proposal: add a filter for injecting credentials into outgoing HTTP requests

[yskopets]

Title: Add a filter for injecting credentials into outgoing HTTP requests

Description:

It would be conventient to have a standard filter that can inject credentials into outgoing HTTP requests (as a value of Authorization header).

The most common use cases:

1. OAuth2 access token credential
2. basic auth credential
3. opaque bearer token credential

The primary focus of this proposal is on injecting OAuth2 access token credential.

Proposal:

Add an HTTP filter with the following configuration model:

- name: envoy.filters.network.http_connection_manager
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
    http_filters:
    - name: envoy.filters.http.credentials
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.credentials.v3alpha.Injector
        config:
          rules:
          - match:
              ... # HTTP requests to match
            inject:
              credential: { ... } # credential to inject

If the list of rules is empty, the filter will have no effect.

With regards to OAuth2 support:

• the filter will allow a user to specify client_id and client_password
• and let filter to acquire OAuth2 access token through Client Credentials Grant flow
• the filter will also take care of refreshing access token

Usage examples:

Injecting OAuth2 access token

- name: envoy.filters.network.http_connection_manager
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
    http_filters:
    - name: envoy.filters.http.credentials
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.credentials.v3alpha.Injector
        config:
          rules:
          - match:
              prefix: /
            inject:
              credential:
                oauth2:
                  token_endpoint:
                    cluster: oauth
                    uri: oauth.com/token
                    timeout: 3s
                  client_credentials:
                    client_id:
                      secret:
                        name: client-id
                        sds_config:
                          path: "/var/run/secret/credentials/oauth2/client-id.yaml"
                    client_password:
                      secret:
                        name: client-password
                        sds_config:
                          path: "/var/run/secret/credentials/oauth2/client-password.yaml"
                  # (Optional)
                  scopes:
                  - "example"

Injecting basic auth credentials

- name: envoy.filters.network.http_connection_manager
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
    http_filters:
    - name: envoy.filters.http.credentials
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.credentials.v3alpha.Injector
        config:
          rules:
          - match:
              prefix: /
            inject:
              credential:
                basic:
                  username:
                    secret:
                      name: username
                      sds_config:
                        path: "/var/run/secret/credentials/basic/username.yaml"
                  password:
                    secret:
                      name: password
                      sds_config:
                        path: "/var/run/secret/credentials/basic/password.yaml"

Injecting opaque bearer token credential

- name: envoy.filters.network.http_connection_manager
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
    http_filters:
    - name: envoy.filters.http.credentials
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.credentials.v3alpha.Injector
        config:
          rules:
          - match:
              prefix: /
            inject:
              credential:
                generic:
                  prefix: "Bearer "
                  value:
                    secret:
                      name: bearer-token
                      sds_config:
                        path: "/var/run/secret/credentials/generic/bearer-token.yaml"

[wbpcode]

Could you give some more descriptions about the specific scenes?

IMO, this may be useful in the mesh where the mTLS is disabled and authentication is necessary.

[mbana]

We are also interested in this.

We want/need client_credentials: https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow because Envoy supports only authorization_code: https://github.com/envoyproxy/envoy/blob/main/source/extensions/filters/http/oauth2/oauth_client.cc#L25.

Do you have a branch or image I could use for testing, if you're already implemented it, that is.

[tedli]

Seriously, I need this feature, and I believe I'm not alone.

There was an out of maintenance service (A) which runs robustly for years. But the service (B) this old service depends on, got updated, that introduced auth for existing apis. (A calls B)
So a proxy is needed to inject credentials into request from A to consume B, because not willing to touch the code of A.

[wbpcode]

Seriously, I need this feature, and I believe I'm not alone.

There was an out of maintenance service (A) which runs robustly for years. But the service (B) this old service depends on, got updated, that introduced auth for existing apis. (A calls B) So a proxy is needed to inject credentials into request from A to consume B, because not willing to touch the code of A.

Sounds reasonable scene.

[wbpcode]

I tagged this issue to help wanted. But based on our contributing policy, we need a maintainer (@envoyproxy/envoy-maintainers) to sponsor this feature. Because we will add a new extension.

Check this https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md#adding-new-extensions for more info.

cc @yskopets

[tedli]

It would be convenient if this can affect at route level. So in an istio mesh, we can create EnvoyFilter cr to patch virtual_host, to tell which route need this, also the workload selector could be used to tell which pod need this.

[irab]

I'm keen to have this feature as well. There's a great use case for an outbound edge proxy, adding some protection against malicious code.

Say for example an internal service A needs to access an external service like GitHub. Current practice is to inject a PAT into the container, which can be retrieved by either code execution on the container or privileged access at a node or cluster level. If we move the PAT token out of the container and/or cluster then we can protect against malicious actors with code execution.

Authorisation could be managed with service account + outbound domain allowlists, with JWT validation?

[deva26]

We would be very much interested in this feature getting implemented. +100