
SecurityPolicy oidc.provider.authorizationEndpoint ineffective without tokenEndpoint #7459

@dnesting

Description

When configuring a SecurityPolicy like:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
spec:
  oidc:
    provider:
      issuer: https://accounts.google.com
      authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline
      tokenEndpoint: https://oauth2.googleapis.com/token

In order for either authorizationEndpoint or tokenEndpoint to be effective, both must be specified in the configuration. Otherwise the field that is set is silently ignored.

This appears to be the invalid logic at internal/gatewayapi/securitypolicy.go:1426:

	// Discover the token and authorization endpoints from the issuer's well-known url if not explicitly specified.
	// EG assumes that the issuer url uses the same protocol and CA as the token endpoint.
	// If we need to support different protocols or CAs, we need to add more fields to the OIDCProvider CRD.
	if provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil {
		discoveredConfig, err := t.fetchEndpointsFromIssuer(provider.Issuer, providerTLS)
		if err != nil {
			return nil, err
		}
		tokenEndpoint = discoveredConfig.TokenEndpoint
		authorizationEndpoint = discoveredConfig.AuthorizationEndpoint
		// endSessionEndpoint is optional, and we prioritize using the one provided in the well-known configuration.
		if discoveredConfig.EndSessionEndpoint != nil && *discoveredConfig.EndSessionEndpoint != "" {
			endSessionEndpoint = discoveredConfig.EndSessionEndpoint
		}
	} else {
		tokenEndpoint = *provider.TokenEndpoint
		authorizationEndpoint = *provider.AuthorizationEndpoint
		endSessionEndpoint = provider.EndSessionEndpoint
	}

My goal here was to add a URL parameter to the authorization endpoint to get refresh tokens working. It should have discovered the token endpoint without me having to provide it as it would have done had I not set an authorization endpoint.
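The following stand-alone Go program is an added illustration of the merge logic the issue describes; it is not Envoy Gateway code. The `OIDCProvider` and `Endpoints` types are hypothetical stand-ins for the CRD fields, and `fakeDiscover` is a constructed replacement for the well-known-document fetch that derives URLs from the issuer so the program runs offline. `resolveBuggy` mirrors the `||` branch quoted above, where discovery overwrites both endpoints whenever either is unset; `resolveFixed` copies the explicit values first and discovers only what is still missing, so a custom `authorizationEndpoint` with its query parameter survives while the `tokenEndpoint` is still discovered.

```go
package main

import (
	"fmt"
	"strings"
)

// OIDCProvider is a hypothetical stand-in for the SecurityPolicy's
// oidc.provider fields (not the Envoy Gateway type itself).
type OIDCProvider struct {
	Issuer                string
	AuthorizationEndpoint *string
	TokenEndpoint         *string
	EndSessionEndpoint    *string
}

// Endpoints is used both for what discovery returns and for the merged result.
type Endpoints struct {
	AuthorizationEndpoint string
	TokenEndpoint         string
	EndSessionEndpoint    *string
}

func strPtr(s string) *string { return &s }

// fakeDiscover replaces the fetch of <issuer>/.well-known/openid-configuration.
// The URLs are constructed from the issuer so the example runs offline.
func fakeDiscover(issuer string) (*Endpoints, error) {
	if !strings.HasPrefix(issuer, "https://") {
		return nil, fmt.Errorf("issuer %q must use https", issuer)
	}
	base := strings.TrimSuffix(issuer, "/")
	return &Endpoints{
		AuthorizationEndpoint: base + "/o/oauth2/v2/auth",
		TokenEndpoint:         base + "/token",
		EndSessionEndpoint:    strPtr(base + "/logout"),
	}, nil
}

// resolveBuggy reproduces the logic quoted in the issue: if either endpoint
// is unset, BOTH are taken from discovery, so an explicit value is discarded.
func resolveBuggy(p OIDCProvider) (Endpoints, error) {
	var out Endpoints
	if p.TokenEndpoint == nil || p.AuthorizationEndpoint == nil {
		d, err := fakeDiscover(p.Issuer)
		if err != nil {
			return out, err
		}
		out.AuthorizationEndpoint = d.AuthorizationEndpoint
		out.TokenEndpoint = d.TokenEndpoint
		if d.EndSessionEndpoint != nil && *d.EndSessionEndpoint != "" {
			out.EndSessionEndpoint = d.EndSessionEndpoint
		}
	} else {
		out.AuthorizationEndpoint = *p.AuthorizationEndpoint
		out.TokenEndpoint = *p.TokenEndpoint
		out.EndSessionEndpoint = p.EndSessionEndpoint
	}
	return out, nil
}

// resolveFixed copies explicit values first and discovers only to fill in
// what is still missing, so a custom authorizationEndpoint survives.
func resolveFixed(p OIDCProvider) (Endpoints, error) {
	out := Endpoints{EndSessionEndpoint: p.EndSessionEndpoint}
	if p.AuthorizationEndpoint != nil {
		out.AuthorizationEndpoint = *p.AuthorizationEndpoint
	}
	if p.TokenEndpoint != nil {
		out.TokenEndpoint = *p.TokenEndpoint
	}
	if out.AuthorizationEndpoint == "" || out.TokenEndpoint == "" {
		d, err := fakeDiscover(p.Issuer)
		if err != nil {
			return out, err
		}
		if out.AuthorizationEndpoint == "" {
			out.AuthorizationEndpoint = d.AuthorizationEndpoint
		}
		if out.TokenEndpoint == "" {
			out.TokenEndpoint = d.TokenEndpoint
		}
		// Same precedence as the original: a discovered end-session endpoint wins.
		if d.EndSessionEndpoint != nil && *d.EndSessionEndpoint != "" {
			out.EndSessionEndpoint = d.EndSessionEndpoint
		}
	}
	return out, nil
}

func main() {
	p := OIDCProvider{
		Issuer:                "https://accounts.google.com",
		AuthorizationEndpoint: strPtr("https://accounts.google.com/o/oauth2/v2/auth?access_type=offline"),
	}
	b, _ := resolveBuggy(p)
	f, _ := resolveFixed(p)
	fmt.Println("buggy:", b.AuthorizationEndpoint, "| fixed:", f.AuthorizationEndpoint, f.TokenEndpoint)
}
```

Running it shows the buggy path dropping the `access_type=offline` parameter in favour of the discovered authorization URL, while the fixed path keeps the operator's URL and fills in only the token endpoint. The fixed variant also preserves the original behaviour when both endpoints are explicit (no discovery at all) and when the issuer is unusable (the discovery error propagates instead of a silently empty endpoint).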

Metadata

Labels

kind/bug (Something isn't working)