Credential Injector Filter: OAuth2 client credential extension #33702
Conversation
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
| @@ -3,464 +3,421 @@ EXTENSIONS = { | |||
| # | |||
| # Access loggers | |||
| # | |||
|
|
|||
There was a problem hiding this comment.
oh, I will fix unnecessary formatting.
vikaschoudhary16
force-pushed
the
client-cred-oauth2
branch
from
446b6af to
dfdab41
Compare
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
|
I will work on |
| timer_ = dispatcher_->createTimer([this]() -> void { asyncGetAccessToken(); }); | ||
| ENVOY_LOG(debug, "onGetAccessTokenSuccess: Token fetched successfully, expires in {} seconds.", | ||
| expires_in.count()); | ||
| timer_->enableTimer(expires_in / 2); |
There was a problem hiding this comment.
I think the things about timer could be simper. You completely needn't create the timer again and again. You can only create one and enable/disable it according your requirement here.
|
/wait |
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
There was a problem hiding this comment.
thanks for iterating @vikaschoudhary16
a bunch of docs nits, but otherwise lgtm
docs/root/configuration/http/http_filters/_include/credential-injector-oauth2-filter.yaml
Outdated
Show resolved
Hide resolved
docs/root/configuration/http/http_filters/_include/credential-injector-oauth2-filter.yaml
Show resolved
Hide resolved
docs/root/configuration/http/http_filters/_include/credential-injector-generic-filter.yaml
Show resolved
Hide resolved
docs/root/configuration/http/http_filters/_include/credential-injector-oauth2-filter.yaml
Show resolved
Hide resolved
docs/root/configuration/http/http_filters/credential_injector_filter.rst
Outdated
Show resolved
Hide resolved
docs/root/configuration/http/http_filters/credential_injector_filter.rst
Outdated
Show resolved
Hide resolved
docs/root/configuration/http/http_filters/credential_injector_filter.rst
Outdated
Show resolved
Hide resolved
docs/root/configuration/http/http_filters/credential_injector_filter.rst
Outdated
Show resolved
Hide resolved
docs/root/configuration/http/http_filters/credential_injector_filter.rst
Outdated
Show resolved
Hide resolved
docs/root/configuration/http/http_filters/credential_injector_filter.rst
Outdated
Show resolved
Hide resolved
| return absl::NotFoundError("Failed to get oauth2 token from token provider"); | ||
| } | ||
|
|
||
| headers.setCopy(Envoy::Http::CustomHeaders::get().Authorization, token); |
| thread_local_cluster->httpAsyncClient().send( | ||
| std::move(msg), *this, | ||
| Envoy::Http::AsyncClient::RequestOptions().setTimeout( | ||
| std::chrono::milliseconds(PROTOBUF_GET_MS_REQUIRED(uri_, timeout)))); |
There was a problem hiding this comment.
What will happen if the client was destructed because the xDS updating and then the a response is received from remote server?
I think you may need to store the in-flight-request here and use the result to cancel any pending request when the client is destructed.
There was a problem hiding this comment.
thanks for pointing out. Addressed it.
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
|
/docs |
|
Docs for this Pull Request will be rendered here: https://storage.googleapis.com/envoy-pr/33702/docs/index.html The docs are (re-)rendered each time the CI |
There was a problem hiding this comment.
docs lgtm, thanks again @vikaschoudhary16 for working on this
handing over to @wbpcode and @adisuissa for signoff
test/extensions/filters/http/credential_injector/credential_injector_oauth_integration_test.cc
Outdated
Show resolved
Hide resolved
test/extensions/filters/http/credential_injector/credential_injector_oauth_integration_test.cc
Outdated
Show resolved
Hide resolved
test/extensions/filters/http/credential_injector/credential_injector_oauth_integration_test.cc
Outdated
Show resolved
Hide resolved
test/extensions/filters/http/credential_injector/credential_injector_oauth_integration_test.cc
Outdated
Show resolved
Hide resolved
|
|
||
| #include "test/mocks/event/mocks.h" | ||
| #include "test/mocks/server/factory_context.h" | ||
| #include "test/mocks/thread_local/mocks.h" | ||
| #include "test/mocks/upstream/cluster_manager.h" | ||
|
|
||
| #include "gtest/gtest.h" | ||
|
|
||
| namespace Envoy { | ||
| namespace Extensions { | ||
| namespace Http { | ||
| namespace InjectedCredentials { | ||
| namespace OAuth2 { |
There was a problem hiding this comment.
I think all these oauth2 tests should be placed in the test/extensions/http/credential_injector/oauth2?
And seems the unit tests are pretty simple (although the integration tests are great)
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
|
Thanks a lot @wbpcode @adisuissa @phlax for guidance and feedback. really appreciate!! |
Commit Message:
This PR is follow up to #30850 and is adding oauth2(client credential grant) extension. At a high level, oauth2 extension has
TokenProviderwhich runs on main thread to fetch token from oauth server and sets tls slot with the received token. All worker threads then access this token from tls to inject requestHeaders during decodeHeaders.Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]