
feat(oidc): forward id token#9367

Open
zhaohuabing wants to merge 6 commits into
envoyproxy:mainfrom
zhaohuabing:forward_id_token

Conversation

@zhaohuabing zhaohuabing commented Jun 29, 2026

Member

What this PR does / why we need it:

Which issue(s) this PR fixes:

Implements #7343


PR Checklist

  • Authorship & ownership: Coding agents / AI assistants are welcome, but I have reviewed every change, understand how and why it works, can explain and maintain it, and take full responsibility for this PR. I have not submitted generated output I do not understand.
  • DCO: All commits are signed off (git commit -s). See DCO: Sign your work.
  • API agreed first: If this PR contains API changes (changes under /api), the API was discussed and agreed before the implementation. The API change can be in a separate PR, or in the same PR, but the API must be agreed before implementation. N/A if this PR does not contain API changes.
  • Required checks pass: make generate gen-check, make lint, and the unit-test/coverage build pass. (Flaky e2e failures are not considered breakages, but gen-check, lint, and coverage MUST pass.)
  • Tests added/updated: New/changed code is covered by appropriate tests. N/A if this PR does not contain code changes.
  • Docs: User-facing changes update the docs, either in this PR or a follow-up PR. N/A if this PR does not contain user-facing changes.
  • Release notes: For any non-trivial change, added a release-note fragment under release-notes/current/<section>/<pr-number>-<slug>.md (see release-notes/current/README.md for sections and naming). N/A if this PR does not contain non-trivial changes.
  • Generated files committed: Ran make gen-check and committed the result if API/helm charts/modules changed.
  • Scope & compatibility: The PR is reasonably scoped (no unrelated changes) and preserves backward compatibility, or any breaking change is called out above and documented in release-notes/current/breaking_changes/.
  • Codex review: Requested a Codex review and addressed all of its comments.
  • Copilot review: Requested a Copilot review and addressed all of its comments.

@zhaohuabing zhaohuabing requested a review from a team as a code owner June 29, 2026 05:19

netlify Bot commented Jun 29, 2026


Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit 35d106e
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6a446bcd66793600082eea17
😎 Deploy Preview https://deploy-preview-9367--cerulean-figolla-1f9435.netlify.app

@zhaohuabing zhaohuabing marked this pull request as draft June 29, 2026 05:20
@zhaohuabing zhaohuabing force-pushed the forward_id_token branch 2 times, most recently from b20f2c5 to be813bc June 29, 2026 05:32
@zhaohuabing zhaohuabing marked this pull request as ready for review June 29, 2026 05:32
@zhaohuabing zhaohuabing requested a review from Copilot June 29, 2026 05:32
@zhaohuabing

Member Author

@codex review

@zhaohuabing zhaohuabing force-pushed the forward_id_token branch 2 times, most recently from 2331c21 to 3558ee6 June 29, 2026 05:34

Copilot AI left a comment

Contributor


Pull request overview

This PR adds support for forwarding an OIDC ID token to upstream requests via a new SecurityPolicy.spec.oidc.forwardIDToken field, wiring it through Gateway API translation into the generated Envoy OAuth2 filter config, and updating docs/tests accordingly.

Changes:

  • Introduces forwardIDToken API + CRD schema validation (header name constraints, Host disallow, Authorization conflict with forwardAccessToken).
  • Translates forwardIDToken into IR and Envoy OAuth2 per-route config (ForwardIdToken), including special handling when targeting Authorization.
  • Updates e2e/translation/CEL tests, generated docs, and bumps go-control-plane to a version that includes the needed Envoy API.

Reviewed changes

Copilot reviewed 14 out of 20 changed files in this pull request and generated 2 comments.

Summary per file:
  • api/v1alpha1/oidc_types.go: Adds forwardIDToken API field + kubebuilder/CEL validations and header constraints.
  • charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml: Generated CRD schema updates for forwardIDToken.header validation/description.
  • charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml: Same CRD schema updates in the other Helm chart packaging.
  • go.mod: Bumps go-control-plane deps to pick up required Envoy OAuth2 API.
  • go.sum: Corresponding sum updates for module dependency bump.
  • internal/gatewayapi/securitypolicy.go: Validates forwardIDToken during translation and plumbs it into IR.
  • internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml: Adds forwardIDToken input to GatewayAPI translation testdata.
  • internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml: Updates expected GatewayAPI translation output/IR with forwardIDToken.
  • internal/ir/xds.go: Extends IR OIDC struct with ForwardIDToken.
  • internal/ir/zz_generated.deepcopy.go: Generated deepcopy support for new IR field.
  • internal/xds/translator/oidc.go: Emits Envoy OAuth2 ForwardIdToken and adjusts PreserveAuthorizationHeader when needed.
  • internal/xds/translator/testdata/in/xds-ir/oidc.yaml: Adds forwardIDToken to translator IR input testdata.
  • internal/xds/translator/testdata/out/xds-ir/oidc.routes.yaml: Updates expected translator output to include forwardIdToken config.
  • release-notes/current/new_features/9366-oidc-forward-id-token.md: Release note fragment describing the new feature.
  • site/content/en/latest/api/extension_types.md: Generated API docs updated for the new forwardIDToken field.
  • test/cel-validation/securitypolicy_test.go: Adds CEL validation test cases for header constraints and Authorization conflict.
  • test/e2e/testdata/oidc-securitypolicy.yaml: Configures e2e SecurityPolicy to enable ID token forwarding on a custom header.
  • test/e2e/tests/oidc.go: Extends OIDC e2e test to assert the upstream receives the configured forwarded header.
  • test/go.mod: Updates test module dependencies in lockstep with root module.
  • test/go.sum: Corresponding sum updates for the test module dependency bump.
Files not reviewed (1)
  • internal/ir/zz_generated.deepcopy.go: Generated file


Comment thread internal/gatewayapi/securitypolicy.go Outdated
Comment thread internal/xds/translator/oidc.go Outdated
@zhaohuabing zhaohuabing added this to the v1.9.0-rc.1 Release milestone Jun 29, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: be813bc40d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread internal/xds/translator/oidc.go
Comment thread go.mod

codecov Bot commented Jun 29, 2026


Codecov Report

❌ Patch coverage is 94.73684% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 75.21%. Comparing base (6916245) to head (35d106e).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
internal/gatewayapi/securitypolicy.go 92.85% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #9367      +/-   ##
==========================================
+ Coverage   75.18%   75.21%   +0.03%     
==========================================
  Files         252      252              
  Lines       41037    41056      +19     
==========================================
+ Hits        30854    30881      +27     
+ Misses       8088     8081       -7     
+ Partials     2095     2094       -1     


Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing requested a review from Copilot June 29, 2026 07:44
@zhaohuabing

Member Author

@codex review

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 19 out of 26 changed files in this pull request and generated 2 comments.

Files not reviewed (1)
  • internal/ir/zz_generated.deepcopy.go: Generated file

Comment thread internal/xds/translator/oidc.go Outdated
Comment thread release-notes/current/new_features/9367-oidc-forward-id-token.md

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

// +kubebuilder:validation:XValidation:rule="!(has(self.forwardAccessToken) && self.forwardAccessToken && has(self.forwardIDToken) && self.forwardIDToken.header.lowerAscii() == 'authorization')", message="forwardAccessToken cannot be true when forwardIDToken.header is Authorization"

P2: Reject passthrough conflicts with ID-token headers

This validation only blocks the forwardAccessToken/Authorization collision, but the new field is still accepted with passThroughAuthHeader: true and forwardIDToken.header equal to a JWT extraction header, including the default Authorization header. The new API comment below documents that Envoy strips the configured forward-ID-token header before JWT authn can read it; with the existing OAuth2-before-JWT filter order and buildHeaderMatchers defaulting passthrough to Authorization: Bearer, such non-browser bearer requests are stripped and redirected/rejected instead of being validated by JWT. Please reject this combination in validation/translation or avoid stripping the passthrough header path.


Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 19 out of 26 changed files in this pull request and generated 3 comments.

Files not reviewed (1)
  • internal/ir/zz_generated.deepcopy.go: Generated file

Comment thread internal/gatewayapi/securitypolicy.go
Comment thread release-notes/current/new_features/9367-oidc-forward-id-token.md
Comment thread internal/xds/translator/oidc.go
@zhaohuabing

Member Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 553ce53810


Comment thread test/e2e/tests/oidc.go
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing

Member Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6ac3cb9cf7


Comment on lines +664 to +665
if strings.EqualFold(fwdHeader, "Authorization") {
return fmt.Errorf("the OIDC.ForwardIDToken header %q cannot be the Authorization header when passThroughAuthHeader is enabled and a JWT provider reads from it", fwdHeader)
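Review bot: the condition on the first line only tests whether fwdHeader is literally Authorization, while the message on the second line says the rejection applies "when passThroughAuthHeader is enabled and a JWT provider reads from it"; nothing in these two lines ties the check to the provider's configured extraction header, so a provider that reads a custom header equal to fwdHeader is not caught here, and a provider that never reads Authorization is still rejected. Either compare fwdHeader against each JWT provider's extraction header (falling back to Authorization when none is set) or narrow the message to what this branch actually guards.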


P2: Allow Authorization ID-token passthrough

When passThroughAuthHeader is enabled with forwardIDToken.header: Authorization and a JWT provider uses the default Authorization extractor, this rejects the policy during translation. Envoy's OAuth2 filter checks pass_through_matcher before it sanitizes the Authorization header, so bearer-token clients are not stripped in this case; rejecting it blocks the intended mixed flow where browser OIDC sessions forward the ID token on Authorization while non-browser clients pass their bearer token through to JWT validation.


@zhaohuabing zhaohuabing Jun 29, 2026

Member Author


Envoy rejects configs whose pass_through_matcher matches the forward_id_token header, because the forward_id_token header is owned by Envoy and should not be sent by clients.
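The conflict rules argued over in the two Codex comments above (a forwarded access token and a forwarded ID token both landing on Authorization, and passThroughAuthHeader letting clients send a header the OAuth2 filter owns) and settled by the reply, written out as an added stand-alone Go check; this is an illustration, not Envoy Gateway's own validation code. The OIDCConfig struct, ValidateForwardIDToken and the JWTExtractHeaders field are assumptions; only the SecurityPolicy field names come from the PR, and the collision check is generalised to custom JWT extraction headers as the first Codex comment describes.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// OIDCConfig carries only the SecurityPolicy.spec.oidc settings the review
// discusses; the struct is hypothetical, the field names come from the PR.
type OIDCConfig struct {
	ForwardAccessToken    bool
	ForwardIDTokenHeader  string   // "" means forwardIDToken is not configured
	PassThroughAuthHeader bool
	JWTExtractHeaders     []string // headers JWT providers read; empty means Authorization
}

// ValidateForwardIDToken rejects the combinations the review identified:
// a Host header; an Authorization header while an access token is also
// forwarded; and, with passThroughAuthHeader, a header that a JWT provider
// extracts from, since the OAuth2 filter owns that header and clients must
// not be able to send it. Header comparisons are case-insensitive.
func ValidateForwardIDToken(c OIDCConfig) error {
	h := c.ForwardIDTokenHeader
	if h == "" {
		return nil
	}
	if strings.EqualFold(h, "Host") {
		return errors.New("forwardIDToken.header cannot be Host")
	}
	if c.ForwardAccessToken && strings.EqualFold(h, "Authorization") {
		return errors.New("forwardAccessToken cannot be true when forwardIDToken.header is Authorization")
	}
	if !c.PassThroughAuthHeader {
		return nil
	}
	extract := c.JWTExtractHeaders
	if len(extract) == 0 {
		extract = []string{"Authorization"} // default JWT authn extractor
	}
	for _, e := range extract {
		if strings.EqualFold(e, h) {
			return fmt.Errorf("forwardIDToken.header %q is also the JWT extraction header %q and cannot be passed through", h, e)
		}
	}
	return nil
}
```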

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing

Member Author

/retest

# Conflicts:
#	examples/extension-server/go.mod
#	examples/extension-server/go.sum
#	go.mod
#	go.sum
#	test/go.mod
#	test/go.sum