Oauth2 support in Envoy xDS client

[htuch]

We should at least add support for an authorization header in the REST/gRPC clients. Beyond this, support for negotiating access tokens as described at https://developers.google.com/identity/protocols/OAuth2 and other auth, e.g. JWT, would be nice to have. We probably need the full auth flow if we want to maintain persistent connections beyond the lifetime that a static token would provide for.

[tschroed]

As discussed via email, I think there's a case to be made for a clean auth provider interface as there are likely other uses for something like this. To wit:

• oauth
• basic
• other org-specific auth mechanisms (e.g. cookies)
• even kerberos (I once worked at a place that did kerberos for web sites)

[htuch]

If we make the Google gRPC client a configurable alternative to the inbuilt client, we should probably align with the connection/call credentials scheme supported there, see https://grpc.io/docs/guides/auth.html.

[wora]

In addition to auth, do we care about load balancing and other settings?

[tschroed]

I'm uncertain how LB, etc. would interact with auth. Can you say more?

[wozz]

#3161 should resolve this issue

[mattklein123]

Closing as fixed.