Error creating an Envoy OAuth2 filter with Docker

ars1skjm posted on 2023-11-16 in Docker

I have created the following Envoy configuration, which acts as an authentication filter, talks to the CIDP and obtains an access token. Once authentication succeeds, it redirects to a different Cloud Run service.

node:
  cluster: service_oauth2
  id: test-id-1

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 8081 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          codec_type: AUTO
          strip_matching_host_port: false
          route_config:
            name: local_route           
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route: 
                  cluster: service_backend
                
          http_filters:
          - name: envoy.filters.http.oauth2
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
              config:
                token_endpoint:
                  cluster: google_oauth2
                  uri: https://oauth2.googleapis.com/token
                  timeout: 3s
                authorization_endpoint: https://accounts.google.com/o/oauth2/v2/auth
                redirect_uri: "https://%REQ(:authority)%/callback"               
                redirect_path_matcher:
                  path:
                    exact: /callback
                signout_path:
                  path:
                    exact: /signout  
                forward_bearer_token: true                      
                credentials:
                  client_id: "********"
                  token_secret:
                    name: token
                    sds_config:
                      path: "./token-secret.yaml"
                auth_scopes:
                - openid
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router          
 
  clusters:
  - name: google_oauth2
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    dns_lookup_family: V4_ONLY    
    load_assignment:
      cluster_name: google_oauth2
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: oauth2.googleapis.com
                port_value: 443

  - name: service_backend
    type: static
    connect_timeout: 5s
    http2_protocol_options: {}
    load_assignment:
      cluster_name: service_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: myapp.cloudrun.app
                port_value: 8080

But I cannot start the Docker container locally. It exits with: Proto constraint validation failed (OAuth2ValidationError.Config: embedded message failed validation | caused by OAuth2ConfigValidationError.Credentials: embedded message failed validation | caused by field "token_formation" reason: is required):

c9qzyr3d 1#

According to the documentation, your configuration file is probably missing the required hmac_secret. See the envoy.filters.http.oauth2 configuration example below:

config:
  token_endpoint:
    cluster: oauth
    uri: oauth.com/token
    timeout: 3s
  authorization_endpoint: https://oauth.com/oauth/authorize/
  redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
  redirect_path_matcher:
    path:
      exact: /callback
  signout_path:
    path:
      exact: /signout
  credentials:
    client_id: foo
    token_secret:
      name: token
      sds_config:
        path: "/etc/envoy/token-secret.yaml"
    hmac_secret:
      name: hmac
      sds_config:
        path: "/etc/envoy/hmac.yaml"
  # (Optional): defaults to 'user' scope if not provided
  auth_scopes:
  - user
  - openid
  - email
  # (Optional): set resource parameter for Authorization request
  resources:
  - oauth2-resource
  - http://example.com

You can also read about the OAuth2 filter flow in this link.
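The hmac_secret the answer refers to is delivered through the same SDS file mechanism the question already uses for token_secret. As an added illustration (not code from the question or from the Envoy documentation), here is the credentials block from the question with the missing secret added, followed by the contents of the SDS file it points at; the file name ./hmac-secret.yaml and the placeholder key value are assumptions.

```yaml
# Patched credentials block for the envoy.filters.http.oauth2 filter in the question.
credentials:
  client_id: "********"
  token_secret:                 # OAuth client secret, already present in the question
    name: token
    sds_config:
      path: "./token-secret.yaml"
  hmac_secret:                  # required: key used to sign the cookies Envoy sets after login
    name: hmac                  # must match the `name` of the Secret resource below
    sds_config:
      path: "./hmac-secret.yaml"   # assumed file name, mounted into the container

# ./hmac-secret.yaml (assumed name): an SDS generic secret carrying the HMAC key.
# Use a fresh random value (e.g. the output of `openssl rand -base64 32`), not the OAuth
# client secret, so that a leaked cookie-signing key does not also expose the client credential.
resources:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
  name: hmac
  generic_secret:
    secret:
      inline_bytes: "PLACEHOLDER_BASE64_RANDOM_KEY"   # placeholder: replace with the base64 key
```

The relative paths resolve against Envoy's working directory inside the container, so bind-mount both secret files next to the main config or use absolute paths as in the documentation example. If the `name` in the filter and in the Secret resource differ, Envoy will keep waiting for the secret instead of serving traffic.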
