Hi. With envoy gateway version 1.1.2 (envoy version 1.31.2) all my OIDC filters were working fine. I haven't touched any of my `SecurityPolicies` and updated to 1.2.1 (envoy version 1.32.1) and now I get an `OAuth flow failed` error in the browser with `oauth.missing_credentials` in the envoy logs. When I enable debug logging I additionally see my IDP (Microsoft Entra ID fka AAD) complaining about a missing `client_id` in the POST body during the OIDC token request: `AADSTS900144: The request body must contain the following parameter: 'client_id'`.
I further troubleshot this by doing a fresh envoy gateway installation in version 1.2.1 on a separate cluster and gradually applying configuration to it. While doing this I noticed that apparently OIDC is working fine in the beginning and then fails at some point. Furthermore, this seems to happen quite randomly: sometimes a certain OIDC filter is working, then after some time of usage or after applying some unrelated envoy resources to the cluster it stops working, and after some time it might even recover and be working again. Generally I have the feeling that the more different OIDC filters are in place on a cluster, the more likely it is to cause this issue.
This issue might be related to #4625, which describes similar behavior with a different IDP but suspects the `nonce` as the cause.
#4706, which is about a general instability of OIDC (in conjunction with JWT authorization), could be related as well.
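To narrow down a symptom like the one reported above (the IdP rejecting the token request because `client_id` is absent from the POST body), it helps to see exactly what the gateway sends to the token endpoint rather than relying on the IdP's error text. The following is an added example, not code from the issue or from the Envoy Gateway project: a stub token endpoint that checks an authorization-code token request for the parameters RFC 6749 section 4.1.3 requires and answers with an `invalid_request` error naming whatever is missing. The listen address, the `/token` path, the sample bodies and the token values are all constructed for this example.

```python
"""Stub OAuth2 token endpoint for checking what a gateway actually POSTs.

Added example, not Envoy Gateway code. Listen address, path, sample
bodies and dummy token values are constructed for illustration.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Required form parameters of an authorization-code token request
# (RFC 6749 section 4.1.3). client_id may instead be conveyed by HTTP
# Basic client authentication, so it is only required without that header.
REQUIRED_PARAMS = ("grant_type", "code", "redirect_uri", "client_id")


def missing_token_request_params(body: str, has_basic_auth: bool = False) -> list:
    """Return the required form parameters that are absent or empty in body."""
    form = parse_qs(body, keep_blank_values=True)
    missing = []
    for name in REQUIRED_PARAMS:
        if name == "client_id" and has_basic_auth:
            continue  # client is identified by the Authorization header instead
        values = form.get(name, [])
        if not values or values[0] == "":
            missing.append(name)
    return missing


def token_response(body: str, has_basic_auth: bool = False):
    """Build (status, payload) for a token request, rejecting incomplete bodies
    the way an IdP does instead of silently issuing a token."""
    missing = missing_token_request_params(body, has_basic_auth)
    if missing:
        return 400, {
            "error": "invalid_request",
            "error_description": "The request body must contain the following parameter(s): "
            + ", ".join(f"'{m}'" for m in missing),
        }
    # Constructed dummy token; a real IdP would issue signed tokens here.
    return 200, {"access_token": "stub-access-token", "token_type": "Bearer", "expires_in": 3600}


class StubTokenEndpoint(BaseHTTPRequestHandler):
    """Logs which parameters each token request carried and answers like an IdP."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        has_basic = self.headers.get("Authorization", "").startswith("Basic ")
        status, payload = token_response(body, has_basic)
        # Log only parameter names, never the code or client_secret values.
        present = sorted(parse_qs(body).keys())
        self.log_message("POST %s params=%s status=%d", self.path, present, status)
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


# Constructed sample bodies: a complete request, and one reproducing the
# symptom described in the issue (everything present except client_id).
GOOD_BODY = ("grant_type=authorization_code&code=EXAMPLE-CODE"
             "&redirect_uri=https%3A%2F%2Fapp.example%2Foauth2%2Fcallback"
             "&client_id=example-client-id&client_secret=example-secret")
BAD_BODY = ("grant_type=authorization_code&code=EXAMPLE-CODE"
            "&redirect_uri=https%3A%2F%2Fapp.example%2Foauth2%2Fcallback"
            "&client_secret=example-secret")

if __name__ == "__main__":
    print("good body missing:", missing_token_request_params(GOOD_BODY))
    print("bad body missing: ", missing_token_request_params(BAD_BODY))
    # Hypothetical address; point a test policy's OIDC token endpoint at
    # http://127.0.0.1:8089/token to observe what the gateway sends.
    HTTPServer(("127.0.0.1", 8089), StubTokenEndpoint).serve_forever()
```

Run in a throwaway environment, with the OIDC provider's token endpoint in a test `SecurityPolicy` pointed at the stub, the request log shows whether `client_id` is present in the body at the moment a filter starts failing, which separates a gateway-side regression from an IdP-side rejection. The stub does not validate the code or secret, so it is a diagnostic aid only, not a usable IdP.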