oidc: forward id token by zhaohuabing · Pull Request #8731 · envoyproxy/gateway

zhaohuabing · 2026-04-13T09:10:02Z

This PR adds support for forwarding OIDC ID tokens to upstream request headers via SecurityPolicy.spec.oidc.forwardIDToken.

Since the OAuth2 filte does not natively support ID token forwarding, a Lua filter is added to the HCM filter chain to copy the ID token from the cookie intto the Authorization or a custom header. We may switch this to the envoy oauth2 filter implementation later when ID token forwarding is directly supported in Envoy.

implement: #7343

netlify · 2026-04-13T09:10:10Z

✅ Deploy Preview for cerulean-figolla-1f9435 canceled.

Name	Link
🔨 Latest commit	`2f94aa9`
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69e62324386d8c0008e2f740

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 546bf57819

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

zhaohuabing · 2026-04-14T02:15:13Z

@codex

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 656eeb7c38

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

zhaohuabing · 2026-04-14T02:29:28Z

@codex

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d4beef0402

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

codecov · 2026-04-14T02:37:42Z

Codecov Report

❌ Patch coverage is 86.84211% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.44%. Comparing base (56cc3f7) to head (2f94aa9).
⚠️ Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/xds/translator/oidc.go	86.11%	5 Missing and 5 partials ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8731   +/-   ##
=======================================
  Coverage   74.43%   74.44%           
=======================================
  Files         245      245           
  Lines       38973    39046   +73     
=======================================
+ Hits        29010    29067   +57     
- Misses       7960     7971   +11     
- Partials     2003     2008    +5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

zhaohuabing · 2026-04-14T04:11:31Z

/retest

guydc · 2026-04-16T14:12:30Z

prefer to wait for upstream solution and not rely on lua extension being enabled.

zhaohuabing · 2026-04-20T07:32:55Z

prefer to wait for upstream solution and not rely on lua extension being enabled.

Hi @guydc this helps cover use cases where Lua can be enabled. I’m also planning to address this in a future Envoy release—unfortunately I didn’t have enough time to include it in v1.38.0. Once that’s available, we can switch EG to use the native Envoy implementation.

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> add e2e test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> add release note Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> fix test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> fix test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

zhaohuabing · 2026-04-21T01:43:48Z

/retest

zhaohuabing · 2026-04-22T05:41:45Z

Closing this and wait for a native Envoy implementation.

zhaohuabing · 2026-04-22T07:29:59Z

prefer to wait for upstream solution and not rely on lua extension being enabled.

Hi @guydc closing this PR and wait for the upstream native solution.

zhaohuabing requested a review from a team as a code owner April 13, 2026 09:10

zhaohuabing marked this pull request as draft April 13, 2026 09:10

chatgpt-codex-connector Bot reviewed Apr 13, 2026

View reviewed changes

Comment thread internal/xds/translator/oidc.go

Comment thread test/e2e/testdata/oidc-securitypolicy.yaml

zhaohuabing force-pushed the impl-forward-token-id branch 7 times, most recently from 4a0e676 to 78d4389 Compare April 14, 2026 02:10

zhaohuabing force-pushed the impl-forward-token-id branch from 78d4389 to 656eeb7 Compare April 14, 2026 02:16

zhaohuabing marked this pull request as ready for review April 14, 2026 02:16

zhaohuabing force-pushed the impl-forward-token-id branch from 656eeb7 to dd4ee8b Compare April 14, 2026 02:21

chatgpt-codex-connector Bot reviewed Apr 14, 2026

View reviewed changes

Comment thread internal/xds/translator/oidc.go Outdated

Comment thread internal/xds/translator/testdata/out/xds-ir/oidc.secrets.yaml

zhaohuabing requested a review from arkodg April 14, 2026 02:23

chatgpt-codex-connector Bot reviewed Apr 14, 2026

View reviewed changes

Comment thread internal/xds/translator/oidc.go

zhaohuabing force-pushed the impl-forward-token-id branch from d4beef0 to 3d8b269 Compare April 14, 2026 02:55

zhaohuabing added this to the v1.8.0-rc.1 Release milestone Apr 14, 2026

zhaohuabing added 5 commits April 20, 2026 20:22

address comments

3123a2d

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

address comments

b899338

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

address comments

1c5782e

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

fix lint

57e03ed

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

zhaohuabing force-pushed the impl-forward-token-id branch from 5db5cb6 to 57e03ed Compare April 20, 2026 12:22

update release note

2f94aa9

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

zhaohuabing force-pushed the impl-forward-token-id branch from 0a52ad0 to 2f94aa9 Compare April 20, 2026 12:59

zhaohuabing closed this Apr 22, 2026

Conversation

zhaohuabing commented Apr 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

netlify Bot commented Apr 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for cerulean-figolla-1f9435 canceled.

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

Uh oh!

zhaohuabing commented Apr 14, 2026

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

Uh oh!

zhaohuabing commented Apr 14, 2026

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

codecov Bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

zhaohuabing commented Apr 14, 2026

Uh oh!

guydc commented Apr 16, 2026

Uh oh!

zhaohuabing commented Apr 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

zhaohuabing commented Apr 21, 2026

Uh oh!

zhaohuabing commented Apr 22, 2026

Uh oh!

zhaohuabing commented Apr 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

zhaohuabing commented Apr 13, 2026 •

edited

Loading

netlify Bot commented Apr 13, 2026 •

edited

Loading

codecov Bot commented Apr 14, 2026 •

edited

Loading

zhaohuabing commented Apr 20, 2026 •

edited

Loading