Conversation
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
Fixed a compilation with test cases Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com> Signed-off-by: sudeeptoroy <sudeeptoroy@users.noreply.github.com>
sudeeptoroy
force-pushed
the
oauth2_resource_param
branch
from
cde5869 to
0e4849d
Compare
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
|
Oauth2 codeowners @rgs1 @derekargueta @snowp |
|
cc: @williamsfu99 |
|
|
||
| // Optional resource parameter for authorization request | ||
| // RFC: https://tools.ietf.org/html/rfc8707 | ||
| string resource = 10; |
There was a problem hiding this comment.
The RFC seems to allow multiple values here, should this be a repeated field?
Multiple "resource" parameters MAY be
used to indicate that the requested token is intended to be used
at multiple resources.
There was a problem hiding this comment.
@snowp I will convert this to a repeated field.
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
|
/api lgtm |
|
/lgtm api |
| std::string h1 = "http://"; | ||
| std::string h2 = "https://"; | ||
|
|
||
| for (const auto& resource : resources_protos) { | ||
| if (resource.rfind(h1, 0) == 0 || resource.rfind(h2, 0) == 0) { |
There was a problem hiding this comment.
Can we extract the URL detection logic into its own function?
Currently this allocates two strings every time we do this which seems unnecessary. How about we rewrite this as
absl::StartsWith(resource, "http://") || absl::StartsWith(resource, "https://")?
| std::string encodeResourceList(const Protobuf::RepeatedPtrField<std::string>& resources_protos) { | ||
| std::string result = ""; | ||
|
|
||
| if (!resources_protos.empty()) { |
There was a problem hiding this comment.
no need for this since in the empty case the for loop would terminate immediately
| std::string tokenSecret() const { return secret_reader_->tokenSecret(); } | ||
| FilterStats& stats() { return stats_; } | ||
| const std::string& encodedAuthScopes() const { return encoded_auth_scopes_; } | ||
| const std::string encodedResources() const { return encoded_resources_; } |
| config_->encodedAuthScopes(), escaped_redirect_uri, escaped_state); | ||
| response_headers->setLocation(new_url); | ||
|
|
||
| const std::string resource_param = config_->encodedResources(); |
There was a problem hiding this comment.
use const ref here to avoid a copy
| // Auth_scopes was not set, should return default value. | ||
| EXPECT_EQ(test_config_->encodedAuthScopes(), TEST_DEFAULT_SCOPE); | ||
|
|
||
| // resource by default is not set |
There was a problem hiding this comment.
nit: proper grammar/punctuation in comments
| std::string h2 = "https://"; | ||
|
|
||
| for (const auto& resource : resources_protos) { | ||
| if (resource.rfind(h1, 0) == 0 || resource.rfind(h2, 0) == 0) { |
There was a problem hiding this comment.
Looking at the RFC it seems like the resource must be an absolute URL, so why do we need this special handling? Is there a reason why we would not percent encode in all cases?
cc @williamsfu99 in case you can shed some light on the the spec here
There was a problem hiding this comment.
resource may be in ARN format hence the special case.
"resource":"arn:aws:iam::123456789012:user/12345"
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
There was a problem hiding this comment.
@snowp @williamsfu99 Let me know what do you think about ARN resource. Also code is up for review again
There was a problem hiding this comment.
I don't have a problem supporting the ARN resources, but it seems like we should percent encode it regardless in order to pass it as query param? Are there use cases in the wild where it expects these query parameters to not be URL encoded?
There was a problem hiding this comment.
Hi @snowp , here is some information around URI and I agree that it should be url encoded.
absolute URI: The RFC does not mandate the format of the resource param. It's just an identifier and meant to identify the protected resource the client is requesting a token for.
The "resource" parameter URI value is an identifier representing the identity of the resource, which MAY be a locator that corresponds to a network-addressable location where the target resource is hosted.
definition of URI: https://tools.ietf.org/html/rfc3986#section-4.3
I guess, you are in agreement with this.
I will update the PR with URL encoding next.
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
| const std::string& resource_param = config_->encodedResources(); | ||
|
|
||
| response_headers->setLocation(new_url + resource_param); |
There was a problem hiding this comment.
Just a small nit but could we rename encodedResources to encodedResourceQueryParams and then inline resource_param like so:
response_headers->setLocation(new_url + config_->encodedResourceQueryParams());
? I think that would read a bit cleaner
There was a problem hiding this comment.
@snowp, I have done the changes. The macos tests are failing because go binary could not be installed on the test setup.
Let me know how to move forward from here.
code is up for review
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
|
/retest |
|
Retrying Azure Pipelines: |
|
/retest |
|
Retrying Azure Pipelines: |
snowp
left a comment
snowp
left a comment
There was a problem hiding this comment.
Thanks! Can you merge main to fix CI?
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
Hi @snowp , the CI is fixed now. Requesting you to approve the merge. |
|
@sudeeptoroy Sorry could you add a release note for this? Thanks! |
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
Hi @snowp, I have added a release note. Can you review it and let me know if wordings are fine? |
snowp
left a comment
snowp
left a comment
There was a problem hiding this comment.
Release note looks good besides one minor language suggestion! Thanks for your patience in iterating on this PR
| * json: introduced new JSON parser (https://github.com/nlohmann/json) to replace RapidJSON. The new parser is disabled by default. To test the new RapidJSON parser, enable the runtime feature `envoy.reloadable_features.remove_legacy_json`. | ||
| * kill_request: :ref:`Kill Request <config_http_filters_kill_request>` Now supports bidirection killing. | ||
| * log: added a new custom flag ``%j`` to the log pattern to print the actual message to log as JSON escaped string. | ||
| * oauth filter: added the optional parameter :ref:`resources <envoy_v3_api_field_extensions.filters.http.oauth2.v3alpha.OAuth2Config.resources>`. Set this value to add multiple "resource" parameters in the Authorization request sent to the OAuth provider. This acts as an identifier representing protected resource the client is requesting a token for. |
There was a problem hiding this comment.
representing protected resource -> representing the protected resources
There was a problem hiding this comment.
Hi @snowp , I have made the corresponding change.
Signed-off-by: Sudeepto Roy <sudeepto.roy@gmail.com>
5 participants
Commit Message: added support for resource param in authorization request
Risk Level: low
Testing: unit test added
Docs Changes: added
Release Notes: na
Platform Specific Features: na
Fixes #15124