headersToDownstreamOnAllow in envoyExtAuthzHttp should not include content-type #48086
Labels
kind/docs
kind/enhancement
lifecycle/automatically-closed
Indicates a PR or issue that has been closed automatically.
lifecycle/stale
Indicates a PR or issue hasn't been manipulated by an Istio team member for a while
Describe the feature request
In documentation https://istio.io/latest/docs/tasks/security/authorization/authz-custom/#define-the-external-authorizer an example for oauth2-proxy is given and headersToDownstreamOnAllow includes content-type.
When doing this, both content-type from the auth-proxy and the upstream are mixed (same behavior as this issue #30470), resulting in a corrupted content-type header if they are different, which is almost the case since oauth2-proxy always replies with text/plain.
Describe alternatives you've considered
Documentation should not recommend including content-type in headersToDownstreamOnAllow.
Even better, it should warn that if the same header is present in both auth-proxy and upstream, they will be combined and separated with a comma (https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.2).
Affected product area (please put an X in all that apply)
[ ] Ambient
[X] Docs
[ ] Dual Stack
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Affected features (please put an X in all that apply)
[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
Additional context
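The merge described in this issue, modelled as an added example that is not part of the original issue and is not Istio or Envoy code: it joins allow-listed authorizer headers onto the upstream response with a comma, as the report describes, and checks whether the resulting content-type is still a single media type. The sample headers, the `set-cookie` entry, the value order (upstream first) and all function names are assumptions made for the illustration.

```python
import re

# Constructed sample values. The merge rule is the behaviour the issue reports
# (comma-joined, RFC 7230 section 3.2.2), modelled here; it is not Envoy's code.
ALLOW_LIST = ["content-type", "set-cookie"]  # headersToDownstreamOnAllow
AUTHZ_RESPONSE = {"Content-Type": "text/plain; charset=utf-8",
                  "Set-Cookie": "session=constructed; Path=/"}
UPSTREAM_RESPONSE = {"Content-Type": "application/json",
                     "Cache-Control": "no-store"}

_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE = re.compile(
    rf'^{_TOKEN}/{_TOKEN}(\s*;\s*{_TOKEN}=({_TOKEN}|"[^"]*"))*\s*$')


def _lower(headers):
    """Header names are case-insensitive, so compare them in lower case."""
    return {name.lower(): value for name, value in headers.items()}


def merge_downstream(upstream, authz, allow_list):
    """Response the client receives: allow-listed authz headers are added to the
    upstream response; a name set on both sides is joined with a comma.
    Assumption: the upstream value comes first."""
    merged, authz = _lower(upstream), _lower(authz)
    for name in (h.lower() for h in allow_list):
        if name in authz:
            merged[name] = (f"{merged[name]},{authz[name]}"
                            if name in merged else authz[name])
    return merged


def colliding_entries(upstream, authz, allow_list):
    """Allow-list entries that both the authorizer and the upstream set."""
    up, az = _lower(upstream), _lower(authz)
    return sorted(h.lower() for h in allow_list
                  if h.lower() in up and h.lower() in az)


def is_single_media_type(value):
    """Content-Type is a singleton field: one type/subtype plus parameters."""
    return bool(_MEDIA_TYPE.match(value))


if __name__ == "__main__":
    merged = merge_downstream(UPSTREAM_RESPONSE, AUTHZ_RESPONSE, ALLOW_LIST)
    print("colliding:", colliding_entries(UPSTREAM_RESPONSE, AUTHZ_RESPONSE, ALLOW_LIST))
    print("content-type:", merged["content-type"],
          "ok" if is_single_media_type(merged["content-type"]) else "CORRUPTED")
    fixed = merge_downstream(UPSTREAM_RESPONSE, AUTHZ_RESPONSE, ["set-cookie"])
    print("without content-type in the list:", fixed["content-type"])
```

Running `colliding_entries` over captured authorizer and upstream responses for a route shows which allow-list entries are safe to keep before changing the provider configuration.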