Option to overwrite every OAuth2Filter Cookie via OIDCCookieNames

[denniskniep]

FeatureRequest:
Can we extend SecurityPolicy.OIDC.CookieNames to be able to optionally overwrite every possible OAuth2Filter cookie name (adding: oauth_hmac, oauth_expires, refresh_token, oauth_nonce) see here? Currently you can only overwrite bearer_token and id_token.

UseCase:
I would like to be able to remove the internal OAuthFilter cookies before forwarding the request to upstream.

Happy to take this task.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

[denniskniep]

not stale

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

[denniskniep]

Not stale

[coro]

We also have interest in this, specifically for RefreshToken - we would like to be able to migrate from an existing OIDC solution with static refresh token cookie names, and having a preemptible refresh token name means we can seamlessly migrate specific routes over to Envoy.

[coro]

FYI @denniskniep I've submitted the API PR #5655 for this to kick off that conversation.

[coro]

As discussed in #5655 with @zhaohuabing, it sounds like instead of allowing configurability of these internal cookie names, the best way forwards would be for the core OAuth filter to automatically remove these cookies (RefreshToken-xxxxx, CodeVerifier-xxxxx and OAuthxxxxx-xxxxx) before forwarding to the Backend.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.