3/oauth.proto

@@ -151,7 +151,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 28]
+// [#next-free-field: 30]
 message OAuth2Config {
   enum AuthType {
     // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -304,6 +304,44 @@ message OAuth2Config {
   // Note: If a request matches pass_through_matcher, it bypasses OAuth validation and this matcher won't be evaluated.
   // This matcher takes precedence over deny_redirect_matcher.
   repeated config.route.v3.HeaderMatcher allow_failed_matcher = 27;
+
+  // Optional base URI (scheme + host, e.g. ``https://app.example.com``) used to build the
+  // original request URI that is encoded into the OAuth2 ``state`` parameter.
+  // This URI will be used later to redirect users on a successful OAuth.
+  //
+  // This is useful when Envoy sits behind a gateway or load balancer that terminates the
+  // user-facing hostname: In that case, the post-authentication redirect derived from ``state`` would
+  // send the user to an internal host they didn't request.
+  //
+  // Supports request header formatting tokens.
+  //
+  // Example:
+  //
+  //    original_request_uri: "%REQ(x-forwarded-proto?:scheme)%://%REQ(x-forwarded-host?:authority)%"
+  //
+  // If not set, defaults to ``<:scheme>://<:authority>`` of the incoming request.
+  string original_request_uri = 28;
+
+  // Optional list of domains that are allowed as
+  // 1. redirect_uri: which is what the IdP calls after OAuth
+  // 2. original_request_uri: the one extracted from the state of an OAuth callback (where should the request go after OAuth)
+  //
+  // This mitigates:
+  // - injecting a malicious x-forwarded-host or any header that is used to template the redirect urls
+  // - open redirect attacks where an attacker crafts a ``state`` value pointing to an untrusted host.
+  //
+  // Each entry is matched against the host (with any port stripped) extracted from the
+  // formatted ``redirect_uri``, the formatted ``original_request_uri``, and the URL decoded from
+  // the ``state`` parameter on callback. Matching is case-insensitive and supports two forms:
+  //
+  // * Exact match, e.g. ``example.com`` matches only ``example.com``.
+  // * Wildcard subdomain match using a leading ``*.``, e.g. ``*.example.com`` matches
+  //   ``foo.example.com`` and ``bar.baz.example.com`` but not ``example.com`` itself.
+  //
+  // IPv6 literals must be configured without surrounding brackets (e.g. ``::1``, not ``[::1]``).
+  //
+  // If this list is empty (the default), all hosts are allowed and no validation is performed.
+  repeated string allowed_redirect_domains = 29;
 }
 
 // Per-route OAuth2 config.

changelogs/current.yaml

@@ -18,6 +18,23 @@ removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
 
 new_features:
+- area: oauth2
+  change: |
+    Added :ref:`original_request_uri
+    <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Config.original_request_uri>`
+    to let the OAuth2 filter derive the post-authentication redirect URL from formatter tokens
+    (e.g. ``x-forwarded-proto``/``x-forwarded-host``) when Envoy sits behind a gateway that
+    terminates the user-facing hostname.
+- area: oauth2
+  change: |
+    Added :ref:`allowed_redirect_domains
+    <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Config.allowed_redirect_domains>`
+    to restrict the host of the formatted ``redirect_uri``, the formatted
+    ``original_request_uri``, and the URL decoded from the OAuth2 ``state`` parameter to an
+    explicit allow-list (exact match or ``*.`` wildcard). Requests with out-of-list hosts are
+    rejected with 401. Empty list (default) disables the check for backward compatibility.
+    Formatter output that is not a parseable absolute URL is now also rejected with 401 instead
+    of silently passing through.
 - area: dynamic_modules
   change: |
     Added ``envoy_dynamic_module_callback_is_validation_mode`` ABI callback that allows dynamic

source/extensions/filters/http/oauth2/filter.cc

@@ -302,6 +302,34 @@ std::string generateCodeChallenge(const std::string& code_verifier) {
   return Base64Url::encode(sha256_string.data(), sha256_string.size());
 }
 
+bool isHostAllowedDomain(absl::string_view host, const std::vector<std::string>& allowed_domains) {
+  if (allowed_domains.empty()) {
+    return true;
+  }
+
+  // Strip port and any IPv6 brackets via the shared authority parser so that "example.com:8080",
+  // "[::1]:443" and bare "[::1]" all normalize consistently. For IPv6 literals that are
+  // recognized as IP addresses, parseAuthority returns the host without brackets, so allow-list
+  // entries for IPv6 must also be written without brackets (e.g. "::1", not "[::1]").
+  const absl::string_view hostname = Http::Utility::parseAuthority(host).host_;
+
+  for (const auto& domain : allowed_domains) {
+    if (absl::StartsWith(domain, "*.")) {
+      // Wildcard match: "*.example.com" matches "foo.example.com"
+      absl::string_view suffix = absl::string_view(domain).substr(1);
+      if (absl::EndsWith(hostname, suffix) && hostname.size() > suffix.size()) {
+        return true;
+      }
+    } else {
+      // Exact match
+      if (absl::EqualsIgnoreCase(hostname, domain)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
 /**
  * Encodes the state parameter for the OAuth2 flow.
  * The state parameter is a base64Url encoded JSON object containing the original request URL, a
@@ -456,6 +484,9 @@ FilterConfig::FilterConfig(
       authorization_query_params_(buildAutorizationQueryParams(proto_config)),
       client_id_(proto_config.credentials().client_id()),
       redirect_uri_(proto_config.redirect_uri()),
+      allowed_redirect_domains_(proto_config.allowed_redirect_domains().begin(),
+                                proto_config.allowed_redirect_domains().end()),
+      original_request_uri_(proto_config.original_request_uri()),
       redirect_matcher_(proto_config.redirect_path_matcher(), context),
       signout_path_(proto_config.signout_path(), context), secret_reader_(secret_reader),
       stats_(FilterConfig::generateStats(stats_prefix, proto_config.stat_prefix(), scope)),
@@ -950,7 +981,45 @@ void OAuth2Filter::redirectToOAuthServer(Http::RequestHeaderMap& headers) {
   if (Http::Utility::schemeIsHttp(headers.getSchemeValue())) {
     scheme = Http::Headers::get().SchemeValues.Http;
   }
-  const std::string base_path = absl::StrCat(scheme, "://", host_);
+
+  // Format redirect_uri — needed for the query param sent to the identity provider
+  auto formatter = THROW_OR_RETURN_VALUE(Formatter::FormatterImpl::create(config_->redirectUri()),
+                                         Formatter::FormatterPtr);
+  const auto redirect_uri = formatter->format({&headers}, decoder_callbacks_->streamInfo());
+
+  // The formatted redirect_uri must be a parseable absolute URL; otherwise a malformed template
+  // output could silently bypass the allow-list check below.
+  Http::Utility::Url parsed_redirect_uri;
+  if (!parsed_redirect_uri.initialize(redirect_uri, false)) {
+    sendUnauthorizedResponse(fmt::format("redirect_uri is not a valid URL: {}", redirect_uri));
+    return;
+  }
+  if (!isHostAllowedDomain(parsed_redirect_uri.hostAndPort(), config_->allowedRedirectDomains())) {
+    sendUnauthorizedResponse(
+        fmt::format("redirect_uri is not in the allowed redirect domains: {}", redirect_uri));
+    return;
+  }
+
+  auto base_path = absl::StrCat(scheme, "://", host_);
+
+  if (!config_->originalRequestUri().empty()) {
+    formatter = THROW_OR_RETURN_VALUE(
+        Formatter::FormatterImpl::create(config_->originalRequestUri()), Formatter::FormatterPtr);
+    base_path = formatter->format({&headers}, decoder_callbacks_->streamInfo());
+  }
+
+  // allow-list validation for the base path encoded into `state`.
+  Http::Utility::Url parsed_base_path;
+  if (!parsed_base_path.initialize(base_path, false)) {
+    sendUnauthorizedResponse(fmt::format("original_request_uri is not a valid URL: {}", base_path));
+    return;
+  }
+  if (!isHostAllowedDomain(parsed_base_path.hostAndPort(), config_->allowedRedirectDomains())) {
+    sendUnauthorizedResponse(
+        fmt::format("original_request_uri is not in the allowed redirect domains: {}", base_path));
+    return;
+  }
+
   const std::string original_url = absl::StrCat(base_path, headers.Path()->value().getStringView());
 
   const CookieNames& cookie_names = config_->cookieNames();
@@ -984,9 +1053,6 @@ void OAuth2Filter::redirectToOAuthServer(Http::RequestHeaderMap& headers) {
   auto query_params = config_->authorizationQueryParams();
   query_params.overwrite(queryParamsState, state);
 
-  Formatter::FormatterPtr formatter = THROW_OR_RETURN_VALUE(
-      Formatter::FormatterImpl::create(config_->redirectUri()), Formatter::FormatterPtr);
-  const auto redirect_uri = formatter->format({&headers}, decoder_callbacks_->streamInfo());
   const std::string escaped_redirect_uri = Http::Utility::PercentEncoding::urlEncode(redirect_uri);
   query_params.overwrite(queryParamsRedirectUri, escaped_redirect_uri);
 
@@ -1598,6 +1664,13 @@ CallbackValidationResult OAuth2Filter::validateState(const Http::RequestHeaderMa
             fmt::format("State url can not be initialized: {}", original_request_url)};
   }
 
+  // Validate the host of the original request URL against allowed redirect domains.
+  if (!isHostAllowedDomain(url.hostAndPort(), config_->allowedRedirectDomains())) {
+    return {false, "", "", flow_id,
+            fmt::format("State url host is not in the allowed redirect domains: {}",
+                        url.hostAndPort())};
+  }
+
   return {true, "", original_request_url, flow_id, ""};
 }
 

source/extensions/filters/http/oauth2/filter.h

@@ -174,6 +174,10 @@ class FilterConfig : public Router::RouteSpecificFilterConfig,
     return authorization_query_params_;
   }
   const std::string& redirectUri() const { return redirect_uri_; }
+  const std::vector<std::string>& allowedRedirectDomains() const {
+    return allowed_redirect_domains_;
+  }
+  const std::string& originalRequestUri() const { return original_request_uri_; }
   const Matchers::PathMatcher& redirectPathMatcher() const { return redirect_matcher_; }
   const Matchers::PathMatcher& signoutPath() const { return signout_path_; }
   std::string clientSecret() const { return secret_reader_->clientSecret(); }
@@ -245,6 +249,8 @@ class FilterConfig : public Router::RouteSpecificFilterConfig,
   const Http::Utility::QueryParamsMulti authorization_query_params_;
   const std::string client_id_;
   const std::string redirect_uri_;
+  const std::vector<std::string> allowed_redirect_domains_;
+  const std::string original_request_uri_;
   const Matchers::PathMatcher redirect_matcher_;
   const Matchers::PathMatcher signout_path_;
   std::shared_ptr<SecretReader> secret_reader_;