oidc: native oauth2 per-route config (#8703)

native oauth2 per-route config

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

Author: zhaohuabing

examples/extension-server/go.mod

@@ -4,8 +4,8 @@ go 1.26.2
 
 require (
 	github.com/envoyproxy/gateway v1.3.1
-	github.com/envoyproxy/go-control-plane v0.14.0
-	github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097
+	github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14
+	github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14
 	github.com/urfave/cli/v2 v2.27.7
 	google.golang.org/grpc v1.80.0
 	google.golang.org/protobuf v1.36.11

examples/extension-server/go.sum

@@ -22,10 +22,10 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
-github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
-github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097 h1:Ou9X6qsPOiDOsQgaboj3jlCE5ZYngdYeSVDKBcT95QE=
-github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097/go.mod h1:237/ZQHepDd4v5BjpRNFI2mMG7WEBd+mQnt8jwbqrnk=
+github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14 h1:7g8SJv4OrVcLT4yfkzIbsTcwLBwyLu8gKb/yCf3Loxk=
+github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14/go.mod h1:18SVzvkoF8AL2O7baVikhojMZ+7rFPh3o8tOOsBVyok=
+github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14 h1:zEzMNlk4Kb4GpwKt2pmEc2B5+iM9rcmUYoB0mGHhXyU=
+github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14/go.mod h1:5yRfenlmRH8sxKrhXyiFtK8BDz3syDWcFm81rkCcATM=
 github.com/envoyproxy/protoc-gen-validate v1.3.3 h1:MVQghNeW+LZcmXe7SY1V36Z+WFMDjpqGAGacLe2T0ds=
 github.com/envoyproxy/protoc-gen-validate v1.3.3/go.mod h1:TsndJ/ngyIdQRhMcVVGDDHINPLWB7C82oDArY51KfB0=
 github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=

go.mod

@@ -11,10 +11,10 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/docker/cli v29.4.0+incompatible
 	github.com/dominikbraun/graph v0.23.0
-	github.com/envoyproxy/go-control-plane v0.14.0
-	github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989
-	github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097
-	github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989
+	github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14
+	github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260409050421-3f47accd6e14
+	github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14
+	github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260409050421-3f47accd6e14
 	github.com/envoyproxy/ratelimit v1.4.1-0.20260122083618-3fb702589d36
 	github.com/evanphx/json-patch v5.9.11+incompatible
 	github.com/evanphx/json-patch/v5 v5.9.11

go.sum

@@ -164,14 +164,14 @@ github.com/ebitengine/purego v0.10.0 h1:QIw4xfpWT6GWTzaW5XEKy3HXoqrJGx1ijYHzTF0/
 github.com/ebitengine/purego v0.10.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=
 github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
-github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
-github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989 h1:KTd1TJym7dgV1L1XlxXeJNct7rJI3xTV+iuArq40wm0=
-github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989/go.mod h1:+fG/snSdlOxU+5RWuuKSYxF9zusT3Duy1MDbETA44Bo=
-github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097 h1:Ou9X6qsPOiDOsQgaboj3jlCE5ZYngdYeSVDKBcT95QE=
-github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097/go.mod h1:237/ZQHepDd4v5BjpRNFI2mMG7WEBd+mQnt8jwbqrnk=
-github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989 h1:8tBwE+GI3IWMywGVrJjc2grm7SCpPMydVu+HiBYb4+E=
-github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989/go.mod h1:buWyXJdrI6ayYbeGm3upu3Qf/qHHrdWfUHKnVrTD+vM=
+github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14 h1:7g8SJv4OrVcLT4yfkzIbsTcwLBwyLu8gKb/yCf3Loxk=
+github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14/go.mod h1:18SVzvkoF8AL2O7baVikhojMZ+7rFPh3o8tOOsBVyok=
+github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260409050421-3f47accd6e14 h1:VszH+75Lfplgo/ZDOe79HOGnLHAgPHWqFjMl7AdQEWw=
+github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260409050421-3f47accd6e14/go.mod h1:29VWPXU81Y5hg3S89D3zXhbOgqgh93Os+W911d6SxP8=
+github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14 h1:zEzMNlk4Kb4GpwKt2pmEc2B5+iM9rcmUYoB0mGHhXyU=
+github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14/go.mod h1:5yRfenlmRH8sxKrhXyiFtK8BDz3syDWcFm81rkCcATM=
+github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260409050421-3f47accd6e14 h1:128xSbKG9xp2W6JAyfb2Q2pDrEC5bhtUcfYpJZf6OdA=
+github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260409050421-3f47accd6e14/go.mod h1://utHaGoDyMdS6rB87A76UIaRn+Ss9dS2ZJ5rM2psGU=
 github.com/envoyproxy/protoc-gen-validate v1.3.3 h1:MVQghNeW+LZcmXe7SY1V36Z+WFMDjpqGAGacLe2T0ds=
 github.com/envoyproxy/protoc-gen-validate v1.3.3/go.mod h1:TsndJ/ngyIdQRhMcVVGDDHINPLWB7C82oDArY51KfB0=
 github.com/envoyproxy/ratelimit v1.4.1-0.20260122083618-3fb702589d36 h1:nEi1OH2qhE8NtcuBgO/uKpTw/P0nVu4i8mZvL6oD9CQ=

internal/xds/extensions/extensions.gen.go

@@ -29,6 +29,7 @@ import (
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/kafka_mesh/v3alpha"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/metadata_exchange/v3"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/mysql_proxy/v3"
+	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/peer_metadata/v3"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/rocketmq_proxy/v3"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/sip_proxy/router/v3alpha"
@@ -42,6 +43,7 @@ import (
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/private_key_providers/qat/v3alpha"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/regex_engines/hyperscan/v3alpha"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/router/cluster_specifier/golang/v3alpha"
+	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/stat_sinks/kafka/v3"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/tap_sinks/udp_sink/v3alpha"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/upstreams/http/tcp/golang/v3alpha"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/vcl/v3alpha"
@@ -185,6 +187,7 @@ import (
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/original_dst/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/original_src/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/proxy_protocol/v3"
+	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/set_filter_state/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/tls_inspector/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/connection_limit/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/direct_response/v3"
@@ -225,6 +228,8 @@ import (
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/udp_proxy/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/cel/v3"
+	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/file_content/v3"
+	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/generic_secret/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/metadata/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/req_without_query/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/geoip_providers/common/v3"
@@ -296,6 +301,7 @@ import (
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/apple/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/cares/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/getaddrinfo/v3"
+	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/hickory/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/socket_interface/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/outlier_detection_monitors/common/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/outlier_detection_monitors/consecutive_errors/v3"
@@ -330,6 +336,7 @@ import (
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/stat_sinks/open_telemetry/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/stat_sinks/wasm/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/string_matcher/lua/v3"
+	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/tracers/dynamic_modules/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/tracers/fluentd/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/tracers/opentelemetry/resource_detectors/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/tracers/opentelemetry/samplers/v3"
@@ -350,6 +357,7 @@ import (
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/cert_validator/dynamic_modules/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/udp_packet_writer/v3"
+	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/dynamic_modules/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/generic/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/http/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/tcp/v3"

internal/xds/translator/oidc.go

@@ -36,11 +36,7 @@ var _ httpFilter = &oidc{}
 
 // patchHCM builds and appends the oauth2 Filters to the HTTP Connection Manager
 // if applicable, and it does not already exist.
-// Note: this method creates an oauth2 filter for each route that contains an OIDC config.
-// the filter is disabled by default. It is enabled on the route level.
 func (*oidc) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListener) error {
-	var errs error
-
 	if mgr == nil {
 		return errors.New("hcm is nil")
 	}
@@ -49,56 +45,43 @@ func (*oidc) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListe
 		return errors.New("ir listener is nil")
 	}
 
+	if hcmContainsFilter(mgr, string(egv1a1.EnvoyFilterOAuth2)) {
+		return nil
+	}
+
 	for _, route := range irListener.Routes {
 		if !routeContainsOIDC(route) {
 			continue
 		}
 
-		// Only generates one OAuth2 Envoy filter for each unique name.
-		// For example, if there are two routes under the same gateway with the
-		// same OAuth2 config, only one OAuth2 filter will be generated.
-		if hcmContainsFilter(mgr, oauth2FilterName(route.Security.OIDC)) {
-			continue
-		}
-
-		filter, err := buildHCMOAuth2Filter(route.Security)
+		filter, err := buildHCMOAuth2Filter()
 		if err != nil {
-			errs = errors.Join(errs, err)
-			continue
+			return err
 		}
-
 		mgr.HttpFilters = append(mgr.HttpFilters, filter)
+		return nil
 	}
 
-	return errs
+	return nil
 }
 
-// buildHCMOAuth2Filter returns an OAuth2 HTTP filter from the provided IR HTTPRoute.
-func buildHCMOAuth2Filter(securityFeatures *ir.SecurityFeatures) (*hcmv3.HttpFilter, error) {
-	oauth2Proto, err := oauth2Config(securityFeatures)
-	if err != nil {
-		return nil, err
-	}
-
+// buildHCMOAuth2Filter returns the listener-level OAuth2 HTTP filter.
+func buildHCMOAuth2Filter() (*hcmv3.HttpFilter, error) {
+	oauth2Proto := &oauth2v3.OAuth2{}
 	OAuth2Any, err := proto.ToAnyWithValidation(oauth2Proto)
 	if err != nil {
 		return nil, err
 	}
 
 	return &hcmv3.HttpFilter{
-		Name:     oauth2FilterName(securityFeatures.OIDC),
-		Disabled: true,
+		Name: string(egv1a1.EnvoyFilterOAuth2),
 		ConfigType: &hcmv3.HttpFilter_TypedConfig{
 			TypedConfig: OAuth2Any,
 		},
 	}, nil
 }
 
-func oauth2FilterName(oidc *ir.OIDC) string {
-	return perRouteFilterName(egv1a1.EnvoyFilterOAuth2, oidc.Name)
-}
-
-func oauth2Config(securityFeatures *ir.SecurityFeatures) (*oauth2v3.OAuth2, error) {
+func oauth2Config(securityFeatures *ir.SecurityFeatures) (*oauth2v3.OAuth2PerRoute, error) {
 	var (
 		tokenEndpointCluster string
 		err                  error
@@ -135,7 +118,7 @@ func oauth2Config(securityFeatures *ir.SecurityFeatures) (*oauth2v3.OAuth2, erro
 	// If the user wants to forward the oauth2 access token to the upstream service,
 	// we should not preserve the original authorization header.
 	preserveAuthorizationHeader := !oidc.ForwardAccessToken
-	oauth2 := &oauth2v3.OAuth2{
+	oauth2 := &oauth2v3.OAuth2PerRoute{
 		Config: &oauth2v3.OAuth2Config{
 			StatPrefix: oidc.Name,
 			TokenEndpoint: &corev3.HttpUri{
@@ -589,11 +572,19 @@ func (*oidc) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPL
 	if irRoute.Security == nil || irRoute.Security.OIDC == nil {
 		return nil
 	}
-	filterName := oauth2FilterName(irRoute.Security.OIDC)
-	if err := enableFilterOnRoute(route, filterName, &routev3.FilterConfig{
-		Config: &anypb.Any{},
-	}); err != nil {
+	oauth2Proto, err := oauth2Config(irRoute.Security)
+	if err != nil {
 		return err
 	}
+	if route.TypedPerFilterConfig == nil {
+		route.TypedPerFilterConfig = make(map[string]*anypb.Any)
+	}
+
+	oauth2Any, err := proto.ToAnyWithValidation(oauth2Proto)
+	if err != nil {
+		return err
+	}
+
+	route.TypedPerFilterConfig[string(egv1a1.EnvoyFilterOAuth2)] = oauth2Any
 	return nil
 }

internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml

@@ -39,50 +39,9 @@
             '@type': type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuth
             users:
               inlineBytes: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo=
-        - disabled: true
-          name: envoy.filters.http.oauth2/securitypolicy/default/policy-for-gateway-2
+        - name: envoy.filters.http.oauth2
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
-            config:
-              authScopes:
-              - openid
-              - email
-              - profile
-              authType: BASIC_AUTH
-              authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
-              credentials:
-                clientId: client.oauth.foo.com
-                cookieNames:
-                  bearerToken: AccessToken-5F93C2E4
-                  idToken: IdToken-5F93C2E4
-                  oauthExpires: OauthExpires-5F93C2E4
-                  oauthHmac: OauthHMAC-5F93C2E4
-                  oauthNonce: OauthNonce-5F93C2E4
-                  refreshToken: RefreshToken-5F93C2E4
-                hmacSecret:
-                  name: oauth2/hmac_secret/securitypolicy/default/policy-for-gateway-2
-                  sdsConfig:
-                    ads: {}
-                    resourceApiVersion: V3
-                tokenSecret:
-                  name: oauth2/client_secret/securitypolicy/default/policy-for-gateway-2
-                  sdsConfig:
-                    ads: {}
-                    resourceApiVersion: V3
-              preserveAuthorizationHeader: true
-              redirectPathMatcher:
-                path:
-                  exact: /foo/oauth2/callback
-              redirectUri: https://www.example.com/foo/oauth2/callback
-              signoutPath:
-                path:
-                  exact: /foo/logout
-              statPrefix: securitypolicy/default/policy-for-gateway-2
-              tokenEndpoint:
-                cluster: oauth_foo_com_443
-                timeout: 10s
-                uri: https://oauth.foo.com/token
-              useRefreshToken: true
         - name: envoy.filters.http.router
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.routes.yaml

@@ -40,6 +40,45 @@
         upgradeConfigs:
         - upgradeType: websocket
       typedPerFilterConfig:
-        envoy.filters.http.oauth2/securitypolicy/default/policy-for-gateway-2:
-          '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig
-          config: {}
+        envoy.filters.http.oauth2:
+          '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2PerRoute
+          config:
+            authScopes:
+            - openid
+            - email
+            - profile
+            authType: BASIC_AUTH
+            authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
+            credentials:
+              clientId: client.oauth.foo.com
+              cookieNames:
+                bearerToken: AccessToken-5F93C2E4
+                idToken: IdToken-5F93C2E4
+                oauthExpires: OauthExpires-5F93C2E4
+                oauthHmac: OauthHMAC-5F93C2E4
+                oauthNonce: OauthNonce-5F93C2E4
+                refreshToken: RefreshToken-5F93C2E4
+              hmacSecret:
+                name: oauth2/hmac_secret/securitypolicy/default/policy-for-gateway-2
+                sdsConfig:
+                  ads: {}
+                  resourceApiVersion: V3
+              tokenSecret:
+                name: oauth2/client_secret/securitypolicy/default/policy-for-gateway-2
+                sdsConfig:
+                  ads: {}
+                  resourceApiVersion: V3
+            preserveAuthorizationHeader: true
+            redirectPathMatcher:
+              path:
+                exact: /foo/oauth2/callback
+            redirectUri: https://www.example.com/foo/oauth2/callback
+            signoutPath:
+              path:
+                exact: /foo/logout
+            statPrefix: securitypolicy/default/policy-for-gateway-2
+            tokenEndpoint:
+              cluster: oauth_foo_com_443
+              timeout: 10s
+              uri: https://oauth.foo.com/token
+            useRefreshToken: true