Revert changes introduced in PR #663

[ggmoy]

Description

The changes introduced in envoyproxy/envoy PR #40228 and envoyproxy/examples PR #663 broke the passthrough functionality of the OAuth2 filter: OAuth2 cookies were removed for requests matching the pass_through_matcher configuration. This affected setups with multiple OAuth2 filter instances using different pass_through_matcher configurations, because the first matching instance removed the OAuth2 cookies--even when a passthrough was intended--impacting subsequent filters that still needed those cookies.

This PR reverts the changes introduced by envoyproxy/examples PR #663 and unblocks envoyproxy/envoy PR #40228.

[phlax]

@zhaohuabing for some reason im unable to assign you this - would you mind reviewing

[phlax]

@ggmoy not sure why ci is not running on this - could you amend commit or add an empty commit to try and force it

[ggmoy]

@ggmoy not sure why ci is not running on this - could you amend commit or add an empty commit to try and force it

@phlax, I added a test commit just to force the CI (I'll revert it then). I can see the following message on the checks tab:

This workflow is awaiting approval from a maintainer in #814.

[zhaohuabing]

@ggmoy Do we need the cookie attributes in the request to make PR envoyproxy/envoy#40718 work?

[phlax]

ah yep - apologies @ggmoy - i was travelling and didnt check properly - kicked ci and its passing

[phlax]

@zhaohuabing once you approve happy to move these prs through

[zhaohuabing]

@zhaohuabing once you approve happy to move these prs through

I'm a little lost here - why do we need cookie attributes for the requests?

[ggmoy]

@ggmoy Do we need the cookie attributes in the request to make PR envoyproxy/envoy#40718 work?

Good point, @zhaohuabing. Just looking a little deeper, the changes introduced in PR [#663] should not be affecting. Let me try to run those tests locally to understand why the BearerToken can't be found in token_storage when the call to /hub/user is made.

[ggmoy]

@zhaohuabing once you approve happy to move these prs through

I'm a little lost here - why do we need cookie attributes for the requests?

@zhaohuabing , the BearerToken cookie is needed to access /hub/user. You can see this in line 27.

[zhaohuabing]

@zhaohuabing , the BearerToken cookie is needed to access /hub/user. You can see this in line 27.

Yes, but does the current shell already extracts the BearerToken from the response and use it in the request?

TOKEN=$(echo "$RESPONSE" | grep "set-cookie: BearerToken=" | sed -E 's/^set-cookie: (BearerToken=[^;]+);.*$/\1/')

[ggmoy]

@zhaohuabing , the BearerToken cookie is needed to access /hub/user. You can see this in line 27.

Yes, but does the current shell already extracts the BearerToken from the response and use it in the request?

TOKEN=$(echo "$RESPONSE" | grep "set-cookie: BearerToken=" | sed -E 's/^set-cookie: (BearerToken=[^;]+);.*$/\1/')

Yes, it does. You can see it in the output of the failing of job #48171552179. It is calling curl with the extracted BearerToken:

1257 ERROR: curl (http://localhost:11901/hub/user --cookie OauthHMAC=SqqBu46Ff0h5gaLHs1ifwiBhVfBGE4Zswfq9MIVZUnQ= --cookie OauthExpires=1755267220 --cookie BearerToken=oDrkjNsyWJ0QCl1Yieul-u9Q0ngz5ViEs3UNAMADvDGT8kG9vSbWthAbQAdgY9z8fecP2s4N4xJ4rznxTzBWbA)

[ggmoy]

@zhaohuabing / @phlax, I found the issue. It is not related with the changes introduced in PR [#663]. So sorry for the confusion!

I'll close this PR and open a new one with the final fix.