Question: set-cookie on client response in successful ExtAuthz response

[mikehuston]

When using ExtAuthz HttpService, is there a way to set set-cookie header on the client response based on the same header in a response from a successful ExtAuthz request?

allowed_client_headers is close to what I want, but my read of the doc comments (and rudimentary manual tests) is that these response headers are only transferred to the client response for unsuccessful ExtAuthz requests, whereas I would like to set the set-cookie header on the client response for a successful ExtAuthz request. One use case for this is to extend a session cookie validity as the user remains active.

Could someone confirm this is correct, and perhaps suggest a workaround for this using other Envoy primitives? Ideally in order to best follow principle of least privilege, I'd prefer that the set-cookie header only be sent to the client and not upstream.

[mattklein123]

cc @dio @gsagula

[stale]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.

[dio]

I'm investigating this. Once it is possible to re-open the issue, I'll do it.

[dio]

There are two things here.

1. You need to set the response_header_to_add for the router. This can be done Today, through a config, e.g.

          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
			  request_headers_to_remove:
			  - i-dont-want-upstream-to-see-this
              response_headers_to_add:
              - header:
                  key: "foo"
                  value: "%REQ(foo)%"

However, you need to send that foo header to "upstream" through:

          - name: envoy.ext_authz
            config:
              http_service:
                server_uri:
                  uri: http://authorization-service:8080
                  cluster: service_authz
                  timeout: 2s
                authorization_response:
                  allowed_upstream_headers:
                    patterns:
                    - exact: foo

which probably you don't want to (hence the request_headers_to_remove). So the ask here, how to pass the intended headers (the response header from the ext_authz service) to, most likely, the router (so it understands the response headers to add (which are provided by ext_authz service) when responding to the client).

2. The config of response_header_to_add can't deal (yet) with repeated header key, which is normal for set-cookie.

              response_headers_to_add:
              - header:
                  key: "set-cookie"
                  value: "%REQ(set-cookie)%"

[stale]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.