An Envoy proxy extension that handles end-user authentication using OpenID Connect (OIDC). Only the Authorization Code flow is supported.
Filter builds are hosted on WebAssemblyHub
The extension is written in Rust and the compile target is wasm32-wasi. The filter is written against the WebAssembly for Proxies ABI specification. Tested with envoy:v1.17.
The extension handles requests to the following paths itself, so upstream applications should not use the same paths.
| Path | Description |
|---|---|
| /callback | Path on the proxy that the authorization server redirects the end-user back to after authentication |
| /start | Starts an OpenID Connect authorization flow |
| /sign_out | Clears the session with the extension; it does not clear the session with the IdP |
The filter can be configured through. Note that some fields are optional with default values.
| Field | Type | Default | Description |
|---|---|---|---|
| redirect_uri | String | /callback | URL the authorization server redirects the end-user back to after authentication |
| cookie_name | String | oidcSession | Cookie name that holds the session cookie for the user |
| scopes | list[String] | ["openid"] | Scopes the filter will request from the authorization server |
| auth_cluster | String | auth_server_cluster | Envoy cluster that the filter will use to issue token request to the authorization server |
| auth_url | String | Required | The URL that unauthenticated end-users will be redirected to. |
| token_url | String | Required | The URL that the filter will issue token requests against |
| client_id | String | Required | OAuth 2.0 / OIDC client ID |
| client_secret | String | Required | OAuth 2.0 / OIDC client secret |
| extra_params | list[[String, String]] | [] | Extra query parameters the filter will add to the authorization redirect to the authorization server |
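The following is an added example, not a configuration shipped with the project: a minimal Envoy v1.17 static bootstrap that loads the filter and wires the fields from the table above into it. It assumes the filter reads its configuration as a JSON object keyed by the field names in the table (the README does not state the encoding), and every concrete value is a placeholder: the `.wasm` path, the plugin name `oidc_filter`, the IdP host `idp.example.com` and its endpoint paths, the client credentials, and the upstream application at `app:8080`. Optional fields that are left out keep the defaults from the table.

```yaml
# Added example (not part of the project): Envoy bootstrap wiring the OIDC filter.
# All hosts, paths, names and credentials below are placeholders.
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: app
              domains: ["*"]
              routes:
              # /callback, /start and /sign_out never reach the upstream; the filter
              # answers them itself, so a single catch-all route is enough.
              - match: { prefix: "/" }
                route: { cluster: app_cluster }
          http_filters:
          - name: envoy.filters.http.wasm
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
              config:
                name: oidc_filter                      # placeholder plugin name
                vm_config:
                  runtime: envoy.wasm.runtime.v8
                  code:
                    local:
                      filename: /etc/envoy/oidc_filter.wasm   # placeholder path to the build
                # Filter configuration using the field names from the table above.
                # redirect_uri, cookie_name and auth_cluster are omitted and so keep
                # their defaults (/callback, oidcSession, auth_server_cluster).
                configuration:
                  "@type": type.googleapis.com/google.protobuf.StringValue
                  value: |
                    {
                      "auth_url": "https://idp.example.com/oauth2/authorize",
                      "token_url": "https://idp.example.com/oauth2/token",
                      "client_id": "REPLACE_WITH_CLIENT_ID",
                      "client_secret": "REPLACE_WITH_CLIENT_SECRET",
                      "scopes": ["openid", "profile"],
                      "extra_params": [["prompt", "login"]]
                    }
          - name: envoy.filters.http.router
  clusters:
  # Back-channel cluster the filter uses for the token request (the auth_cluster
  # default). The client_secret and the authorization code travel over it, so it
  # terminates TLS against the IdP and verifies the server certificate.
  - name: auth_server_cluster
    type: LOGICAL_DNS
    connect_timeout: 5s
    load_assignment:
      cluster_name: auth_server_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: idp.example.com, port_value: 443 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: idp.example.com
        common_tls_context:
          validation_context:
            trusted_ca: { filename: /etc/ssl/certs/ca-certificates.crt }
  # Upstream application; it receives the Authorization and X-Forwarded-ID-Token headers.
  - name: app_cluster
    type: STRICT_DNS
    connect_timeout: 1s
    load_assignment:
      cluster_name: app_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: app, port_value: 8080 }
```

The `validation_context` on `auth_server_cluster` is the part worth keeping even when everything else is adapted: without a trusted CA the cluster would accept any certificate for `idp.example.com`, and the token request carries the client secret.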
The filter adds the tokens it receives from the authorization server to the request headers, so the upstream application receives the request with the tokens in the headers listed below. NOTE: Upstream applications are responsible for validating the received tokens.
| Header | Token | Description |
|---|---|---|
| Authorization | Access token | The access token from the successful authorization flow is added by the filter to the request in the Authorization header, as a bearer token |
| X-Forwarded-ID-Token | ID token | The ID token, if returned from the authorization server, is added as the value of the X-Forwarded-ID-Token header |