Credential Injector Filter: OAuth2 client credential extension

CODEOWNERS

@@ -348,6 +348,7 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 /*/extensions/filters/http/credential_injector @zhaohuabing @kyessenov
 /*/extensions/http/injected_credentials/common @zhaohuabing @kyessenov
 /*/extensions/http/injected_credentials/generic @zhaohuabing @kyessenov
+/*/extensions/http/injected_credentials/oauth2 @vikaschoudhary16 @wbpcode
 
 # Lua cluster specifier
 /*/extensions/router/cluster_specifiers/lua @StarryVae @wbpcode

api/envoy/extensions/http/injected_credentials/oauth2/v3/oauth2.proto

@@ -5,6 +5,8 @@ package envoy.extensions.http.injected_credentials.oauth2.v3;
 import "envoy/config/core/v3/http_uri.proto";
 import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
 
+import "google/protobuf/duration.proto";
+
 import "xds/annotations/v3/status.proto";
 
 import "udpa/annotations/status.proto";
@@ -18,7 +20,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 
 // [#protodoc-title: OAuth2 Credential]
-// [#not-implemented-hide:]
 // [#extension: envoy.http.injected_credentials.oauth2]
 
 // OAuth2 extension can be used to retrieve an OAuth2 access token from an authorization server and inject it into the
@@ -67,4 +68,9 @@ message OAuth2 {
     // Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) for details.
     ClientCredentials client_credentials = 3;
   }
+
+  // The interval between two successive retries to fetch token from Identity Provider. Default is 2 secs.
+  // The interval must be at least 1 second.
+  google.protobuf.Duration token_fetch_retry_interval = 4
+      [(validate.rules).duration = {gte {seconds: 1}}];
 }

docs/BUILD

@@ -27,9 +27,6 @@ filegroup(
             "root/**/envoy-dynamic-filesystem-demo.yaml",
             "root/operations/_include/traffic_tapping_*.yaml",
             "root/configuration/http/http_filters/_include/checksum_filter.yaml",
-            # TODO(phlax/windows-dev): figure out how to get this working on windows
-            #      "Error: unable to read file: /etc/ssl/certs/ca-certificates.crt"
-            "root/configuration/http/http_filters/_include/credential-injector-filter.yaml",
             "root/configuration/http/http_filters/_include/dns-cache-circuit-breaker.yaml",
             "root/configuration/other_features/_include/dlb.yaml",
             "root/configuration/other_features/_include/hyperscan_matcher.yaml",

docs/root/configuration/http/http_filters/_include/credential-injector-filter.yaml → docs/root/configuration/http/http_filters/_include/credential-injector-generic-filter.yaml

@@ -37,9 +37,6 @@ static_resources:
                   "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
                   credential:
                     name: credential
-                    sds_config:
-                      path_config_source:
-                        path: /home/ubuntu/credential.yaml
           - name: envoy.filters.http.router
             typed_config:
               "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
@@ -55,3 +52,13 @@ static_resources:
               socket_address:
                 address: 127.0.0.1
                 port_value: 8080
+
+  secrets:
+  - name: credential
+    generic_secret:
+      secret:
+        inline_string: "Basic base64EncodedUsernamePassword"
+  - name: credential-bearer
+    generic_secret:
+      secret:
+        inline_string: "Bearer myToken"

docs/root/configuration/http/http_filters/_include/credential-injector-oauth2-filter.yaml

@@ -0,0 +1,80 @@
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 10000
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains: ["*"]
+              routes:
+              - match:
+                  prefix: "/"
+                route:
+                  cluster: local-backend-service
+          http_filters:
+          - name: envoy.filters.http.credential_injector
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
+              credential:
+                name: envoy.http.injected_credentials.oauth2
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.oauth2.v3.OAuth2
+                  token_endpoint:
+                    cluster: okta.ad
+                    timeout: 3s
+                    uri: "https://dev-1178504991.okta.com/oauth2/default/v1/token"
+                  client_credentials:
+                    client_id: some-client-id
+                    client_secret:
+                      name: client-secret
+          - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+  clusters:
+  - lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: okta.ad
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: dev-1178504991.okta.com
+                port_value: 443
+    name: okta.ad
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        sni: dev-1178504991.okta.com
+    type: LOGICAL_DNS
+  - name: local-backend-service
+    type: LOGICAL_DNS
+    dns_lookup_family: V4_ONLY
+    lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: local-backend-service
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: 127.0.0.1
+                port_value: 8000
+
+  secrets:
+  - name: client-secret
+    generic_secret:
+      secret:
+        inline_string: "lL0FWQUMnWizwG0JPop3ccEaC1pNZn5uYYnTbVQM"

docs/root/configuration/http/http_filters/credential_injector_filter.rst

@@ -1,14 +1,10 @@
 .. _config_http_filters_credential_injector:
 
-Credential Injector
+Credential injector
 ===================
 
 The credential injector HTTP filter serves the purpose of injecting credentials into outgoing HTTP requests.
 
-The filter configuration is used to retrieve the credentials, or they can be fetched from a remote source
-such as an OAuth2 authorization server. The credentials obtained are then injected into the ``Authorization``
-header of the proxied HTTP requests, utilizing either the ``Basic`` or ``Bearer`` scheme.
-
 Notice: This filter is intended to be used for workload authentication, which means that the identity associated
 with the inserted credential is considered as the identity of the workload behind the Envoy proxy (in this case,
 Envoy is typically deployed as a sidecar alongside that workload).
@@ -24,40 +20,58 @@ Configuration
 * This filter should be configured with the type URL ``type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector``.
 * :ref:`v3 API reference <envoy_v3_api_msg_extensions.filters.http.credential_injector.v3.CredentialInjector>`
 
-Currently the filter supports :ref:`generic <envoy_v3_api_msg_extensions.http.injected_credentials.generic.v3.Generic>` only.
-Other credential types can be supported as extensions.
+The filter is configured with one of the following supported ``credential_injector`` extensions. Extensions are responsible for fetching the credentials
+from the source. The credentials obtained are then injected into the ``Authorization`` header of the proxied HTTP requests, utilizing either the ``Basic``
+or ``Bearer`` scheme.
+
+Generic credential injector
+---------------------------
+* This extension should be configured with the type URL ``type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic``.
+* :ref:`generic <envoy_v3_api_msg_extensions.http.injected_credentials.generic.v3.Generic>`
 
 Here is an example configuration with Generic credential, which injects an HTTP Basic Auth credential into the proxied requests.
 
-.. literalinclude:: _include/credential-injector-filter.yaml
+.. literalinclude:: _include/credential-injector-generic-filter.yaml
     :language: yaml
-    :lines: 28-41
-    :caption: :download:`credential-injector-filter.yaml <_include/credential-injector-filter.yaml>`
+    :lines: 29-39
+    :linenos:
+    :lineno-start: 29
+    :caption: :download:`credential-injector-filter.yaml <_include/credential-injector-generic-filter.yaml>`
 
 
-credential.yaml for Basic Auth:
+Credential which is being used to inject a ``Basic Auth`` credential into the proxied requests:
 
-.. code-block:: yaml
+.. literalinclude:: _include/credential-injector-generic-filter.yaml
+    :language: yaml
+    :lines: 57-60
+    :linenos:
+    :lineno-start: 57
+    :caption: :download:`credential-injector-filter.yaml <_include/credential-injector-generic-filter.yaml>`
 
-  resources:
-  - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
-    name: credential
-    generic_secret:
-      secret:
-        inline_string: "Basic base64EncodedUsernamePassword"
+It can also be configured to inject a ``Bearer`` token into the proxied requests.
 
-It can also be configured to inject a Bearer token into the proxied requests.
+Credential for ``Bearer`` token:
 
-credential.yaml for Bearer Token:
+.. literalinclude:: _include/credential-injector-generic-filter.yaml
+    :language: yaml
+    :lines: 61-64
+    :linenos:
+    :lineno-start: 61
+    :caption: :download:`credential-injector-filter.yaml <_include/credential-injector-generic-filter.yaml>`
 
-.. code-block:: yaml
+OAuth2 credential injector (client credential grant)
+----------------------------------------------------
+* This extension should be configured with the type URL ``type.googleapis.com/envoy.extensions.http.injected_credentials.oauth2.v3.OAuth2``.
+* :ref:`oauth2 client credentials grant <envoy_v3_api_msg_extensions.http.injected_credentials.oauth2.v3.OAuth2>`
 
-  resources:
-  - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
-    name: credential
-    generic_secret:
-      secret:
-        inline_string: "Bearer myToken"
+Here is an example configuration with OAuth2 client credential injector, which injects an OAuth2 token into the proxied requests.
+
+.. literalinclude:: _include/credential-injector-oauth2-filter.yaml
+    :language: yaml
+    :lines: 25-39
+    :linenos:
+    :lineno-start: 25
+    :caption: :download:`credential-injector-filter.yaml <_include/credential-injector-oauth2-filter.yaml>`
 
 Statistics
 ----------
@@ -71,3 +85,18 @@ The HTTP credential injector filter outputs statistics in the ``http.<stat_prefi
   ``injected``, Counter, Total number of requests with injected credentials
   ``failed``, Counter, Total number of requests that failed to inject credentials
   ``already_exists``, Counter, Total number of requests that already had credentials and overwrite is false
+
+OAuth2 client credential injector extension specific statistics are also emitted in the ``http.<stat_prefix>.credential_injector.oauth2.`` namespace.
+
+.. csv-table::
+  :header: Name, Type, Description
+  :widths: 1, 1, 2
+
+  ``token_requested``, Counter, Total number of token requests sent to the OAuth2 server
+  ``token_fetched``, Counter, Total number of successful token fetches from the OAuth2 server
+  ``token_fetch_failed_on_client_secret``, Counter, Total number of times token request not sent due to missing client secret
+  ``token_fetch_failed_on_cluster_not_found``, Counter, Total number of times token request not sent due to missing OAuth2 server cluster
+  ``token_fetch_failed_on_bad_response_code``, Counter, Total number of times OAuth2 server responded with non-200 response code
+  ``token_fetch_failed_on_bad_token``, Counter, Total number of times OAuth2 server responded with bad token
+  ``token_fetch_failed_on_stream_reset``, Counter, Total number of times http stream with OAuth2 server got reset
+

source/extensions/extensions_build_config.bzl

@@ -403,6 +403,7 @@ EXTENSIONS = {
     #
 
     "envoy.http.injected_credentials.generic":              "//source/extensions/http/injected_credentials/generic:config",
+    "envoy.http.injected_credentials.oauth2":               "//source/extensions/http/injected_credentials/oauth2:config",
 
     #
     # QUIC extensions

source/extensions/extensions_metadata.yaml

@@ -906,6 +906,13 @@ envoy.http.injected_credentials.generic:
   status: alpha
   type_urls:
   - envoy.extensions.http.injected_credentials.generic.v3.Generic
+envoy.http.injected_credentials.oauth2:
+  categories:
+  - envoy.http.injected_credentials
+  security_posture: unknown
+  status: alpha
+  type_urls:
+  - envoy.extensions.http.injected_credentials.oauth2.v3.OAuth2
 envoy.internal_redirect_predicates.allow_listed_routes:
   categories:
   - envoy.internal_redirect_predicates

source/extensions/filters/http/credential_injector/config.cc

@@ -32,11 +32,13 @@ CredentialInjectorFilterFactory::createFilterFactoryFromProtoTyped(
       proto_config.credential().typed_config(), context.messageValidationVisitor(),
       *config_factory);
   CredentialInjectorSharedPtr credential_injector =
-      config_factory->createCredentialInjectorFromProto(*message, context);
+      config_factory->createCredentialInjectorFromProto(
+          *message, stats_prefix + "credential_injector.", context);
 
-  FilterConfigSharedPtr config = std::make_shared<FilterConfig>(
-      std::move(credential_injector), proto_config.overwrite(),
-      proto_config.allow_request_without_credential(), stats_prefix, context.scope());
+  FilterConfigSharedPtr config =
+      std::make_shared<FilterConfig>(std::move(credential_injector), proto_config.overwrite(),
+                                     proto_config.allow_request_without_credential(),
+                                     stats_prefix + "credential_injector.", context.scope());
   return [config](Envoy::Http::FilterChainFactoryCallbacks& callbacks) -> void {
     callbacks.addStreamDecoderFilter(std::make_shared<CredentialInjectorFilter>(config));
   };

source/extensions/filters/http/credential_injector/credential_injector_filter.cc

@@ -12,7 +12,7 @@ FilterConfig::FilterConfig(CredentialInjectorSharedPtr credential_injector, bool
                            Stats::Scope& scope)
     : injector_(credential_injector), overwrite_(overwrite),
       allow_request_without_credential_(allow_request_without_credential),
-      stats_(generateStats(stats_prefix + "credential_injector.", scope)) {}
+      stats_(generateStats(stats_prefix, scope)) {}
 
 // Inject configured credential to the HTTP request header.
 // return true if successful

source/extensions/http/injected_credentials/common/factory.h

@@ -15,6 +15,7 @@ class NamedCredentialInjectorConfigFactory : public Config::TypedFactory {
 public:
   virtual CredentialInjectorSharedPtr
   createCredentialInjectorFromProto(const Protobuf::Message& config,
+                                    const std::string& stats_prefix,
                                     Server::Configuration::FactoryContext& context) PURE;
 
   std::string category() const override { return "envoy.http.injected_credentials"; }

source/extensions/http/injected_credentials/common/factory_base.h

@@ -16,11 +16,12 @@ class CredentialInjectorFactoryBase : public NamedCredentialInjectorConfigFactor
 public:
   CredentialInjectorSharedPtr
   createCredentialInjectorFromProto(const Protobuf::Message& proto_config,
+                                    const std::string& stats_prefix,
                                     Server::Configuration::FactoryContext& context) override {
     return createCredentialInjectorFromProtoTyped(
         MessageUtil::downcastAndValidate<const ConfigProto&>(proto_config,
                                                              context.messageValidationVisitor()),
-        context);
+        stats_prefix, context);
   }
 
   ProtobufTypes::MessagePtr createEmptyConfigProto() override {
@@ -34,7 +35,7 @@ class CredentialInjectorFactoryBase : public NamedCredentialInjectorConfigFactor
 
 private:
   virtual CredentialInjectorSharedPtr
-  createCredentialInjectorFromProtoTyped(const ConfigProto&,
+  createCredentialInjectorFromProtoTyped(const ConfigProto&, const std::string&,
                                          Server::Configuration::FactoryContext&) PURE;
 
   const std::string name_;

source/extensions/http/injected_credentials/generic/config.cc

@@ -27,7 +27,8 @@ secretsProvider(const envoy::extensions::transport_sockets::tls::v3::SdsSecretCo
 
 Common::CredentialInjectorSharedPtr
 GenericCredentialInjectorFactory::createCredentialInjectorFromProtoTyped(
-    const Generic& config, Server::Configuration::FactoryContext& context) {
+    const Generic& config, const std::string& /*stats_prefix*/,
+    Server::Configuration::FactoryContext& context) {
   const auto& credential_secret = config.credential();
   auto& server_context = context.serverFactoryContext();
   auto& cluster_manager = server_context.clusterManager();

source/extensions/http/injected_credentials/generic/config.h

@@ -23,7 +23,7 @@ class GenericCredentialInjectorFactory : public Common::CredentialInjectorFactor
 
 private:
   Common::CredentialInjectorSharedPtr
-  createCredentialInjectorFromProtoTyped(const Generic& config,
+  createCredentialInjectorFromProtoTyped(const Generic& config, const std::string& stats_prefix,
                                          Server::Configuration::FactoryContext& context) override;
 };