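--- a/api/envoy/extensions/filters/http/oauth2/v3/oauth.proto
+++ b/api/envoy/extensions/filters/http/oauth2/v3/oauth.proto
@@ -149,9 +149,28 @@ message OAuth2Credentials {
 [(validate.rules).string = {pattern: "^$|^[^\\x00-\\x1f\\x7f \",;<>\\\\]+$"}];
 }
 
+// Configuration for the ``post_logout_redirect_uri`` parameter used in OpenID Connect
+// RP-Initiated Logout requests.
+message PostLogoutRedirectUri {
+oneof config {
+option (validate.required) = true;
+
+// Do not include the ``post_logout_redirect_uri`` parameter in requests to the
+// configured ``end_session_endpoint``.
+bool disabled = 1 [(validate.rules).bool = {const: true}];
+
+// URI to send as the ``post_logout_redirect_uri`` parameter. Supports header formatting
+// tokens. For more information, including details on header value syntax, see the
+// documentation on :ref:`custom request headers <config_http_conn_man_headers_custom_request_headers>`.
+//
+// The URI should be registered with the authorization server.
+string uri = 2 [(validate.rules).string = {min_len: 1}];
+}
+}
+
 // OAuth config
 //
-// [#next-free-field: 28]
+// [#next-free-field: 29]
 message OAuth2Config {
 enum AuthType {
 // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -187,6 +206,16 @@ message OAuth2Config {
 // If configured, the OAuth2 filter will redirect users to this endpoint when they access the signout_path.
 string end_session_endpoint = 23;
 
+// Controls the ``post_logout_redirect_uri`` parameter sent to the OpenID Connect
+// ``end_session_endpoint``.
+// This field is optional and should be set only if ``openid`` is in the ``auth_scopes``,
+// the ``end_session_endpoint`` is configured, and the authorization server supports the
+// OpenID Connect RP-Initiated Logout specification.
+//
+// If unset, Envoy preserves the historical behavior and sends the request scheme, authority,
+// and ``/`` path as ``post_logout_redirect_uri``.
+PostLogoutRedirectUri post_logout_redirect_uri = 28;
+
 // Credentials used for OAuth.
 OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}];
 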
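Review bot: The comment on `uri` in `PostLogoutRedirectUri` advertises header formatting tokens but does not warn that a token expanding a client-supplied header (for example `%REQ(...)%`) makes the post-logout redirect target client-influenced, which leaves the authorization server's registered-URI check as the only barrier. I would tighten its last sentence to `// The URI must be registered with the authorization server. Avoid formatting tokens that expand client-controlled request headers.` and also state whether the expanded value is percent-encoded before it is appended to the ``end_session_endpoint`` query, which this section does not show. The only schema-level constraint is `min_len: 1`, so a relative or malformed value passes config validation; if that is deliberate because of the tokens, the comment should say so. In the second hunk, the comment on `post_logout_redirect_uri` describes the unset default as built from the request scheme and authority, and it would help to note there that this default is therefore derived from request data rather than from configuration.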