envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

[OAUTH2] Forward ID Token and Refresh Token #15489

Open lewismacdonald opened 3 years ago

lewismacdonald commented 3 years ago

Title: Allow oauth2 forwarding of refresh/id token

Description:

We are trying to use the oauth2 filter to manage an OAuth2/OIDC flow, but the current implementation can only forward the access token through the filter chain/to downstream and not other tokens potentially returned from the id provider (i.e. refresh token, id token).

I believe this would require an extension of https://github.com/envoyproxy/envoy/blob/23a97fbb237b51f10c19c8c228f74faf7ec65370/source/extensions/filters/http/oauth2/oauth_client.cc#L32

The desired behavior I think would be options of embedding more than just the access token in the cookie - perhaps via an additional config to optionally determine which response keys from the /token endpoint should be embedded in the cookie and forwarded using forward_bearer_token: true
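As an added illustration (not Envoy's code, and not how the filter is actually configured), a small Python model of what the issue proposes: a configurable map from /token response keys to cookies, an HMAC over the resulting cookie set, and forwarding upstream of only the tokens upstream needs. The cookie names, the COOKIE_KEYS map and the x-* header names are assumptions made for this example.

```python
import hashlib
import hmac
import json
from http.cookies import SimpleCookie
# Constructed sample /token response; the values are placeholders, not real tokens.
TOKEN_RESPONSE = json.dumps({"access_token": "at-EXAMPLE", "id_token": "idt-EXAMPLE",
                             "refresh_token": "rt-EXAMPLE", "expires_in": 3600})
# Hypothetical config: which /token keys to persist, and under which cookie name.
COOKIE_KEYS = {"access_token": "BearerToken", "id_token": "IdToken",
               "refresh_token": "RefreshToken"}
HMAC_SECRET = b"constructed-hmac-secret"  # stands in for the filter's hmac_secret

def sign(cookies: dict) -> str:
    """HMAC over the sorted name=value pairs, so a tampered cookie fails validation."""
    msg = "\n".join(f"{k}={v}" for k, v in sorted(cookies.items()) if k != "OauthHMAC")
    return hmac.new(HMAC_SECRET, msg.encode(), hashlib.sha256).hexdigest()

def cookies_from_token_response(body: str, now: int, keys=COOKIE_KEYS) -> dict:
    """Pick the configured keys out of the IdP response; add expiry and HMAC cookies."""
    resp = json.loads(body)
    cookies = {name: resp[key] for key, name in keys.items() if key in resp}
    cookies["OauthExpires"] = str(now + int(resp.get("expires_in", 0)))
    cookies["OauthHMAC"] = sign(cookies)
    return cookies

def validate(cookies: dict, now: int) -> bool:
    """Reject a cookie set whose HMAC does not match or whose access token expired."""
    if not hmac.compare_digest(cookies.get("OauthHMAC", ""), sign(cookies)):
        return False
    return now < int(cookies.get("OauthExpires", "0"))

def forward_headers(cookies: dict, forward_bearer_token=True, extra=("IdToken",)) -> dict:
    """Headers sent upstream; the refresh token is never forwarded (only the proxy needs it)."""
    headers = {}
    if forward_bearer_token and "BearerToken" in cookies:
        headers["Authorization"] = f"Bearer {cookies['BearerToken']}"
    for name in extra:  # hypothetical per-token header names, e.g. x-idtoken
        if name in cookies:
            headers[f"x-{name.lower()}"] = cookies[name]
    return headers

def set_cookie_headers(cookies: dict) -> list[str]:
    """Render Set-Cookie headers; HttpOnly+Secure keep tokens away from page scripts."""
    out = []
    for name, value in cookies.items():
        c = SimpleCookie({name: value})
        c[name].update({"httponly": True, "secure": True, "path": "/", "samesite": "Lax"})
        out.append(c.output(header="").strip())
    return out
```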

snowp commented 3 years ago

Seems reasonable, marking as help wanted.

jamesmulcahy commented 3 years ago

There's some overlap here with #17808 and its associated PR.

Alexcei88 commented 3 years ago

#17808 already contains changes in the main branch.

kanurag94 commented 1 year ago

I think this is already done, but do we want the functionality to set a header as well, as we do for the BearerToken?

Alexcei88 commented 1 year ago

I think there is no need to pass the Refresh Token and ID token. Why is the refresh token needed upstream? I cannot come up with a use case. Envoy updates the access token using the refresh token.

kanurag94 commented 1 year ago

Sure @Alexcei88, I meant to ask this rhetorically -- if we are waiting for the same or this is complete.

"Envoy updates access token using by refresh token"

P.S. I think it's not yet implemented to update access_token using refresh_token (but it would be https://github.com/envoyproxy/envoy/pull/24684 -- your PR)