envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Add OAuth2 introspect with anonymous consumer forwarding to OAuth2 http filter. #26774

Closed KieronWiltshire closed 1 year ago

KieronWiltshire commented 1 year ago

Description:


Very simply, I'd like an OAuth2 introspect filter which I can use on my routes passing additional info such as the subject and scopes as a bearer token with the additional possibility of providing a default subject if the introspection fails, such as "anonymous."

Relevant Links:

Ory Oathkeeper does this well but it's lacking general support.

KieronWiltshire commented 1 year ago

After some research I've realised what I'm requesting really is an OAuth2 introspect. I will change the title and description to represent the actual issue.

htuch commented 1 year ago

@snowp

KieronWiltshire commented 1 year ago

I should probably add to this that I think the best way to do this would be to allow the ability to introspect the token and create a custom JWT with claims from the introspection response, the payload's additional claims may look something like this:

{
  "anonymous": "introspect.active",
  "client_id": "introspect.client_id",
  "username": "introspect.username",
  "scopes": "introspect.scopes"
}

The question would be, how can the microservice verify the payload? This would likely need envoy to expose JWKS (which I don't think is a bad idea). It may also be a good idea to allow specific routes to allow "anonymous" fallback or not.
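The pipeline sketched in this thread (introspect, map the RFC 7662 response to claims with an "anonymous" fallback, mint a signed JWT, let the upstream verify it against a key set published by the proxy) as an added, self-contained Go example. It is not Envoy code and not the issue author's; Envoy has no such filter. Everything beyond the issue's claim mapping is an assumption made here: ES256 over P-256 as the signing algorithm, the key id `proxy-es256-1`, `anonymous` taken as the inverse of `active`, `username` used as `sub` with `client_id` as fallback, a per-route `allowAnonymous` switch, a JWKS modelled as an in-memory kid-to-key map (the JSON `x`/`y` serialisation is left out), and the sample introspection responses, which are constructed inline and never fetched from a server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// IntrospectionResponse is the subset of an RFC 7662 response consumed here.
type IntrospectionResponse struct {
	Active   bool   `json:"active"`
	ClientID string `json:"client_id"`
	Username string `json:"username"`
	Scope    string `json:"scope"` // space-separated, per RFC 7662
}

// Claims is the minted payload; names follow the issue's mapping, with "anonymous" the inverse of "active".
type Claims struct {
	Sub       string   `json:"sub"`
	Anonymous bool     `json:"anonymous"`
	ClientID  string   `json:"client_id,omitempty"`
	Username  string   `json:"username,omitempty"`
	Scopes    []string `json:"scopes"`
	Exp       int64    `json:"exp"`
}

const keyID = "proxy-es256-1" // hypothetical key identifier
var signingKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo key; a deployment loads it from a secret store
var enc = base64.RawURLEncoding

// MapClaims applies the route policy: an inactive result (treat a failed introspection call the same
// way) becomes the anonymous identity with no scopes if the route allows that, and is rejected otherwise.
func MapClaims(r IntrospectionResponse, defaultSubject string, allowAnonymous bool, ttl time.Duration) (Claims, error) {
	exp := time.Now().Add(ttl).Unix()
	if !r.Active {
		if !allowAnonymous {
			return Claims{}, errors.New("token inactive and route does not allow anonymous")
		}
		return Claims{Sub: defaultSubject, Anonymous: true, Scopes: []string{}, Exp: exp}, nil
	}
	c := Claims{Sub: r.Username, ClientID: r.ClientID, Username: r.Username, Scopes: strings.Fields(r.Scope), Exp: exp}
	if c.Sub == "" {
		c.Sub = r.ClientID // client-credentials tokens carry no username
	}
	return c, nil
}

// SignJWT emits an ES256 JWS. JWS wants the raw R||S signature (32 bytes each for P-256),
// not the ASN.1 encoding that ecdsa.SignASN1 would produce.
func SignJWT(c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": keyID})
	pl, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, signingKey, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// JWKS is the key set the proxy would publish, keyed by kid. A real endpoint serialises each key
// as {"kty":"EC","crv":"P-256","kid":...,"x":...,"y":...}; that JSON encoding is omitted here.
func JWKS() map[string]*ecdsa.PublicKey {
	return map[string]*ecdsa.PublicKey{keyID: &signingKey.PublicKey}
}

// VerifyJWT is the upstream side: pin the algorithm, select the key by kid, verify over the exact
// header.payload bytes as received, then check expiry. Claims are decoded only after the signature passes.
func VerifyJWT(token string, keys map[string]*ecdsa.PublicKey, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	hb, err := enc.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" || keys[hdr.Kid] == nil {
		return Claims{}, errors.New("bad header, unsupported alg, or unknown kid") // the token never picks these
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 || !ecdsa.Verify(keys[hdr.Kid], h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return Claims{}, errors.New("bad or invalid signature")
	}
	var c Claims
	pb, err := enc.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil || now.Unix() >= c.Exp {
		return Claims{}, errors.New("bad payload or token expired")
	}
	return c, nil
}
```

Two design points worth keeping if this is ever built into a proxy: the verifier pins `alg` and looks the key up by `kid` from the proxy's key set rather than trusting anything in the token header, and an inactive or failed introspection only becomes "anonymous" where the route opts in, so a broken introspection endpoint cannot silently downgrade every route to anonymous access. A token minted this way, with a short `exp`, is also the shape Envoy's existing `jwt_authn` filter can validate on the upstream side from a JWKS URL.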

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] commented 1 year ago

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.