-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[OAuth2] Incompatibility with access_token responses without "expire_in" #14542
Comments
Until then, here's an ugly patch for testing / demonstration. This patch just ignores the With this patch and #14538, the oauth2 token works with the GitHub OAuth App feature. diff --git a/source/extensions/filters/http/oauth2/oauth_client.cc b/source/extensions/filters/http/oauth2/oauth_client.cc
index 170d4a9a2..16f807c14 100644
--- a/source/extensions/filters/http/oauth2/oauth_client.cc
+++ b/source/extensions/filters/http/oauth2/oauth_client.cc
@@ -88,14 +88,14 @@ void OAuth2ClientImpl::onSuccess(const Http::AsyncClient::Request&,
// TODO(snowp): Should this be a pgv validation instead? A more readable log
// message might be good enough reason to do this manually?
- if (!response.has_access_token() || !response.has_expires_in()) {
- ENVOY_LOG(debug, "No access token or expiration after asyncGetAccessToken");
+ if (!response.has_access_token()) {
+ ENVOY_LOG(debug, "No access token after asyncGetAccessToken");
parent_->sendUnauthorizedResponse();
return;
}
const std::string access_token{PROTOBUF_GET_WRAPPED_REQUIRED(response, access_token)};
- const std::chrono::seconds expires_in{PROTOBUF_GET_WRAPPED_REQUIRED(response, expires_in)};
+ const std::chrono::seconds expires_in{3600};
parent_->onGetAccessTokenSuccess(access_token, expires_in);
} Filter: name: envoy.filters.http.oauth2
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3alpha.OAuth2
config:
token_endpoint:
cluster: github-oauth
uri: https://github.com/login/oauth/access_token
timeout: 3s
authorization_endpoint: https://github.com/login/oauth/authorize
redirect_uri: "<URL_TO_SELF>/callback"
redirect_path_matcher:
path:
exact: /callback
signout_path:
path:
exact: /signout
credentials:
client_id: <YOUR_GITHUB_CLIENT_ID>
token_secret:
name: github-oauth-client-secret
hmac_secret:
name: github-oauth-hmac Cluster: name: github-oauth
connect_timeout: 5s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: github-oauth
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: github.com
port_value: 443
transport_socket:
name: tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: github.com |
cc: @williamsfu99 |
I'll have a go at fixing this today if you don't mind. |
@terorie |
@williamsfu99 Thanks for your quick response and helping me with this. I would appreciate a look at #14625. I'm very new to Envoy, so if the code isn't any good, feel free to submit your own PR. In the meantime, I'm going to add tests later today. |
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
Please remove the stale label. Envoy is still incompatible with GitHub's OAuth 2.0 provider. |
Sorry to barge in, but is there a workaround or my best option are to compile envoy with hardcodes |
It seems this is still an issue when attempting to authenticate against Github.
Frustrating issue that wasn't too clear until I found this thread: it's very hard to find results for debugging GIthub's own products! |
@orHayoun @DiamondJoseph I am working on fixing #14625 today. |
Title: oauth2 filter is incompatible with authorization servers that omit
expire_in
onaccess_token
responsesDescription:
When configuring the oauth2 HTTP filter against an RFC 6749-compliant OAuth 2.0 authorization server, the auth flow fails if the
access_token
response does not contain anexpire_in
field.Repro steps:
Setup Envoy oauth2 HTTP filter against an RFC 6749-compliant authorization server that does not return the
expire_in
field on theaccess_token
response, such as GitHub.Admin and Stats Output: Not relevant
Config:
Logs:
Starting with the response headers of the
access_token
request as sent by the Envoy OAuth 2.0 client implementation.Relevant log line:
No access token or expiration after asyncGetAccessToken
Call Stack: Not relevant
Additional information
RFC 6749 Section 5.1 states:
In short, authorization server implementations do not have to provide the
expires_in
parameter in theiraccess_token
request response.For example, GitHub does not set this parameter: (https://docs.github.com/en/free-pro-team@latest/developers/apps/authorizing-oauth-apps)
The Envoy OAuth 2.0 client implementation interprets this field as mandatory though. It rejects any responses without the
expired_in
parameterenvoy/source/extensions/filters/http/oauth2/oauth_client.cc
Lines 91 to 95 in 7e3b483
Proposed Fix
#14625
The Envoy oauth2 filter token config should have a field
default_expires_in
or similar, that when specified, allows responses without theexpires_in
field to pass. In the absence of theexpires_in
field, it should use that default value from the config file as the token expiration parameter.The text was updated successfully, but these errors were encountered: