oauth2 filter: Make OAuth scopes configurable.

api/envoy/extensions/filters/http/oauth2/v3alpha/oauth.proto

@@ -44,7 +44,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message OAuth2Config {
   // Endpoint on the authorization server to retrieve the access token from.
   config.core.v3.HttpUri token_endpoint = 1;
@@ -74,6 +74,10 @@ message OAuth2Config {
 
   // Any request that matches any of the provided matchers will be passed through without OAuth validation.
   repeated config.route.v3.HeaderMatcher pass_through_matcher = 8;
+
+  // Space separated list of scopes to be claimed in the authorization request.
+  // Defaults to "user" if not provided.
+  string auth_scopes = 9;
 }
 
 // Filter config.

docs/root/configuration/http/http_filters/oauth2_filter.rst

@@ -71,6 +71,8 @@ The following is an example configuring the filter.
         name: hmac
         sds_config:
           path: "/etc/envoy/hmac.yaml"
+    # (Optional): defaults to 'user' scope if not provided
+    auth_scopes: "profile email"
 
 Below is a complete code example of how we employ the filter as one of
 :ref:`HttpConnectionManager HTTP filters
@@ -114,6 +116,8 @@ Below is a complete code example of how we employ the filter as one of
                     name: hmac
                     sds_config:
                       path: "/etc/envoy/hmac.yaml"
+                # (Optional): defaults to 'user' scope is not provided
+                auth_scopes: "profile email"
           - name: envoy.router
           tracing: {}
           codec_type: "AUTO"

docs/root/version_history/current.rst

@@ -18,6 +18,7 @@ Minor Behavior Changes
 * ext_authz filter: the deprecated field :ref:`use_alpha <envoy_api_field_config.filter.http.ext_authz.v2.ExtAuthz.use_alpha>` is no longer supported and cannot be set anymore.
 * grpc_web filter: if a `grpc-accept-encoding` header is present it's passed as-is to the upstream and if it isn't `grpc-accept-encoding:identity` is sent instead. The header was always overwriten with `grpc-accept-encoding:identity,deflate,gzip` before.
 * memory: enable new tcmalloc with restartable sequences for aarch64 builds.
+* oauth filter: added the optional parameter :ref:`auth_scopes <config_http_filters_oauth>` with default value of 'user' if not provided. Enables for this value to be overridden in the Authorization request to the OAuth provider.
 * tls: removed RSA key transport and SHA-1 cipher suites from the client-side defaults.
 * watchdog: the watchdog action :ref:`abort_action <envoy_v3_api_msg_watchdog.v3alpha.AbortActionConfig>` is now the default action to terminate the process if watchdog kill / multikill is enabled.
 * xds: to support TTLs, heartbeating has been added to xDS. As a result, responses that contain empty resources without updating the version will no longer be propagated to the

source/extensions/filters/http/oauth2/config.cc

@@ -36,6 +36,7 @@ secretsProvider(const envoy::extensions::transport_sockets::tls::v3::SdsSecretCo
     return secret_manager.findStaticGenericSecretProvider(config.name());
   }
 }
+
 } // namespace
 
 Http::FilterFactoryCb OAuth2Config::createFilterFactoryFromProtoTyped(

source/extensions/filters/http/oauth2/filter.cc

@@ -48,7 +48,7 @@ constexpr const char* CookieTailHttpOnlyFormatString =
     ";version=1;path=/;Max-Age={};secure;HttpOnly";
 
 const char* AuthorizationEndpointFormat =
-    "{}?client_id={}&scope=user&response_type=code&redirect_uri={}&state={}";
+    "{}?client_id={}&scope={}&response_type=code&redirect_uri={}&state={}";
 
 constexpr absl::string_view UnauthorizedBodyMessage = "OAuth flow failed.";
 
@@ -61,6 +61,8 @@ constexpr absl::string_view REDIRECT_LOGGED_IN = "oauth.logged_in";
 constexpr absl::string_view REDIRECT_FOR_CREDENTIALS = "oauth.missing_credentials";
 constexpr absl::string_view SIGN_OUT = "oauth.sign_out";
 
+const std::string& DEFAULT_AUTH_SCOPE = "user";
+
 template <class T>
 std::vector<Http::HeaderUtility::HeaderData> headerMatchers(const T& matcher_protos) {
   std::vector<Http::HeaderUtility::HeaderData> matchers;
@@ -90,6 +92,8 @@ FilterConfig::FilterConfig(
       redirect_matcher_(proto_config.redirect_path_matcher()),
       signout_path_(proto_config.signout_path()), secret_reader_(secret_reader),
       stats_(FilterConfig::generateStats(stats_prefix, scope)),
+      auth_scopes_((!proto_config.auth_scopes().empty()) ? proto_config.auth_scopes()
+                                                         : DEFAULT_AUTH_SCOPE),
       forward_bearer_token_(proto_config.forward_bearer_token()),
       pass_through_header_matchers_(headerMatchers(proto_config.pass_through_matcher())) {
   if (!cluster_manager.get(oauth_token_endpoint_.cluster())) {
@@ -275,9 +279,9 @@ Http::FilterHeadersStatus OAuth2Filter::decodeHeaders(Http::RequestHeaderMap& he
     const std::string escaped_redirect_uri =
         Http::Utility::PercentEncoding::encode(redirect_uri, ":/=&?");
 
-    const std::string new_url =
-        fmt::format(AuthorizationEndpointFormat, config_->authorizationEndpoint(),
-                    config_->clientId(), escaped_redirect_uri, escaped_state);
+    const std::string new_url = fmt::format(
+        AuthorizationEndpointFormat, config_->authorizationEndpoint(), config_->clientId(),
+        config_->authScopes(), escaped_redirect_uri, escaped_state);
     response_headers->setLocation(new_url);
     decoder_callbacks_->encodeHeaders(std::move(response_headers), true, REDIRECT_FOR_CREDENTIALS);
 

source/extensions/filters/http/oauth2/filter.h

@@ -123,6 +123,7 @@ class FilterConfig {
   std::string clientSecret() const { return secret_reader_->clientSecret(); }
   std::string tokenSecret() const { return secret_reader_->tokenSecret(); }
   FilterStats& stats() { return stats_; }
+  const std::string authScopes() const { return auth_scopes_; }
 
 private:
   static FilterStats generateStats(const std::string& prefix, Stats::Scope& scope);
@@ -135,6 +136,7 @@ class FilterConfig {
   const Matchers::PathMatcher signout_path_;
   std::shared_ptr<SecretReader> secret_reader_;
   FilterStats stats_;
+  const std::string auth_scopes_;
   const bool forward_bearer_token_ : 1;
   const std::vector<Http::HeaderUtility::HeaderData> pass_through_header_matchers_;
 };

source/extensions/filters/http/oauth2/oauth_client.cc

@@ -66,6 +66,7 @@ void OAuth2ClientImpl::onSuccess(const Http::AsyncClient::Request&,
   const auto response_code = message->headers().Status()->value().getStringView();
   if (response_code != "200") {
     ENVOY_LOG(debug, "Oauth response code: {}", response_code);
+    ENVOY_LOG(debug, "Oauth response body: {}", message->bodyAsString());
     parent_->sendUnauthorizedResponse();
     return;
   }

test/extensions/filters/http/oauth2/config_test.cc

@@ -47,6 +47,7 @@ void expectInvalidSecretConfig(const std::string& failed_secret_name,
   signout_path:
     path:
       exact: /signout
+  auth_scopes: user
     )EOF";
 
   OAuth2Config factory;
@@ -87,6 +88,7 @@ TEST(ConfigTest, CreateFilter) {
   signout_path:
     path:
       exact: /signout
+  auth_scopes: user
     )EOF";
 
   OAuth2Config factory;

test/extensions/filters/http/oauth2/filter_test.cc

@@ -35,6 +35,7 @@ static const std::string TEST_CALLBACK = "/_oauth";
 static const std::string TEST_CLIENT_ID = "1";
 static const std::string TEST_CLIENT_SECRET_ID = "MyClientSecretKnoxID";
 static const std::string TEST_TOKEN_SECRET_ID = "MyTokenSecretKnoxID";
+static const std::string TEST_AUTH_SCOPES = "user openid email";
 
 namespace {
 Http::RegisterCustomInlineHeader<Http::CustomInlineHeaderRegistry::Type::RequestHeaders>
@@ -91,6 +92,7 @@ class OAuth2Test : public testing::Test {
     p.set_authorization_endpoint("https://auth.example.com/oauth/authorize/");
     p.mutable_signout_path()->mutable_path()->set_exact("/_signout");
     p.set_forward_bearer_token(true);
+    p.set_auth_scopes(TEST_AUTH_SCOPES);
     auto* matcher = p.add_pass_through_matcher();
     matcher->set_name(":method");
     matcher->set_exact_match("OPTIONS");
@@ -147,6 +149,41 @@ TEST_F(OAuth2Test, InvalidCluster) {
                             "specify which cluster to direct OAuth requests to.");
 }
 
+// Verifies that the OAuth config is created with a default value for auth_scopes field when it is
+// not set in proto/yaml.
+TEST_F(OAuth2Test, DefaultAuthScope) {
+
+  // Set up proto fields
+  envoy::extensions::filters::http::oauth2::v3alpha::OAuth2Config p;
+  auto* endpoint = p.mutable_token_endpoint();
+  endpoint->set_cluster("auth.example.com");
+  endpoint->set_uri("auth.example.com/_oauth");
+  endpoint->mutable_timeout()->set_seconds(1);
+  p.set_redirect_uri("%REQ(x-forwarded-proto)%://%REQ(:authority)%" + TEST_CALLBACK);
+  p.mutable_redirect_path_matcher()->mutable_path()->set_exact(TEST_CALLBACK);
+  p.set_authorization_endpoint("https://auth.example.com/oauth/authorize/");
+  p.mutable_signout_path()->mutable_path()->set_exact("/_signout");
+  p.set_forward_bearer_token(true);
+  auto* matcher = p.add_pass_through_matcher();
+  matcher->set_name(":method");
+  matcher->set_exact_match("OPTIONS");
+
+  auto credentials = p.mutable_credentials();
+  credentials->set_client_id(TEST_CLIENT_ID);
+  credentials->mutable_token_secret()->set_name("secret");
+  credentials->mutable_hmac_secret()->set_name("hmac");
+
+  MessageUtil::validate(p, ProtobufMessage::getStrictValidationVisitor());
+
+  // Create the OAuth config.
+  auto secret_reader = std::make_shared<MockSecretReader>();
+  FilterConfigSharedPtr test_config_;
+  test_config_ = std::make_shared<FilterConfig>(p, factory_context_.cluster_manager_, secret_reader,
+                                                scope_, "test.");
+
+  EXPECT_EQ(test_config_->authScopes(), "user");
+}
+
 /**
  * Scenario: The OAuth filter receives a sign out request.
  *
@@ -239,8 +276,8 @@ TEST_F(OAuth2Test, OAuthErrorNonOAuthHttpCallback) {
       {Http::Headers::get().Location.get(),
        "https://auth.example.com/oauth/"
        "authorize/?client_id=" +
-           TEST_CLIENT_ID +
-           "&scope=user&response_type=code&"
+           TEST_CLIENT_ID + "&scope=" + TEST_AUTH_SCOPES +
+           "&response_type=code&"
            "redirect_uri=http%3A%2F%2Ftraffic.example.com%2F"
            "_oauth&state=http%3A%2F%2Ftraffic.example.com%2Fnot%2F_oauth"},
   };
@@ -392,8 +429,8 @@ TEST_F(OAuth2Test, OAuthTestInvalidUrlInStateQueryParam) {
   Http::TestRequestHeaderMapImpl request_headers{
       {Http::Headers::get().Host.get(), "traffic.example.com"},
       {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get},
-      {Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=user&"
-                                        "state=blah"},
+      {Http::Headers::get().Path.get(),
+       "/_oauth?code=abcdefxyz123&scope=" + TEST_AUTH_SCOPES + "&state=blah"},
       {Http::Headers::get().Cookie.get(), "OauthExpires=123;version=test"},
       {Http::Headers::get().Cookie.get(), "BearerToken=legit_token;version=test"},
       {Http::Headers::get().Cookie.get(),
@@ -426,8 +463,8 @@ TEST_F(OAuth2Test, OAuthTestCallbackUrlInStateQueryParam) {
   Http::TestRequestHeaderMapImpl request_headers{
       {Http::Headers::get().Host.get(), "traffic.example.com"},
       {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get},
-      {Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=user&"
-                                        "state=https%3A%2F%2Ftraffic.example.com%2F_oauth"},
+      {Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=" + TEST_AUTH_SCOPES +
+                                            "&state=https%3A%2F%2Ftraffic.example.com%2F_oauth"},
       {Http::Headers::get().Cookie.get(), "OauthExpires=123;version=test"},
       {Http::Headers::get().Cookie.get(), "BearerToken=legit_token;version=test"},
       {Http::Headers::get().Cookie.get(),
@@ -457,8 +494,8 @@ TEST_F(OAuth2Test, OAuthTestCallbackUrlInStateQueryParam) {
   Http::TestRequestHeaderMapImpl final_request_headers{
       {Http::Headers::get().Host.get(), "traffic.example.com"},
       {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get},
-      {Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=user&"
-                                        "state=https%3A%2F%2Ftraffic.example.com%2F_oauth"},
+      {Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=" + TEST_AUTH_SCOPES +
+                                            "&state=https%3A%2F%2Ftraffic.example.com%2F_oauth"},
       {Http::Headers::get().Cookie.get(), "OauthExpires=123;version=test"},
       {Http::Headers::get().Cookie.get(), "BearerToken=legit_token;version=test"},
       {Http::Headers::get().Cookie.get(),
@@ -482,8 +519,9 @@ TEST_F(OAuth2Test, OAuthTestUpdatePathAfterSuccess) {
   Http::TestRequestHeaderMapImpl request_headers{
       {Http::Headers::get().Host.get(), "traffic.example.com"},
       {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get},
-      {Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=user&"
-                                        "state=https%3A%2F%2Ftraffic.example.com%2Foriginal_path"},
+      {Http::Headers::get().Path.get(),
+       "/_oauth?code=abcdefxyz123&scope=" + TEST_AUTH_SCOPES +
+           "&state=https%3A%2F%2Ftraffic.example.com%2Foriginal_path"},
       {Http::Headers::get().Cookie.get(), "OauthExpires=123;version=test"},
       {Http::Headers::get().Cookie.get(), "BearerToken=legit_token;version=test"},
       {Http::Headers::get().Cookie.get(),
@@ -511,8 +549,9 @@ TEST_F(OAuth2Test, OAuthTestUpdatePathAfterSuccess) {
   Http::TestRequestHeaderMapImpl final_request_headers{
       {Http::Headers::get().Host.get(), "traffic.example.com"},
       {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get},
-      {Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=user&"
-                                        "state=https%3A%2F%2Ftraffic.example.com%2Foriginal_path"},
+      {Http::Headers::get().Path.get(),
+       "/_oauth?code=abcdefxyz123&scope=" + TEST_AUTH_SCOPES +
+           "&state=https%3A%2F%2Ftraffic.example.com%2Foriginal_path"},
       {Http::Headers::get().Cookie.get(), "OauthExpires=123;version=test"},
       {Http::Headers::get().Cookie.get(), "BearerToken=legit_token;version=test"},
       {Http::Headers::get().Cookie.get(),
@@ -545,8 +584,8 @@ TEST_F(OAuth2Test, OAuthTestFullFlowPostWithParameters) {
       {Http::Headers::get().Location.get(),
        "https://auth.example.com/oauth/"
        "authorize/?client_id=" +
-           TEST_CLIENT_ID +
-           "&scope=user&response_type=code&"
+           TEST_CLIENT_ID + "&scope=" + TEST_AUTH_SCOPES +
+           "&response_type=code&"
            "redirect_uri=https%3A%2F%2Ftraffic.example.com%2F"
            "_oauth&state=https%3A%2F%2Ftraffic.example.com%2Ftest%"
            "3Fname%3Dadmin%26level%3Dtrace"},

test/extensions/filters/http/oauth2/oauth_integration_test.cc

@@ -58,6 +58,7 @@ name: oauth
         name: token
       hmac_secret:
         name: hmac
+    auth_scopes: user openid email
 )EOF");
 
     // Add the OAuth cluster.