Skip to content

A OpenID Connect and OAuth 2.0 WebAssembly proxy filter.

Notifications You must be signed in to change notification settings

sonhal/wasm-oauth-filter

Repository files navigation

OpenID Connect WASM Filter

Workflow badge

An Envoy proxy extension that handles end-user authentication using OpenID Connect(OIDC). Only Authorization code flow is supported.

Deployment

Filter builds are hosted on WebAssemblyHub

Extension overview

The extension is written in Rust and the compile target is wasm32-wasi. The filter is written against the WebAssembly for Proxies (ABI specification) . Tested with envoy:v1.17.

Extension Paths

The extension will handle request to these paths differently and applications should not use the same paths.

Path Description
/callback path on the proxy the authorization server redirects the end-user back to after authentication.
/start Starts a OpenID Connect Authorization flow
/sign_out Clears the session with the extension, does not clear the session with the IdP

Usage

Configuration

The filter can be configured through. Note that some fields are optional with default values.

Field Type Default Description
redirect_uri String /callback URL the authorization server redirects the end-user back to after authentication
cookie_name String oidcSession Cookie name that holds the session cookie for the user
scopes list[String] ["openid"] Scopes the filter will request from the authorization server
auth_cluster String auth_server_cluster Envoy cluster that the filter will use to issue token request to the authorization server
auth_url String Required The URL that unauthenticated end-users will be redirected to.
token_url String Required The URL that the filter will issue token requests against
client_id String Required OAuth 2.0 / OIDC client ID
client_secret String Required OAuth 2.0 / OIDC client secret
extra_params list[[String, String]] [] Extra query parameters the filter will add to the authorization redirect to the authorization server

Upstream Request Headers

The filter will add the received tokens from the authorization server to request headers. Upstream application will receive request with tokens in the following request headers. NOTE: Upstream applications are responsible for validation of the received tokens.

Header Token Description
Authorization Access token The access token from the successful authoriziation flow will be added by the filter to request in the Authorization header. The token will be added as a bearer token
X-Forwarded-ID-Token id token The ID token, if returned from the authorization server, will be added as a value to the X-Forwarded-ID-Token header

About

A OpenID Connect and OAuth 2.0 WebAssembly proxy filter.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages