OAuth2 filter: supports forwarding ID tokens to upstream web service via the Authorization header bearer scheme

[zhaohuabing]

Title: OAuth2 filter: supports forwarding ID tokens to upstream web service via the Authorization header bearer scheme

Description:
OAuth2 filter has a forward_bearer_token configuration knob. If enabled, it forwards access tokens to the upstream web service via the Authorization header bearer scheme. Could we also add a knob to forward ID tokens via the Authorization header? This would allow the JWT filter or applications to utilize ID tokens for JWT-based authentication or other authorization purposes.

Related discussion in Envoy Gateway: envoyproxy/gateway#2425 (comment)

[nezdolik]

cc @lizan @mattklein123 @derekargueta

[zvlb]

I think this issue can help me with my case.

I want save Authorization Header from request. But if forward_bearer_token=false Authorization Header deleted from requests(

[evilr00t]

👀 Hi guys, any update on this one?

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[derekargueta]

@nezdolik can we nostale this? On my radar, wrapping up #2098 first

[michaelsauter]

How does this relate to forward_payload_header of the Jwt Authentication filter? We use that to forward the ID token payload to the upstream (via another header than Authorization). In that case, the token is verified by envoy before sending it on. If the oauth filter would forward the ID token via the Authorization, it would not be able to verify it, because the oauth filter doesn't know e.g. the JWKS URI. I think it might be odd if the behaviour between the filters differs drastically in terms of provided security?

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[github-actions]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.