envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

oauth2 filter: option to allow errors and pass through #36523

Open mchen391 opened 2 weeks ago

mchen391 commented 2 weeks ago

Title: Provide an option to allow errors and pass through

Description:

Today, there is a deny_redirect_matcher, which is useful for APIs where redirecting does not make sense (e.g. an AJAX endpoint). For endpoints that are listed in deny_redirect_matcher, the behavior is:

  1. If the access token exists and is valid, succeed and pass to the next filter
  2. If the access token is expired and a refresh token exists, attempt to refresh the access token and set it in the cookies
  3. If the refresh failed or the refresh token is absent, sendLocalReply with the error message "OAuth flow failed."

While the local reply is customizable using local reply modification, we still run into a use case where the upstream service wants to handle the error itself, i.e. we need an option that makes the 3rd bullet above become:

Similarly, in the JWT authentication filter, there is a JWT requirement rule called allow_missing_or_failed (doc), with which any missing or invalid JWT will pass through so the upstream service can handle the error itself.
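
For readers comparing the two filters mentioned above, here is an added HTTP filter chain fragment (not part of the issue and not Envoy's own example config) that places the oauth2 filter's deny_redirect_matcher on an API prefix and, on the same prefix, a jwt_authn rule with allow_missing_or_failed. The cluster names, secret file paths, endpoints, the "/api/" prefix and the "api_jwt" provider name are all assumed for illustration; the field names are the ones from the v3 OAuth2 and JwtAuthentication protos. With this config, an unauthenticated browser request to "/app" is redirected to the authorization endpoint, an unauthenticated request to "/api/..." gets the local reply described in bullet 3 from the oauth2 filter, and a request that carries a missing or bad JWT is still forwarded by the jwt_authn filter so the upstream can reply itself, which is the behavior the issue asks the oauth2 filter to offer as an option.

```yaml
# Assumed fragment: http_filters list of an HttpConnectionManager.
http_filters:
- name: envoy.filters.http.oauth2
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
    config:
      token_endpoint:
        uri: https://idp.example.com/oauth2/token   # assumed IdP
        cluster: idp_cluster                         # assumed cluster name
        timeout: 3s
      authorization_endpoint: https://idp.example.com/oauth2/authorize
      redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
      redirect_path_matcher:
        path:
          exact: /callback
      signout_path:
        path:
          exact: /signout
      forward_bearer_token: true
      use_refresh_token: true
      credentials:
        client_id: my-client-id                      # assumed
        token_secret:
          name: token
          sds_config:
            path_config_source:
              path: /etc/envoy/token-secret.yaml   # assumed path
        hmac_secret:
          name: hmac
          sds_config:
            path_config_source:
              path: /etc/envoy/hmac-secret.yaml    # assumed path
      # Requests matching here are never redirected to the IdP; with no
      # valid or refreshable token they get the "OAuth flow failed." local
      # reply (bullet 3 in the issue) instead of a 302.
      deny_redirect_matcher:
      - name: ":path"
        string_match:
          prefix: /api/
      # Health checks bypass the oauth2 filter entirely.
      pass_through_matcher:
      - name: ":path"
        string_match:
          exact: /healthz
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      api_jwt:                                       # assumed provider name
        issuer: https://idp.example.com/
        audiences:
        - my-api
        remote_jwks:
          http_uri:
            uri: https://idp.example.com/.well-known/jwks.json
            cluster: idp_cluster
            timeout: 3s
          cache_duration: 300s
        from_headers:
        - name: Authorization
          value_prefix: "Bearer "
        payload_in_metadata: jwt_payload
    rules:
    - match:
        prefix: /api/
      # Pass-through behavior the issue wants for oauth2: a valid JWT from
      # api_jwt satisfies the rule, and a missing or invalid JWT also
      # satisfies it, so the request reaches the upstream either way.
      requires:
        requires_any:
          requirements:
          - provider_name: api_jwt
          - allow_missing_or_failed: {}
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

Note the trade-off the allow_missing_or_failed pattern carries: once the filter forwards failed requests, the upstream must check the verified claims (here exposed under the jwt_payload metadata key) itself, because their absence no longer blocks the request at the proxy.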

alyssawilk commented 2 weeks ago

cc @derekargueta @mattklein123 for thoughts/comments