api for id token forwarding (#8691)

* api for id token forwarding

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* fix gen

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

Author: zhaohuabing

api/v1alpha1/oidc_types.go

@@ -16,6 +16,7 @@ const (
 
 // OIDC defines the configuration for the OpenID Connect (OIDC) authentication.
 // +kubebuilder:validation:XValidation:rule="(has(self.clientID) && !has(self.clientIDRef)) || (!has(self.clientID) && has(self.clientIDRef))", message="only one of clientID or clientIDRef must be set"
+// +kubebuilder:validation:XValidation:rule="!(has(self.forwardAccessToken) && self.forwardAccessToken && has(self.forwardIDToken) && self.forwardIDToken.header.lowerAscii() == 'authorization')", message="forwardAccessToken cannot be true when forwardIDToken.header is Authorization"
 type OIDC struct {
 	// The OIDC Provider configuration.
 	Provider OIDCProvider `json:"provider"`
@@ -99,6 +100,14 @@ type OIDC struct {
 	// +optional
 	ForwardAccessToken *bool `json:"forwardAccessToken,omitempty"`
 
+	// ForwardIDToken configures forwarding of the OIDC ID token to the upstream.
+	//
+	// If the configured header is "Authorization", EG forwards the ID token using
+	// the "Bearer " prefix. For any other header, EG forwards the raw token value.
+	// If not specified, the ID token will not be forwarded.
+	// +optional
+	ForwardIDToken *OIDCTokenForwarding `json:"forwardIDToken,omitempty"`
+
 	// DefaultTokenTTL is the default lifetime of the id token and access token.
 	// Please note that Envoy will always use the expiry time from the response
 	// of the authorization server if it is provided. This field is only used when
@@ -234,6 +243,13 @@ type OIDCCookieNames struct {
 	IDToken *string `json:"idToken,omitempty"`
 }
 
+// OIDCTokenForwarding defines how an OIDC token is forwarded upstream.
+type OIDCTokenForwarding struct {
+	// Header is the upstream request header that will carry the ID token.
+	// +kubebuilder:validation:MinLength=1
+	Header string `json:"header"`
+}
+
 type SameSite string
 
 const (

api/v1alpha1/zz_generated.deepcopy.go

@@ -5432,6 +5432,22 @@ spec:
                       via the Authorization header Bearer scheme to the upstream.
                       If not specified, defaults to false.
                     type: boolean
+                  forwardIDToken:
+                    description: |-
+                      ForwardIDToken configures forwarding of the OIDC ID token to the upstream.
+
+                      If the configured header is "Authorization", EG forwards the ID token using
+                      the "Bearer " prefix. For any other header, EG forwards the raw token value.
+                      If not specified, the ID token will not be forwarded.
+                    properties:
+                      header:
+                        description: Header is the upstream request header that will
+                          carry the ID token.
+                        minLength: 1
+                        type: string
+                    required:
+                    - header
+                    type: object
                   logoutPath:
                     description: |-
                       The path to log a user out, clearing their credential cookies.
@@ -6889,6 +6905,11 @@ spec:
                 - message: only one of clientID or clientIDRef must be set
                   rule: (has(self.clientID) && !has(self.clientIDRef)) || (!has(self.clientID)
                     && has(self.clientIDRef))
+                - message: forwardAccessToken cannot be true when forwardIDToken.header
+                    is Authorization
+                  rule: '!(has(self.forwardAccessToken) && self.forwardAccessToken
+                    && has(self.forwardIDToken) && self.forwardIDToken.header.lowerAscii()
+                    == ''authorization'')'
               targetRef:
                 description: |-
                   TargetRef is the name of the resource this policy is being attached to.

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -5431,6 +5431,22 @@ spec:
                       via the Authorization header Bearer scheme to the upstream.
                       If not specified, defaults to false.
                     type: boolean
+                  forwardIDToken:
+                    description: |-
+                      ForwardIDToken configures forwarding of the OIDC ID token to the upstream.
+
+                      If the configured header is "Authorization", EG forwards the ID token using
+                      the "Bearer " prefix. For any other header, EG forwards the raw token value.
+                      If not specified, the ID token will not be forwarded.
+                    properties:
+                      header:
+                        description: Header is the upstream request header that will
+                          carry the ID token.
+                        minLength: 1
+                        type: string
+                    required:
+                    - header
+                    type: object
                   logoutPath:
                     description: |-
                       The path to log a user out, clearing their credential cookies.
@@ -6888,6 +6904,11 @@ spec:
                 - message: only one of clientID or clientIDRef must be set
                   rule: (has(self.clientID) && !has(self.clientIDRef)) || (!has(self.clientID)
                     && has(self.clientIDRef))
+                - message: forwardAccessToken cannot be true when forwardIDToken.header
+                    is Authorization
+                  rule: '!(has(self.forwardAccessToken) && self.forwardAccessToken
+                    && has(self.forwardIDToken) && self.forwardIDToken.header.lowerAscii()
+                    == ''authorization'')'
               targetRef:
                 description: |-
                   TargetRef is the name of the resource this policy is being attached to.

charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -4007,6 +4007,7 @@ _Appears in:_
 | `denyRedirect` | _[OIDCDenyRedirect](#oidcdenyredirect)_ |  false  |  | Any request that matches any of the provided matchers (with either tokens that are expired or missing tokens) will not be redirected to the OIDC Provider.<br />This behavior can be useful for AJAX or machine requests. |
 | `logoutPath` | _string_ |  true  |  | The path to log a user out, clearing their credential cookies.<br />If not specified, uses a default logout path "/logout" |
 | `forwardAccessToken` | _boolean_ |  false  |  | ForwardAccessToken indicates whether the Envoy should forward the access token<br />via the Authorization header Bearer scheme to the upstream.<br />If not specified, defaults to false. |
+| `forwardIDToken` | _[OIDCTokenForwarding](#oidctokenforwarding)_ |  false  |  | ForwardIDToken configures forwarding of the OIDC ID token to the upstream.<br />If the configured header is "Authorization", EG forwards the ID token using<br />the "Bearer " prefix. For any other header, EG forwards the raw token value.<br />If not specified, the ID token will not be forwarded. |
 | `defaultTokenTTL` | _[Duration](https://gateway-api.sigs.k8s.io/reference/1.5/spec/#duration)_ |  false  |  | DefaultTokenTTL is the default lifetime of the id token and access token.<br />Please note that Envoy will always use the expiry time from the response<br />of the authorization server if it is provided. This field is only used when<br />the expiry time is not provided by the authorization.<br />If not specified, defaults to 0. In this case, the "expires_in" field in<br />the authorization response must be set by the authorization server, or the<br />OAuth flow will fail. |
 | `refreshToken` | _boolean_ |  false  | true | RefreshToken indicates whether the Envoy should automatically refresh the<br />id token and access token when they expire.<br />When set to true, the Envoy will use the refresh token to get a new id token<br />and access token when they expire.<br />If not specified, defaults to true. |
 | `defaultRefreshTokenTTL` | _[Duration](https://gateway-api.sigs.k8s.io/reference/1.5/spec/#duration)_ |  false  |  | DefaultRefreshTokenTTL is the default lifetime of the refresh token.<br />This field is only used when the exp (expiration time) claim is omitted in<br />the refresh token or the refresh token is not JWT.<br />If not specified, defaults to 604800s (one week).<br />Note: this field is only applicable when the "refreshToken" field is set to true. |
@@ -4102,6 +4103,20 @@ _Appears in:_
 | `endSessionEndpoint` | _string_ |  false  |  | The OIDC Provider's [end session endpoint](https://openid.net/specs/openid-connect-core-1_0.html#RPLogout).<br />If the end session endpoint is provided, EG will use it to log out the user from the OIDC Provider when the user accesses the logout path.<br />EG will also try to discover the end session endpoint from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse) when authorizationEndpoint or tokenEndpoint is not provided. |
 
 
+#### OIDCTokenForwarding
+
+
+
+OIDCTokenForwarding defines how an OIDC token is forwarded upstream.
+
+_Appears in:_
+- [OIDC](#oidc)
+
+| Field | Type | Required | Default | Description |
+| ---   | ---  | ---      | ---     | ---         |
+| `header` | _string_ |  true  |  | Header is the upstream request header that will carry the ID token. |
+
+
 #### OTelSampler
 
 

site/content/en/latest/api/extension_types.md

@@ -54787,6 +54787,22 @@ spec:
                       via the Authorization header Bearer scheme to the upstream.
                       If not specified, defaults to false.
                     type: boolean
+                  forwardIDToken:
+                    description: |-
+                      ForwardIDToken configures forwarding of the OIDC ID token to the upstream.
+
+                      If the configured header is "Authorization", EG forwards the ID token using
+                      the "Bearer " prefix. For any other header, EG forwards the raw token value.
+                      If not specified, the ID token will not be forwarded.
+                    properties:
+                      header:
+                        description: Header is the upstream request header that will
+                          carry the ID token.
+                        minLength: 1
+                        type: string
+                    required:
+                    - header
+                    type: object
                   logoutPath:
                     description: |-
                       The path to log a user out, clearing their credential cookies.
@@ -56244,6 +56260,11 @@ spec:
                 - message: only one of clientID or clientIDRef must be set
                   rule: (has(self.clientID) && !has(self.clientIDRef)) || (!has(self.clientID)
                     && has(self.clientIDRef))
+                - message: forwardAccessToken cannot be true when forwardIDToken.header
+                    is Authorization
+                  rule: '!(has(self.forwardAccessToken) && self.forwardAccessToken
+                    && has(self.forwardIDToken) && self.forwardIDToken.header.lowerAscii()
+                    == ''authorization'')'
               targetRef:
                 description: |-
                   TargetRef is the name of the resource this policy is being attached to.

test/helm/gateway-crds-helm/all.out.yaml

@@ -32760,6 +32760,22 @@ spec:
                       via the Authorization header Bearer scheme to the upstream.
                       If not specified, defaults to false.
                     type: boolean
+                  forwardIDToken:
+                    description: |-
+                      ForwardIDToken configures forwarding of the OIDC ID token to the upstream.
+
+                      If the configured header is "Authorization", EG forwards the ID token using
+                      the "Bearer " prefix. For any other header, EG forwards the raw token value.
+                      If not specified, the ID token will not be forwarded.
+                    properties:
+                      header:
+                        description: Header is the upstream request header that will
+                          carry the ID token.
+                        minLength: 1
+                        type: string
+                    required:
+                    - header
+                    type: object
                   logoutPath:
                     description: |-
                       The path to log a user out, clearing their credential cookies.
@@ -34217,6 +34233,11 @@ spec:
                 - message: only one of clientID or clientIDRef must be set
                   rule: (has(self.clientID) && !has(self.clientIDRef)) || (!has(self.clientID)
                     && has(self.clientIDRef))
+                - message: forwardAccessToken cannot be true when forwardIDToken.header
+                    is Authorization
+                  rule: '!(has(self.forwardAccessToken) && self.forwardAccessToken
+                    && has(self.forwardIDToken) && self.forwardIDToken.header.lowerAscii()
+                    == ''authorization'')'
               targetRef:
                 description: |-
                   TargetRef is the name of the resource this policy is being attached to.

test/helm/gateway-crds-helm/e2e.out.yaml

@@ -32760,6 +32760,22 @@ spec:
                       via the Authorization header Bearer scheme to the upstream.
                       If not specified, defaults to false.
                     type: boolean
+                  forwardIDToken:
+                    description: |-
+                      ForwardIDToken configures forwarding of the OIDC ID token to the upstream.
+
+                      If the configured header is "Authorization", EG forwards the ID token using
+                      the "Bearer " prefix. For any other header, EG forwards the raw token value.
+                      If not specified, the ID token will not be forwarded.
+                    properties:
+                      header:
+                        description: Header is the upstream request header that will
+                          carry the ID token.
+                        minLength: 1
+                        type: string
+                    required:
+                    - header
+                    type: object
                   logoutPath:
                     description: |-
                       The path to log a user out, clearing their credential cookies.
@@ -34217,6 +34233,11 @@ spec:
                 - message: only one of clientID or clientIDRef must be set
                   rule: (has(self.clientID) && !has(self.clientIDRef)) || (!has(self.clientID)
                     && has(self.clientIDRef))
+                - message: forwardAccessToken cannot be true when forwardIDToken.header
+                    is Authorization
+                  rule: '!(has(self.forwardAccessToken) && self.forwardAccessToken
+                    && has(self.forwardIDToken) && self.forwardIDToken.header.lowerAscii()
+                    == ''authorization'')'
               targetRef:
                 description: |-
                   TargetRef is the name of the resource this policy is being attached to.