Support configuration of resources in SecurityPolicy's OIDC filter #3036
Description
In order to request a certain resource from the authorization server, a resource can be specified in the OIDC authentication request. This is a feature which Envoy itself already supports in its OIDC filter; it just has to be made configurable via Envoy Gateway's SecurityPolicy.
Concrete use case:
The kubernetes/dashboard is a web front-end which enables cluster administrators to explore the cluster contents in a web browser. To authenticate, a valid bearer token has to be specified in each request to the dashboard. Managed clusters from cloud providers are often integrated with some IdP solution (for example Entra ID, formerly known as AAD), which means the Kubernetes API accepts tokens issued by the IdP. There are various guides on the internet using oauth2-proxy/oauth2-proxy to achieve this for the dashboard. In those cases the oauth2-proxy requests tokens from the IdP and sends them along with upstream requests to the dashboard, seamlessly enabling authentication for it. But with Envoy Gateway there is no need to use this additional service, as Envoy already has everything on board to do this. However, in the particular case of AKS, a resource has to be specified when requesting such a token from the IdP, which the SecurityPolicy currently does not support.
I have already implemented this and would be happy to see this merged.
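What the dashboard use case described above could look like as a SecurityPolicy once the field exists, as an added illustration that is not part of the issue or of the Envoy Gateway project; the `resources` field name, the issuer, client ID, secret name, hostname and route name are assumptions, and the resource value determines which audience the IdP mints the token for.

```yaml
# Added example (not from the issue): OIDC SecurityPolicy for a dashboard route,
# including the resource indicator the issue asks for. Field name `resources`,
# namespace, secret name, route name and all angle-bracket values are assumptions.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: dashboard-oidc
  namespace: kubernetes-dashboard
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: dashboard
  oidc:
    provider:
      # Entra ID tenant issuer; <tenant-id> is a placeholder
      issuer: "https://login.microsoftonline.com/<tenant-id>/v2.0"
    clientID: "<app-registration-client-id>"
    clientSecret:
      # Kubernetes Secret in the same namespace holding the client secret
      name: dashboard-oidc-client-secret
    redirectURL: "https://dashboard.example.com/oauth2/callback"
    logoutPath: "/logout"
    scopes: ["openid", "profile", "email"]
    # Passed as the `resource` parameter of the authorization request, so the
    # IdP issues a token whose audience is the cluster's API server rather than
    # a generic ID token the dashboard cannot forward to the Kubernetes API.
    resources:
      - "<aks-server-application-id>"
```

Verify the effect by inspecting the 302 issued on first access: the `Location` header of the redirect to the IdP should carry `resource=<aks-server-application-id>` next to `client_id` and `scope`.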