[OAuth2] Incompatibility with access_token responses without "expire_in" #14542
Comments
|
Until then, here's an ugly patch for testing / demonstration. This patch just ignores the With this patch and #14538, the oauth2 token works with the GitHub OAuth App feature. diff --git a/source/extensions/filters/http/oauth2/oauth_client.cc b/source/extensions/filters/http/oauth2/oauth_client.cc
index 170d4a9a2..16f807c14 100644
--- a/source/extensions/filters/http/oauth2/oauth_client.cc
+++ b/source/extensions/filters/http/oauth2/oauth_client.cc
@@ -88,14 +88,14 @@ void OAuth2ClientImpl::onSuccess(const Http::AsyncClient::Request&,
// TODO(snowp): Should this be a pgv validation instead? A more readable log
// message might be good enough reason to do this manually?
- if (!response.has_access_token() || !response.has_expires_in()) {
- ENVOY_LOG(debug, "No access token or expiration after asyncGetAccessToken");
+ if (!response.has_access_token()) {
+ ENVOY_LOG(debug, "No access token after asyncGetAccessToken");
parent_->sendUnauthorizedResponse();
return;
}
const std::string access_token{PROTOBUF_GET_WRAPPED_REQUIRED(response, access_token)};
- const std::chrono::seconds expires_in{PROTOBUF_GET_WRAPPED_REQUIRED(response, expires_in)};
+ const std::chrono::seconds expires_in{3600};
parent_->onGetAccessTokenSuccess(access_token, expires_in);
}Filter: name: envoy.filters.http.oauth2
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3alpha.OAuth2
config:
token_endpoint:
cluster: github-oauth
uri: https://github.com/login/oauth/access_token
timeout: 3s
authorization_endpoint: https://github.com/login/oauth/authorize
redirect_uri: "<URL_TO_SELF>/callback"
redirect_path_matcher:
path:
exact: /callback
signout_path:
path:
exact: /signout
credentials:
client_id: <YOUR_GITHUB_CLIENT_ID>
token_secret:
name: github-oauth-client-secret
hmac_secret:
name: github-oauth-hmacCluster: name: github-oauth
connect_timeout: 5s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: github-oauth
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: github.com
port_value: 443
transport_socket:
name: tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: github.com |
|
cc: @williamsfu99 |
|
I'll have a go at fixing this today if you don't mind. |
|
@terorie |
|
@williamsfu99 Thanks for your quick response and helping me with this. I would appreciate a look at #14625. I'm very new to Envoy, so if the code isn't any good, feel free to submit your own PR. In the meantime, I'm going to add tests later today. |
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
stale
|
Please remove the stale label. Envoy is still incompatible with GitHub's OAuth 2.0 provider. |
github-actions
bot
removed
the
stale
|
Sorry to barge in, but is there a workaround or my best option are to compile envoy with hardcodes |
|
It seems this is still an issue when attempting to authenticate against Github. Frustrating issue that wasn't too clear until I found this thread: it's very hard to find results for debugging GIthub's own products! |
|
@orHayoun @DiamondJoseph I am working on fixing #14625 today. |
Title: oauth2 filter is incompatible with authorization servers that omit
expire_inonaccess_tokenresponsesDescription:
When configuring the oauth2 HTTP filter against an RFC 6749-compliant OAuth 2.0 authorization server, the auth flow fails if the
access_tokenresponse does not contain anexpire_infield.Repro steps:
Setup Envoy oauth2 HTTP filter against an RFC 6749-compliant authorization server that does not return the
expire_infield on theaccess_tokenresponse, such as GitHub.Admin and Stats Output: Not relevant
Config:
Logs:
Starting with the response headers of the
access_tokenrequest as sent by the Envoy OAuth 2.0 client implementation.Relevant log line:
No access token or expiration after asyncGetAccessTokenCall Stack: Not relevant
Additional information
RFC 6749 Section 5.1 states:
In short, authorization server implementations do not have to provide the
expires_inparameter in theiraccess_tokenrequest response.For example, GitHub does not set this parameter: (https://docs.github.com/en/free-pro-team@latest/developers/apps/authorizing-oauth-apps)
{ "access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a", "scope":"repo,gist", "token_type":"bearer" }The Envoy OAuth 2.0 client implementation interprets this field as mandatory though. It rejects any responses without the
expired_inparameterenvoy/source/extensions/filters/http/oauth2/oauth_client.cc
Lines 91 to 95 in 7e3b483
Proposed Fix
#14625
The Envoy oauth2 filter token config should have a field
default_expires_inor similar, that when specified, allows responses without theexpires_infield to pass. In the absence of theexpires_infield, it should use that default value from the config file as the token expiration parameter.The text was updated successfully, but these errors were encountered: