I have created the following Envoy configuration. It is meant to act as an authentication filter that talks to the CIDP, obtains an access token, and, once authentication succeeds, redirects to a different Cloud Run service.
node:
  cluster: service_oauth2
  id: test-id-1
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 8081 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          codec_type: AUTO
          strip_matching_host_port: false
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: service_backend
          http_filters:
          - name: envoy.filters.http.oauth2
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
              config:
                token_endpoint:
                  cluster: google_oauth2
                  uri: https://oauth2.googleapis.com/token
                  timeout: 3s
                authorization_endpoint: https://accounts.google.com/o/oauth2/v2/auth
                redirect_uri: "https://%REQ(:authority)%/callback"
                redirect_path_matcher:
                  path:
                    exact: /callback
                signout_path:
                  path:
                    exact: /signout
                forward_bearer_token: true
                credentials:
                  client_id: "********"
                  token_secret:
                    name: token
                    sds_config:
                      path: "./token-secret.yaml"
                auth_scopes:
                - openid
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: google_oauth2
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    dns_lookup_family: V4_ONLY
    load_assignment:
      cluster_name: google_oauth2
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: oauth2.googleapis.com
                port_value: 443
  - name: service_backend
    type: static
    connect_timeout: 5s
    http2_protocol_options: {}
    load_assignment:
      cluster_name: service_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: myapp.cloudrun.app
                port_value: 8080
But I cannot start the Docker container locally. It exits with: Proto constraint validation failed (OAuth2ValidationError.Config: embedded message failed validation | caused by OAuth2ConfigValidationError.Credentials: embedded message failed validation | caused by field "token_formation" reason: is required):
1 answer

According to the documentation, your configuration file is probably missing the required hmac_secret. See the envoy.filters.http.oauth2 configuration example below:

You can also read about the OAuth2 filter flow at this link.
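The configuration example the answer refers to did not survive extraction. As an added example that is not part of the original answer, the fragment below shows the credentials block with the hmac_secret the answer says is required, together with the two SDS secret files it references. The file name hmac-secret.yaml, the secret name "hmac", and the placeholder secret values are assumptions; token-secret.yaml and the client_id come from the question.

```yaml
# Fragment of envoy.yaml: the credentials block under
# envoy.filters.http.oauth2 -> typed_config -> config.
# Only this block differs from the question's config (added example).
credentials:
  client_id: "********"            # OAuth client id, as in the question
  token_secret:                    # OAuth client secret, loaded through SDS
    name: token
    sds_config:
      path: "./token-secret.yaml"
  hmac_secret:                     # required: key Envoy uses to sign the cookies it issues
    name: hmac                     # assumed secret name; must match the SDS file below
    sds_config:
      path: "./hmac-secret.yaml"   # assumed file name

---
# token-secret.yaml: SDS file holding the OAuth client secret
resources:
- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
  name: token                      # must equal token_secret.name above
  generic_secret:
    secret:
      inline_string: "REPLACE_WITH_OAUTH_CLIENT_SECRET"   # placeholder

---
# hmac-secret.yaml: SDS file holding the HMAC signing key
resources:
- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
  name: hmac                       # must equal hmac_secret.name above
  generic_secret:
    secret:
      inline_string: "REPLACE_WITH_LONG_RANDOM_HMAC_KEY"  # placeholder; generate with a CSPRNG
```

The name in each SDS file must match the name under token_secret or hmac_secret, and the sds_config paths are resolved relative to the directory Envoy is started from, so the files need to be present inside the container at that location. The HMAC key is what lets the filter verify that the session cookies a client presents are ones Envoy itself issued; a short or guessable key would let anyone forge them, so generate a long random value rather than a memorable string. One further caveat beyond what the answer covers: the question's google_oauth2 cluster points at port 443 but has no transport_socket, so even after the validation error is fixed the token request would be sent in cleartext; the cluster needs a TLS transport_socket (envoy.transport_sockets.tls with sni set to oauth2.googleapis.com) for the token exchange to succeed.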