Envoy Oauth2 Filter helloworld

Envoy Oauth2 Filter

A simple sample demonstrating Envoy's Oauth2 Filter.

This filter handles all the details of the OAuth 2.0 flow for web server applications and, once a user is validated, forwards the request to the backend application.

Web applications can certainly handle the oauth2 flow themselves (see the flask plugin), but this filter manages the sessions for you and, after a successful login, provides an HMAC confirmation that a login happened and, optionally, the raw access_token for the user who logged in.

As is the nature of envoy, this configuration does all the legwork for you and presents the backend service you run with the user's oauth2 authentication token (i.e., envoy does the whole oauth2 flow for you).

At a high level, it's basically:

  1. the user accesses a URL handled by envoy
  2. envoy presents the user with the oauth2 flow and redirects to google
  3. the user logs into google and is redirected back to envoy
  4. envoy completes the oauth2 flow and acquires the user's access_token
  5. envoy signs an HMAC cookie and sends it to the user along with a redirect to the URL requested in step 1
  6. the user requests the URL again and presents the HMAC cookies
  7. envoy verifies the cookies and forwards the request to the backend server
  8. the backend server verifies that the HMAC values match and optionally extracts the access_token

images/login_flow.png

Note, part of this tutorial is inspired by veehaitch@. The enhancement I added is to do hmac validation.

Setup

This tutorial runs envoy and the backend server locally for testing. Envoy runs on port :8081 and the backend server on :8082, both over TLS.

Configure client_id/secret

The first step is to configure an oauth2 client_id and client_secret. For google cloud, configure one here.

For this tutorial, you can set the Authorized Redirect Uri value to https://envoy.esodemoapp2.com:8081.
images/client_id.png

Note, I've set up DNS resolution on that domain to point back to "localhost" (which is where this tutorial takes place and where the envoy and backend servers run).

$ nslookup envoy.esodemoapp2.com 8.8.8.8
Name:	envoy.esodemoapp2.com
Address: 127.0.0.1

$ nslookup backend.esodemoapp2.com 8.8.8.8
Name:	backend.esodemoapp2.com
Address: 127.0.0.1

Once you have the client_id and secret:

For the client_id, edit proxy.yaml and set the value:

    credentials:
      client_id: "248066739582-h498t6035hm9lvp5u9jelm8i67rp43vq.apps.googleusercontent.com"

For the client_secret, edit the token-secret.yaml file and enter it there.

Also note that the HMAC secret is specified in a file appropriately named hmac-secret.yaml.

The token-secret, client_id and client_secret are now all set.

Start Envoy

First, get the latest envoy binary:

 docker cp `docker create envoyproxy/envoy-dev:latest`:/usr/local/bin/envoy .

Then just run envoy against the proxy.yaml config in this repository:

./envoy --base-id 0 -c proxy.yaml

Start backend service

Now run the backend service webserver:

go run main.go --validateUser

In an incognito browser, go to

This will redirect you to google's oauth2 login screens, where you can log in.

Once logged in, you'll be redirected back through envoy and ultimately to the backend service.

The backend service will receive the following:

  • OauthExpires: when this cookie expires
  • Host: the standard host header
  • BearerToken: the raw oauth2 access_token. This value is optionally enabled with the forward_bearer_token: true flag in proxy.yaml
  • OauthHMAC: hmac(OauthExpires + Host + BearerToken), computed with the shared HMAC secret

The backend service verifies the HMAC cookies sent by envoy using the shared secret value that envoy was set up with. In other words, the backend service should extract the cookies and host header, perform the same HMAC, and check the authenticity of the provided cookie.

The provided backend service does one optional flow as well: it uses the oauth2 tokeninfo endpoint to determine who the user is.

You can also terminate envoy's session by invoking the /signout URL at any time. This invalidates all the cookies.

One more thing to note: while users can use any system to perform oauth2 flows, scopes are restricted or sensitive. In other words, you can't just ask a user for their cloud-platform-enabled access_token and start doing stuff.
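The verification step described above, as an added Go example that is not the repository's main.go: it recomputes the cookie HMAC from the received cookies and Host header, compares it in constant time, and rejects expired or tampered sessions. The payload order (OauthExpires, Host, BearerToken) follows this README; the hex-then-base64 encoding of the digest and the demo secret are assumptions and must match the Envoy release actually deployed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strconv"
	"time"
)

// envoyHMAC recomputes the value carried in the OauthHMAC cookie:
// base64( hex( HMAC-SHA256(secret, expires || host || token) ) ).
// Payload order follows this README; the hex-then-base64 encoding is an
// assumption and must match the Envoy release you deploy.
func envoyHMAC(secret []byte, expires, host, token string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(expires + host + token))
	return base64.StdEncoding.EncodeToString([]byte(hex.EncodeToString(mac.Sum(nil))))
}

// verifyEnvoyCookies is the check the backend runs on every request:
// recompute the HMAC from the forwarded cookies and Host header, compare in
// constant time, and reject sessions whose OauthExpires (unix seconds) has
// passed. cookies holds OauthHMAC, OauthExpires and optionally BearerToken.
func verifyEnvoyCookies(secret []byte, host string, cookies map[string]string, now time.Time) error {
	expires := cookies["OauthExpires"]
	exp, err := strconv.ParseInt(expires, 10, 64)
	if err != nil {
		return fmt.Errorf("bad OauthExpires %q", expires)
	}
	if now.Unix() >= exp {
		return fmt.Errorf("session expired at %d", exp)
	}
	want := envoyHMAC(secret, expires, host, cookies["BearerToken"])
	if !hmac.Equal([]byte(want), []byte(cookies["OauthHMAC"])) {
		return fmt.Errorf("OauthHMAC mismatch")
	}
	return nil
}

func main() {
	secret := []byte("constructed-demo-secret") // placeholder, not the value from hmac-secret.yaml
	exp := strconv.FormatInt(time.Now().Add(time.Hour).Unix(), 10)
	cookies := map[string]string{"OauthExpires": exp, "BearerToken": "ya29.constructed-token"}
	cookies["OauthHMAC"] = envoyHMAC(secret, exp, "backend.esodemoapp2.com", cookies["BearerToken"])
	fmt.Println("valid:", verifyEnvoyCookies(secret, "backend.esodemoapp2.com", cookies, time.Now()))
	cookies["BearerToken"] = "ya29.tampered"
	fmt.Println("tampered:", verifyEnvoyCookies(secret, "backend.esodemoapp2.com", cookies, time.Now()))
}
```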

Comments
  • Fixed typed_config and wrong pointer to envoy yaml config file

    The typed_config changed from type.googleapis.com/envoy.extensions.filters.http.oauth2.v3alpha.OAuth2 -> type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2.

    The instructions in the readme have the start command ./envoy --base-id 0 -c envoy.yaml, however no envoy.yaml exists in the project. It should be proxy.yaml.
