
OpenID Connect WASM Filter


An Envoy proxy extension that handles end-user authentication using OpenID Connect (OIDC). Only the Authorization Code flow is supported.

Deployment

Filter builds are hosted on WebAssemblyHub

Extension overview

The extension is written in Rust with the compile target `wasm32-wasi`. The filter is written against the WebAssembly for Proxies (proxy-wasm) ABI specification. Tested with envoy:v1.17.

Extension Paths

The extension handles requests to the following paths itself, so applications behind the proxy must not use the same paths.

| Path | Description |
|---|---|
| `/callback` | Path on the proxy that the authorization server redirects the end-user back to after authentication. |
| `/start` | Starts an OpenID Connect authorization flow. |
| `/sign_out` | Clears the session with the extension; it does not clear the session with the IdP. |

Usage

Configuration

The filter is configured with the fields below. Some fields are optional and have default values; fields marked `Required` have no default.

| Field | Type | Default | Description |
|---|---|---|---|
| `redirect_uri` | String | `/callback` | URL the authorization server redirects the end-user back to after authentication |
| `cookie_name` | String | `oidcSession` | Name of the cookie that holds the user's session with the filter |
| `scopes` | list[String] | `["openid"]` | Scopes the filter will request from the authorization server |
| `auth_cluster` | String | `auth_server_cluster` | Envoy cluster the filter uses to issue token requests to the authorization server |
| `auth_url` | String | Required | URL that unauthenticated end-users are redirected to (the authorization endpoint) |
| `token_url` | String | Required | URL the filter issues token requests against (the token endpoint) |
| `client_id` | String | Required | OAuth 2.0 / OIDC client ID |
| `client_secret` | String | Required | OAuth 2.0 / OIDC client secret |
| `extra_params` | list[[String, String]] | `[]` | Extra query parameters the filter adds to the authorization redirect |
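The following is an added example of how these fields might be wired into an Envoy 1.17 configuration; it is not taken from the project and the page does not specify the encoding the filter parses its configuration from. It assumes the filter reads a JSON object passed through `google.protobuf.StringValue`, and the `.wasm` path, IdP hostname, client ID and client secret are placeholders. `redirect_uri` and `cookie_name` are left at their defaults.

```yaml
# Added example, not the project's own configuration. Two fragments of an Envoy
# static_resources block: the HTTP filter entry (under http_connection_manager)
# and the cluster the filter uses for token requests.
#
# Assumptions: plugin config is JSON in a StringValue; all hostnames, paths and
# credentials below are placeholders.
http_filters:
- name: envoy.filters.http.wasm
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
    config:
      name: oidc_filter
      vm_config:
        runtime: envoy.wasm.runtime.v8
        code:
          local:
            filename: /etc/envoy/oidc_filter.wasm   # placeholder path to the build from WebAssemblyHub
      configuration:
        "@type": type.googleapis.com/google.protobuf.StringValue
        value: |
          {
            "auth_url": "https://idp.example.com/authorize",
            "token_url": "https://idp.example.com/token",
            "client_id": "my-client-id",
            "client_secret": "REPLACE_WITH_SECRET",
            "auth_cluster": "auth_server_cluster",
            "scopes": ["openid", "profile"],
            "extra_params": [["prompt", "login"]]
          }
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

# The cluster named in auth_cluster. Token requests carry the client secret, so
# the cluster must use TLS to the IdP; a plaintext cluster would leak it.
clusters:
- name: auth_server_cluster
  type: STRICT_DNS
  connect_timeout: 5s
  load_assignment:
    cluster_name: auth_server_cluster
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: idp.example.com
              port_value: 443
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      sni: idp.example.com
```

Two things to check in a real deployment: the `client_secret` sits in the Envoy config in the clear, so the config file needs the same protection as the secret itself, and the listener's routes must let `/start`, `/callback` and `/sign_out` reach this filter rather than routing them to an upstream.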

Upstream Request Headers

The filter adds the tokens received from the authorization server to the upstream request as headers. Upstream applications receive the request with the tokens in the following headers. NOTE: Upstream applications are responsible for validating the received tokens; the filter does not verify them on the application's behalf.

| Header | Token | Description |
|---|---|---|
| `Authorization` | Access token | The access token from the successful authorization flow is added to the request in the `Authorization` header as a bearer token (`Authorization: Bearer <access_token>`). |
| `X-Forwarded-ID-Token` | ID token | The ID token, if returned by the authorization server, is added as the value of the `X-Forwarded-ID-Token` header. |