OAuth2 Credential (proto)

This extension has the qualified name envoy.http.injected_credentials.oauth2

Note

This extension is functional but has not had substantial production burn time; use it only with this caveat in mind.

This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.

Tip

This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

Warning

This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.

extensions.http.injected_credentials.oauth2.v3.OAuth2

[extensions.http.injected_credentials.oauth2.v3.OAuth2 proto]

The OAuth2 extension retrieves an OAuth2 access token from an authorization server and injects it into the proxied requests. Currently, only the Client Credentials Grant flow is supported. The access token is injected as a bearer token in the Authorization request header (Authorization: Bearer <token>).

{
  "token_endpoint": {...},
  "scopes": [],
  "client_credentials": {...},
  "token_fetch_retry_interval": {...}
}
token_endpoint

(config.core.v3.HttpUri, REQUIRED) Endpoint on the authorization server to retrieve the access token from. Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-3.2) for details.

scopes

(repeated string) Optional list of OAuth scopes to request in the access token request. Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-4.4.2) for details.

client_credentials

(extensions.http.injected_credentials.oauth2.v3.OAuth2.ClientCredentials, REQUIRED) Client Credentials Grant. Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) for details.

token_fetch_retry_interval

(Duration) The interval between two successive retries to fetch a token from the identity provider. Defaults to 2 seconds; the interval must be at least 1 second.

extensions.http.injected_credentials.oauth2.v3.OAuth2.ClientCredentials

[extensions.http.injected_credentials.oauth2.v3.OAuth2.ClientCredentials proto]

Credentials to authenticate client to the authorization server. Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3) for details.

{
  "client_id": ...,
  "client_secret": {...},
  "auth_type": ...
}
client_id

(string, REQUIRED) Client ID. Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) for details.

client_secret

(extensions.transport_sockets.tls.v3.SdsSecretConfig, REQUIRED) Client secret. Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) for details.

auth_type

(extensions.http.injected_credentials.oauth2.v3.OAuth2.AuthType) The method to use when sending credentials to the authorization server. Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) for details.

Enum extensions.http.injected_credentials.oauth2.v3.OAuth2.AuthType

[extensions.http.injected_credentials.oauth2.v3.OAuth2.AuthType proto]

BASIC_AUTH

(DEFAULT) The client_id and client_secret will be sent using the HTTP Basic authentication scheme.

URL_ENCODED_BODY

The client_id and client_secret will be sent in the URL-encoded request body. This type should only be used when the authorization server does not support HTTP Basic authentication; RFC 6749 section 2.3.1 requires authorization servers to support the Basic scheme and recommends against sending client credentials in the request body.
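The following is an added configuration example, not taken from the Envoy documentation, showing how the messages above fit together in practice: the OAuth2 credential is wrapped in the credential injector HTTP filter (envoy.filters.http.credential_injector, the consumer of the injected credentials category), the token endpoint points at a dedicated TLS cluster, and the client secret is delivered through SDS from a file rather than inlined. The cluster name oauth_server, the host auth.example.com, the client ID, the scope and all file paths are assumptions chosen for illustration.

```yaml
# Added example (not from the Envoy docs). Fragment of an HTTP connection
# manager's http_filters list; all names, hosts and paths are assumptions.
http_filters:
- name: envoy.filters.http.credential_injector
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
    # Replace any Authorization header the downstream sent instead of
    # forwarding a client-supplied value alongside the injected token.
    overwrite: true
    # Fail closed: a request is rejected rather than proxied without a
    # credential when no token has been fetched yet (false is the default,
    # stated here explicitly).
    allow_request_without_credential: false
    credential:
      name: envoy.http.injected_credentials.oauth2
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.oauth2.v3.OAuth2
        token_endpoint:
          cluster: oauth_server                          # assumed cluster, defined below
          uri: https://auth.example.com/oauth2/token     # assumed token endpoint (RFC 6749 s3.2)
          timeout: 3s
        scopes:
        - read:orders                                    # assumed scope
        client_credentials:
          client_id: envoy-gateway                       # assumed client ID
          # Never inline the secret in the filter config; fetch it via SDS.
          client_secret:
            name: oauth_client_secret
            sds_config:
              path_config_source:
                path: /etc/envoy/oauth_client_secret.yaml   # assumed path
          # BASIC_AUTH is the default and the RFC 6749 s2.3.1 recommended method;
          # URL_ENCODED_BODY only if the server cannot do HTTP Basic.
          auth_type: BASIC_AUTH
        # Minimum allowed is 1s; default is 2s.
        token_fetch_retry_interval: 5s
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

# Fragment of static_resources.clusters. The client secret is sent to this
# endpoint on every token fetch, so the connection must be TLS with the
# server certificate verified against a trusted CA.
clusters:
- name: oauth_server
  type: STRICT_DNS
  connect_timeout: 2s
  load_assignment:
    cluster_name: oauth_server
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: auth.example.com
              port_value: 443
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      sni: auth.example.com
      common_tls_context:
        validation_context:
          trusted_ca:
            filename: /etc/ssl/certs/ca-certificates.crt   # assumed CA bundle path

# Contents of /etc/envoy/oauth_client_secret.yaml (assumed path), the SDS
# resource named by client_secret above. The secret bytes live in a separate
# file readable only by the Envoy user; the DataSource is read verbatim, so
# store the secret without a trailing newline.
resources:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
  name: oauth_client_secret
  generic_secret:
    secret:
      filename: /etc/envoy/secrets/oauth_client_secret   # assumed path
```

Two points a reviewer would check on such a config: the token fetched with these client credentials is attached to every request that passes through this filter chain, so the listener must only proxy to upstreams that are meant to receive it (the trust caveat in the note at the top of this page), and the oauth_server cluster must carry a validation_context, since without it the client secret is sent over TLS to whatever answers for the token endpoint's DNS name.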