oauth2: make CSRF and code verifier token expiration configurable (#39877)

update-envoy[bot] · update-envoy[bot] · commit 0dc4d20f12e9 · 2025-07-02T02:25:53.000Z
Commit Message: oauth2: make CSRF and code verifier token expiration configurable Additional Description: Currently, the OAuth2 filter hardcodes the values of the CSRF and code verifier tokens to `600s` (10 minutes) . This limits flexibility for use cases where: - Users need shorter expiration (e.g., high-security scenarios). - Users need longer expiration (e.g., backward-compatibility). This PR makes both tokens configurable, adding `default_csrf_token_expires_in` and `default_code_verifier_token_expires_in` fields to the OAuth2 filter configuration. Both default to ``600s`` (10 minutes) if not specified, keeping backward compatibility. Risk Level: Low Testing: Added tests for cases where uses sets the values of the new fields in the configuration. The default values are already tested in almost all the tests. Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Gustavo Moyano <gustavo.g.moyano@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ d7a588d5ccdfd9bcccad57dd9b764683017e0da1
diff --git a/envoy/extensions/filters/http/oauth2/v3/oauth.proto b/envoy/extensions/filters/http/oauth2/v3/oauth.proto
@@ -126,7 +126,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 24]
+// [#next-free-field: 26]
 message OAuth2Config {
   enum AuthType {
     // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -242,6 +242,18 @@ message OAuth2Config {
 
   // Optional additional prefix to use when emitting statistics.
   string stat_prefix = 22;
+
+  // Optional expiration time for the CSRF protection token cookie.
+  // The CSRF token prevents cross-site request forgery attacks during the OAuth2 flow.
+  // If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time
+  // for users to complete the OAuth2 authorization flow.
+  google.protobuf.Duration csrf_token_expires_in = 24;
+
+  // Optional expiration time for the code verifier cookie.
+  // The code verifier is stored in a secure, HTTP-only cookie during the OAuth2 authorization process.
+  // If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time
+  // for users to complete the OAuth2 authorization flow.
+  google.protobuf.Duration code_verifier_token_expires_in = 25;
 }
 
 // Filter config.
