native oauth2 per-route config

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

Author: zhaohuabing

examples/extension-server/go.mod

@@ -4,7 +4,7 @@ go 1.26.1
 
 require (
 	github.com/envoyproxy/gateway v1.3.1
-	github.com/envoyproxy/go-control-plane v0.14.0
+	github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14
 	github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097
 	github.com/urfave/cli/v2 v2.27.7
 	google.golang.org/grpc v1.80.0

examples/extension-server/go.sum

@@ -22,8 +22,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
-github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
+github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14 h1:7g8SJv4OrVcLT4yfkzIbsTcwLBwyLu8gKb/yCf3Loxk=
+github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14/go.mod h1:18SVzvkoF8AL2O7baVikhojMZ+7rFPh3o8tOOsBVyok=
 github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097 h1:Ou9X6qsPOiDOsQgaboj3jlCE5ZYngdYeSVDKBcT95QE=
 github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097/go.mod h1:237/ZQHepDd4v5BjpRNFI2mMG7WEBd+mQnt8jwbqrnk=
 github.com/envoyproxy/protoc-gen-validate v1.3.3 h1:MVQghNeW+LZcmXe7SY1V36Z+WFMDjpqGAGacLe2T0ds=

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/docker/cli v29.4.0+incompatible
 	github.com/dominikbraun/graph v0.23.0
-	github.com/envoyproxy/go-control-plane v0.14.0
+	github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14
 	github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989
 	github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097
 	github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989

go.sum

@@ -140,8 +140,8 @@ github.com/ebitengine/purego v0.10.0 h1:QIw4xfpWT6GWTzaW5XEKy3HXoqrJGx1ijYHzTF0/
 github.com/ebitengine/purego v0.10.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=
 github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
-github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
+github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14 h1:7g8SJv4OrVcLT4yfkzIbsTcwLBwyLu8gKb/yCf3Loxk=
+github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14/go.mod h1:18SVzvkoF8AL2O7baVikhojMZ+7rFPh3o8tOOsBVyok=
 github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989 h1:KTd1TJym7dgV1L1XlxXeJNct7rJI3xTV+iuArq40wm0=
 github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989/go.mod h1:+fG/snSdlOxU+5RWuuKSYxF9zusT3Duy1MDbETA44Bo=
 github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097 h1:Ou9X6qsPOiDOsQgaboj3jlCE5ZYngdYeSVDKBcT95QE=

internal/xds/translator/oidc.go

@@ -36,11 +36,7 @@ var _ httpFilter = &oidc{}
 
 // patchHCM builds and appends the oauth2 Filters to the HTTP Connection Manager
 // if applicable, and it does not already exist.
-// Note: this method creates an oauth2 filter for each route that contains an OIDC config.
-// the filter is disabled by default. It is enabled on the route level.
 func (*oidc) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListener) error {
-	var errs error
-
 	if mgr == nil {
 		return errors.New("hcm is nil")
 	}
@@ -49,55 +45,42 @@ func (*oidc) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListe
 		return errors.New("ir listener is nil")
 	}
 
+	if hcmContainsFilter(mgr, string(egv1a1.EnvoyFilterOAuth2)) {
+		return nil
+	}
+
 	for _, route := range irListener.Routes {
 		if !routeContainsOIDC(route) {
 			continue
 		}
 
-		// Only generates one OAuth2 Envoy filter for each unique name.
-		// For example, if there are two routes under the same gateway with the
-		// same OAuth2 config, only one OAuth2 filter will be generated.
-		if hcmContainsFilter(mgr, oauth2FilterName(route.Security.OIDC)) {
-			continue
-		}
-
-		filter, err := buildHCMOAuth2Filter(route.Security)
+		filter, err := buildHCMOAuth2Filter()
 		if err != nil {
-			errs = errors.Join(errs, err)
-			continue
+			return err
 		}
-
 		mgr.HttpFilters = append(mgr.HttpFilters, filter)
+		return nil
 	}
 
-	return errs
+	return nil
 }
 
-// buildHCMOAuth2Filter returns an OAuth2 HTTP filter from the provided IR HTTPRoute.
-func buildHCMOAuth2Filter(securityFeatures *ir.SecurityFeatures) (*hcmv3.HttpFilter, error) {
-	oauth2Proto, err := oauth2Config(securityFeatures)
-	if err != nil {
-		return nil, err
-	}
-
+// buildHCMOAuth2Filter returns the listener-level OAuth2 HTTP filter.
+func buildHCMOAuth2Filter() (*hcmv3.HttpFilter, error) {
+	oauth2Proto := &oauth2v3.OAuth2{}
 	OAuth2Any, err := proto.ToAnyWithValidation(oauth2Proto)
 	if err != nil {
 		return nil, err
 	}
 
 	return &hcmv3.HttpFilter{
-		Name:     oauth2FilterName(securityFeatures.OIDC),
-		Disabled: true,
+		Name: string(egv1a1.EnvoyFilterOAuth2),
 		ConfigType: &hcmv3.HttpFilter_TypedConfig{
 			TypedConfig: OAuth2Any,
 		},
 	}, nil
 }
 
-func oauth2FilterName(oidc *ir.OIDC) string {
-	return perRouteFilterName(egv1a1.EnvoyFilterOAuth2, oidc.Name)
-}
-
 func oauth2Config(securityFeatures *ir.SecurityFeatures) (*oauth2v3.OAuth2, error) {
 	var (
 		tokenEndpointCluster string
@@ -586,11 +569,19 @@ func (*oidc) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPL
 	if irRoute.Security == nil || irRoute.Security.OIDC == nil {
 		return nil
 	}
-	filterName := oauth2FilterName(irRoute.Security.OIDC)
-	if err := enableFilterOnRoute(route, filterName, &routev3.FilterConfig{
-		Config: &anypb.Any{},
-	}); err != nil {
+	oauth2Proto, err := oauth2Config(irRoute.Security)
+	if err != nil {
 		return err
 	}
+	if route.TypedPerFilterConfig == nil {
+		route.TypedPerFilterConfig = make(map[string]*anypb.Any)
+	}
+
+	oauth2Any, err := proto.ToAnyWithValidation(oauth2Proto)
+	if err != nil {
+		return err
+	}
+
+	route.TypedPerFilterConfig[string(egv1a1.EnvoyFilterOAuth2)] = oauth2Any
 	return nil
 }

internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml

@@ -39,50 +39,9 @@
             '@type': type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuth
             users:
               inlineBytes: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo=
-        - disabled: true
-          name: envoy.filters.http.oauth2/securitypolicy/default/policy-for-gateway-2
+        - name: envoy.filters.http.oauth2
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
-            config:
-              authScopes:
-              - openid
-              - email
-              - profile
-              authType: BASIC_AUTH
-              authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
-              credentials:
-                clientId: client.oauth.foo.com
-                cookieNames:
-                  bearerToken: AccessToken-5F93C2E4
-                  idToken: IdToken-5F93C2E4
-                  oauthExpires: OauthExpires-5F93C2E4
-                  oauthHmac: OauthHMAC-5F93C2E4
-                  oauthNonce: OauthNonce-5F93C2E4
-                  refreshToken: RefreshToken-5F93C2E4
-                hmacSecret:
-                  name: oauth2/hmac_secret/securitypolicy/default/policy-for-gateway-2
-                  sdsConfig:
-                    ads: {}
-                    resourceApiVersion: V3
-                tokenSecret:
-                  name: oauth2/client_secret/securitypolicy/default/policy-for-gateway-2
-                  sdsConfig:
-                    ads: {}
-                    resourceApiVersion: V3
-              preserveAuthorizationHeader: true
-              redirectPathMatcher:
-                path:
-                  exact: /foo/oauth2/callback
-              redirectUri: https://www.example.com/foo/oauth2/callback
-              signoutPath:
-                path:
-                  exact: /foo/logout
-              statPrefix: securitypolicy/default/policy-for-gateway-2
-              tokenEndpoint:
-                cluster: oauth_foo_com_443
-                timeout: 10s
-                uri: https://oauth.foo.com/token
-              useRefreshToken: true
         - name: envoy.filters.http.router
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.routes.yaml

@@ -40,6 +40,45 @@
         upgradeConfigs:
         - upgradeType: websocket
       typedPerFilterConfig:
-        envoy.filters.http.oauth2/securitypolicy/default/policy-for-gateway-2:
-          '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig
-          config: {}
+        envoy.filters.http.oauth2:
+          '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
+          config:
+            authScopes:
+            - openid
+            - email
+            - profile
+            authType: BASIC_AUTH
+            authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
+            credentials:
+              clientId: client.oauth.foo.com
+              cookieNames:
+                bearerToken: AccessToken-5F93C2E4
+                idToken: IdToken-5F93C2E4
+                oauthExpires: OauthExpires-5F93C2E4
+                oauthHmac: OauthHMAC-5F93C2E4
+                oauthNonce: OauthNonce-5F93C2E4
+                refreshToken: RefreshToken-5F93C2E4
+              hmacSecret:
+                name: oauth2/hmac_secret/securitypolicy/default/policy-for-gateway-2
+                sdsConfig:
+                  ads: {}
+                  resourceApiVersion: V3
+              tokenSecret:
+                name: oauth2/client_secret/securitypolicy/default/policy-for-gateway-2
+                sdsConfig:
+                  ads: {}
+                  resourceApiVersion: V3
+            preserveAuthorizationHeader: true
+            redirectPathMatcher:
+              path:
+                exact: /foo/oauth2/callback
+            redirectUri: https://www.example.com/foo/oauth2/callback
+            signoutPath:
+              path:
+                exact: /foo/logout
+            statPrefix: securitypolicy/default/policy-for-gateway-2
+            tokenEndpoint:
+              cluster: oauth_foo_com_443
+              timeout: 10s
+              uri: https://oauth.foo.com/token
+            useRefreshToken: true

internal/xds/translator/testdata/out/xds-ir/oidc-and-jwt-with-passthrough.listeners.yaml

@@ -14,56 +14,9 @@
           initialStreamWindowSize: 65536
           maxConcurrentStreams: 100
         httpFilters:
-        - disabled: true
-          name: envoy.filters.http.oauth2/securitypolicy/envoy-gateway/security-policy-1
+        - name: envoy.filters.http.oauth2
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
-            config:
-              authScopes:
-              - openid
-              authType: BASIC_AUTH
-              authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
-              credentials:
-                clientId: client.oauth.foo.com
-                cookieNames:
-                  bearerToken: AccessToken-b0a1b740
-                  idToken: IdToken-b0a1b740
-                  oauthExpires: OauthExpires-b0a1b740
-                  oauthHmac: OauthHMAC-b0a1b740
-                  oauthNonce: OauthNonce-b0a1b740
-                  refreshToken: RefreshToken-b0a1b740
-                hmacSecret:
-                  name: oauth2/hmac_secret/securitypolicy/envoy-gateway/security-policy-1
-                  sdsConfig:
-                    ads: {}
-                    resourceApiVersion: V3
-                tokenSecret:
-                  name: oauth2/client_secret/securitypolicy/envoy-gateway/security-policy-1
-                  sdsConfig:
-                    ads: {}
-                    resourceApiVersion: V3
-              passThroughMatcher:
-              - name: Authorization
-                stringMatch:
-                  prefix: 'Bearer '
-              - name: MyHeaderPrefixed
-                stringMatch:
-                  prefix: MyPrefix
-              - name: MyHeaderNoPrefix
-              preserveAuthorizationHeader: true
-              redirectPathMatcher:
-                path:
-                  exact: /oauth2/callback
-              redirectUri: https://www.example.com/oauth2/callback
-              signoutPath:
-                path:
-                  exact: /logout
-              statPrefix: securitypolicy/envoy-gateway/security-policy-1
-              tokenEndpoint:
-                cluster: oauth_foo_com_443
-                timeout: 10s
-                uri: https://oauth.foo.com/token
-              useRefreshToken: true
         - name: envoy.filters.http.jwt_authn
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication

internal/xds/translator/testdata/out/xds-ir/oidc-and-jwt-with-passthrough.routes.yaml

@@ -16,6 +16,51 @@
         envoy.filters.http.jwt_authn:
           '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig
           requirementName: httproute/default/httproute-1/rule/0/match/0/www_example_com
-        envoy.filters.http.oauth2/securitypolicy/envoy-gateway/security-policy-1:
-          '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig
-          config: {}
+        envoy.filters.http.oauth2:
+          '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
+          config:
+            authScopes:
+            - openid
+            authType: BASIC_AUTH
+            authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
+            credentials:
+              clientId: client.oauth.foo.com
+              cookieNames:
+                bearerToken: AccessToken-b0a1b740
+                idToken: IdToken-b0a1b740
+                oauthExpires: OauthExpires-b0a1b740
+                oauthHmac: OauthHMAC-b0a1b740
+                oauthNonce: OauthNonce-b0a1b740
+                refreshToken: RefreshToken-b0a1b740
+              hmacSecret:
+                name: oauth2/hmac_secret/securitypolicy/envoy-gateway/security-policy-1
+                sdsConfig:
+                  ads: {}
+                  resourceApiVersion: V3
+              tokenSecret:
+                name: oauth2/client_secret/securitypolicy/envoy-gateway/security-policy-1
+                sdsConfig:
+                  ads: {}
+                  resourceApiVersion: V3
+            passThroughMatcher:
+            - name: Authorization
+              stringMatch:
+                prefix: 'Bearer '
+            - name: MyHeaderPrefixed
+              stringMatch:
+                prefix: MyPrefix
+            - name: MyHeaderNoPrefix
+            preserveAuthorizationHeader: true
+            redirectPathMatcher:
+              path:
+                exact: /oauth2/callback
+            redirectUri: https://www.example.com/oauth2/callback
+            signoutPath:
+              path:
+                exact: /logout
+            statPrefix: securitypolicy/envoy-gateway/security-policy-1
+            tokenEndpoint:
+              cluster: oauth_foo_com_443
+              timeout: 10s
+              uri: https://oauth.foo.com/token
+            useRefreshToken: true