diff --git a/api/envoy/extensions/filters/http/oauth2/v3/oauth.proto b/api/envoy/extensions/filters/http/oauth2/v3/oauth.proto
index 28766ca518dac..660d6c9d08934 100644
--- a/api/envoy/extensions/filters/http/oauth2/v3/oauth.proto
+++ b/api/envoy/extensions/filters/http/oauth2/v3/oauth.proto
@@ -149,9 +149,28 @@ message OAuth2Credentials {
 [(validate.rules).string = {pattern: "^$|^[^\\x00-\\x1f\\x7f \",;<>\\\\]+$"}];
 }
 
+// Configuration for the ``post_logout_redirect_uri`` parameter used in OpenID Connect
+// RP-Initiated Logout requests.
+message PostLogoutRedirectUri {
+ oneof config {
+ option (validate.required) = true;
+
+ // Do not include the ``post_logout_redirect_uri`` parameter in requests to the
+ // configured ``end_session_endpoint``.
+ bool disabled = 1 [(validate.rules).bool = {const: true}];
+
+ // URI to send as the ``post_logout_redirect_uri`` parameter. Supports header formatting
+ // tokens. For more information, including details on header value syntax, see the
+ // documentation on :ref:`custom request headers `.
+ //
+ // The URI should be registered with the authorization server.
+ string uri = 2 [(validate.rules).string = {min_len: 1}];
+ }
+}
+
 // OAuth config
 //
-// [#next-free-field: 28]
+// [#next-free-field: 29]
 message OAuth2Config {
 enum AuthType {
 // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
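Review bot: `uri` in `PostLogoutRedirectUri` is validated only with `min_len: 1` even though its comment says it accepts header formatting tokens, so a value expanded from request headers can reach the logout redirect parameter with no constraint stated in the schema. The comment should say that the expanded value is expected to be an absolute URI, that tokens reading request headers make it client-influenced, and that the authorization server's registered-URI check is what bounds it. If the rule suits formatter strings, the field could also reject control characters with a rule such as `string uri = 2 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];`.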
@@ -187,6 +206,16 @@ message OAuth2Config {
 // If configured, the OAuth2 filter will redirect users to this endpoint when they access the signout_path.
 string end_session_endpoint = 23;
 
+ // Controls the ``post_logout_redirect_uri`` parameter sent to the OpenID Connect
+ // ``end_session_endpoint``.
+ // This field is optional and should be set only if ``openid`` is in the ``auth_scopes``,
+ // the ``end_session_endpoint`` is configured, and the authorization server supports the
+ // OpenID Connect RP-Initiated Logout specification.
+ //
+ // If unset, Envoy preserves the historical behavior and sends the request scheme, authority,
+ // and ``/`` path as ``post_logout_redirect_uri``.
+ PostLogoutRedirectUri post_logout_redirect_uri = 28;
+
 // Credentials used for OAuth.
 OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}];
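Review bot: The comment on `post_logout_redirect_uri` documents the unset default as the request scheme and authority plus ``/``, but does not say that this default is taken from the incoming request, so it is only as trustworthy as the request authority after any upstream normalization. I would add a line such as `// The default is built from the incoming request; set ``uri`` explicitly when the request authority is not normalized before this filter.` The comment also leaves open what happens when the field is set while `end_session_endpoint` is empty (ignored or rejected); one sentence stating that would help. `OAuth2Config` starts and ends outside this hunk.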