oidc: set csrf token expiration (envoyproxy#7188)

zhaohuabing · web-flow · commit 193f5f78c482 · 2025-10-15T17:27:25.000+08:00
* set csrf token expiration

Signed-off-by: Huabing Zhao &lt;zhaohuabing@gmail.com&gt;

* support configuring CSRF Token TTL in the API

Signed-off-by: Huabing Zhao &lt;zhaohuabing@gmail.com&gt;

---------

Signed-off-by: Huabing Zhao &lt;zhaohuabing@gmail.com&gt;
diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go
@@ -130,6 +130,16 @@ type OIDC struct {
 	// +optional
 	DefaultRefreshTokenTTL *gwapiv1.Duration `json:"defaultRefreshTokenTTL,omitempty"`
 
+	// CSRFTokenTTL defines how long the CSRF token generated during the OAuth2 authorization flow remains valid.
+	//
+	// This duration determines the lifetime of the CSRF cookie, which is validated against the CSRF token
+	// in the "state" parameter when the provider redirects back to the callback endpoint.
+	//
+	// If omitted, Envoy Gateway defaults the token expiration to 10 minutes.
+	//
+	// +optional
+	CSRFTokenTTL *gwapiv1.Duration `json:"csrfTokenTTL,omitempty"`
+
 	// Disable token encryption. When set to true, both the access token and the ID token will be stored in plain text.
 	// This option should only be used in secure environments where token encryption is not required.
 	// Default is false (tokens are encrypted).
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -3958,6 +3958,16 @@ spec:
                           If not specified, defaults to "IdToken-(randomly generated uid)"
                         type: string
                     type: object
+                  csrfTokenTTL:
+                    description: |-
+                      CSRFTokenTTL defines how long the CSRF token generated during the OAuth2 authorization flow remains valid.
+
+                      This duration determines the lifetime of the CSRF cookie, which is validated against the CSRF token
+                      in the "state" parameter when the provider redirects back to the callback endpoint.
+
+                      If omitted, Envoy Gateway defaults the token expiration to 10 minutes.
+                    pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+                    type: string
                   defaultRefreshTokenTTL:
                     description: |-
                       DefaultRefreshTokenTTL is the default lifetime of the refresh token.
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -3957,6 +3957,16 @@ spec:
                           If not specified, defaults to "IdToken-(randomly generated uid)"
                         type: string
                     type: object
+                  csrfTokenTTL:
+                    description: |-
+                      CSRFTokenTTL defines how long the CSRF token generated during the OAuth2 authorization flow remains valid.
+
+                      This duration determines the lifetime of the CSRF cookie, which is validated against the CSRF token
+                      in the "state" parameter when the provider redirects back to the callback endpoint.
+
+                      If omitted, Envoy Gateway defaults the token expiration to 10 minutes.
+                    pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+                    type: string
                   defaultRefreshTokenTTL:
                     description: |-
                       DefaultRefreshTokenTTL is the default lifetime of the refresh token.
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -1221,12 +1221,24 @@ func (t *Translator) buildOIDC(
 	if oidc.DefaultTokenTTL != nil {
 		if d, err := time.ParseDuration(string(*oidc.DefaultTokenTTL)); err == nil {
 			irOIDC.DefaultTokenTTL = ir.MetaV1DurationPtr(d)
+		} else {
+			return nil, fmt.Errorf("invalid defaultTokenTTL: %w", err)
 		}
 	}
 
 	if oidc.DefaultRefreshTokenTTL != nil {
 		if d, err := time.ParseDuration(string(*oidc.DefaultRefreshTokenTTL)); err == nil {
 			irOIDC.DefaultRefreshTokenTTL = ir.MetaV1DurationPtr(d)
+		} else {
+			return nil, fmt.Errorf("invalid defaultRefreshTokenTTL: %w", err)
+		}
+	}
+
+	if oidc.CSRFTokenTTL != nil {
+		if d, err := time.ParseDuration(string(*oidc.CSRFTokenTTL)); err == nil {
+			irOIDC.CSRFTokenTTL = ir.MetaV1DurationPtr(d)
+		} else {
+			return nil, fmt.Errorf("invalid csrfTokenTTL: %w", err)
 		}
 	}
 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
@@ -99,6 +99,7 @@ securityPolicies:
       defaultTokenTTL: 30m
       refreshToken: true
       defaultRefreshTokenTTL: 24h
+      csrfTokenTTL: 35m
 - apiVersion: gateway.envoyproxy.io/v1alpha1
   kind: SecurityPolicy
   metadata:
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
@@ -200,6 +200,7 @@ securityPolicies:
         group: null
         kind: null
         name: client1-secret
+      csrfTokenTTL: 35m
       defaultRefreshTokenTTL: 24h
       defaultTokenTTL: 30m
       forwardAccessToken: true
@@ -361,6 +362,7 @@ xdsIR:
             clientID: client1.apps.googleusercontent.com
             clientSecret: '[redacted]'
             cookieSuffix: b0a1b740
+            csrfTokenTTL: 35m0s
             defaultRefreshTokenTTL: 24h0m0s
             defaultTokenTTL: 30m0s
             forwardAccessToken: true
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
@@ -1141,6 +1141,9 @@ type OIDC struct {
 	// DefaultRefreshTokenTTL is the default lifetime of the refresh token.
 	DefaultRefreshTokenTTL *metav1.Duration `json:"defaultRefreshTokenTTL,omitempty"`
 
+	// CSRFTokenTTL configures the lifetime of the csrf token Envoy stores in the cookie.
+	CSRFTokenTTL *metav1.Duration `json:"csrfTokenTTL,omitempty"`
+
 	// CookieSuffix will be added to the name of the cookies set by the oauth filter.
 	// Adding a suffix avoids multiple oauth filters from overwriting each other's cookies.
 	// These cookies are set by the oauth filter, including: AccessToken,
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go
diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go
@@ -231,6 +231,10 @@ func oauth2Config(securityFeatures *ir.SecurityFeatures) (*oauth2v3.OAuth2, erro
 		oauth2.Config.EndSessionEndpoint = *oidc.Provider.EndSessionEndpoint
 	}
 
+	if oidc.CSRFTokenTTL != nil {
+		oauth2.Config.CsrfTokenExpiresIn = durationpb.New(oidc.CSRFTokenTTL.Duration)
+	}
+
 	return oauth2, nil
 }
 
diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
@@ -42,6 +42,7 @@ http:
         defaultTokenTTL: 1h
         refreshToken: true
         defaultRefreshTokenTTL: 48h
+        csrfTokenTTL: 35m
   - name: "second-route"
     hostname: "*"
     pathMatch:
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml
@@ -44,6 +44,7 @@
                   sdsConfig:
                     ads: {}
                     resourceApiVersion: V3
+              csrfTokenExpiresIn: 2100s
               defaultExpiresIn: 3600s
               defaultRefreshTokenExpiresIn: 172800s
               forwardBearerToken: true
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
@@ -18,6 +18,7 @@ new features: |
   Added cacheDuration for remoteJWKS in SecurityPolicy.
   Added support for DisableTokenEncryption in OIDC authn to disable encryption of ID and access tokens stored in cookies.
   Added support for OCSP stapling in the listener TLS certificates.
+  Added support for CSRFTokenTTL in OIDC authn to configure the lifetime of the CSRF token used during the OAuth2 authorization code flow.
 
 bug fixes: |
   Fixed %ROUTE_KIND% operator to be lower-cased when used by clusterStatName in EnvoyProxy API.
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
@@ -3393,6 +3393,7 @@ _Appears in:_
 | `defaultTokenTTL` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ |  false  |  | DefaultTokenTTL is the default lifetime of the id token and access token.<br />Please note that Envoy will always use the expiry time from the response<br />of the authorization server if it is provided. This field is only used when<br />the expiry time is not provided by the authorization.<br />If not specified, defaults to 0. In this case, the "expires_in" field in<br />the authorization response must be set by the authorization server, or the<br />OAuth flow will fail. |
 | `refreshToken` | _boolean_ |  false  |  | RefreshToken indicates whether the Envoy should automatically refresh the<br />id token and access token when they expire.<br />When set to true, the Envoy will use the refresh token to get a new id token<br />and access token when they expire.<br />If not specified, defaults to false. |
 | `defaultRefreshTokenTTL` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ |  false  |  | DefaultRefreshTokenTTL is the default lifetime of the refresh token.<br />This field is only used when the exp (expiration time) claim is omitted in<br />the refresh token or the refresh token is not JWT.<br />If not specified, defaults to 604800s (one week).<br />Note: this field is only applicable when the "refreshToken" field is set to true. |
+| `csrfTokenTTL` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ |  false  |  | CSRFTokenTTL defines how long the CSRF token generated during the OAuth2 authorization flow remains valid.<br />This duration determines the lifetime of the CSRF cookie, which is validated against the CSRF token<br />in the "state" parameter when the provider redirects back to the callback endpoint.<br />If omitted, Envoy Gateway defaults the token expiration to 10 minutes. |
 | `disableTokenEncryption` | _boolean_ |  false  |  | Disable token encryption. When set to true, both the access token and the ID token will be stored in plain text.<br />This option should only be used in secure environments where token encryption is not required.<br />Default is false (tokens are encrypted). |
 | `passThroughAuthHeader` | _boolean_ |  false  |  | Skips OIDC authentication when the request contains a header that will be extracted by the JWT filter. Unless<br />explicitly stated otherwise in the extractFrom field, this will be the "Authorization: Bearer ..." header.<br />The passThroughAuthHeader option is typically used for non-browser clients that may not be able to handle OIDC<br />redirects and wish to directly supply a token instead.<br />If not specified, defaults to false. |
 
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml
@@ -44239,6 +44239,16 @@ spec:
                           If not specified, defaults to "IdToken-(randomly generated uid)"
                         type: string
                     type: object
+                  csrfTokenTTL:
+                    description: |-
+                      CSRFTokenTTL defines how long the CSRF token generated during the OAuth2 authorization flow remains valid.
+
+                      This duration determines the lifetime of the CSRF cookie, which is validated against the CSRF token
+                      in the "state" parameter when the provider redirects back to the callback endpoint.
+
+                      If omitted, Envoy Gateway defaults the token expiration to 10 minutes.
+                    pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+                    type: string
                   defaultRefreshTokenTTL:
                     description: |-
                       DefaultRefreshTokenTTL is the default lifetime of the refresh token.
diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
@@ -26927,6 +26927,16 @@ spec:
                           If not specified, defaults to "IdToken-(randomly generated uid)"
                         type: string
                     type: object
+                  csrfTokenTTL:
+                    description: |-
+                      CSRFTokenTTL defines how long the CSRF token generated during the OAuth2 authorization flow remains valid.
+
+                      This duration determines the lifetime of the CSRF cookie, which is validated against the CSRF token
+                      in the "state" parameter when the provider redirects back to the callback endpoint.
+
+                      If omitted, Envoy Gateway defaults the token expiration to 10 minutes.
+                    pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+                    type: string
                   defaultRefreshTokenTTL:
                     description: |-
                       DefaultRefreshTokenTTL is the default lifetime of the refresh token.

Original file line number	Diff line number	Diff line change
`@@ -1221,12 +1221,24 @@ func (t *Translator) buildOIDC(`
`1221`	`1221`	`if oidc.DefaultTokenTTL != nil {`
`1222`	`1222`	`if d, err := time.ParseDuration(string(*oidc.DefaultTokenTTL)); err == nil {`
`1223`	`1223`	`irOIDC.DefaultTokenTTL = ir.MetaV1DurationPtr(d)`
	`1224`	`+ } else {`
	`1225`	`+ return nil, fmt.Errorf("invalid defaultTokenTTL: %w", err)`
`1224`	`1226`	`}`
`1225`	`1227`	`}`
`1226`	`1228`
`1227`	`1229`	`if oidc.DefaultRefreshTokenTTL != nil {`
`1228`	`1230`	`if d, err := time.ParseDuration(string(*oidc.DefaultRefreshTokenTTL)); err == nil {`
`1229`	`1231`	`irOIDC.DefaultRefreshTokenTTL = ir.MetaV1DurationPtr(d)`
	`1232`	`+ } else {`
	`1233`	`+ return nil, fmt.Errorf("invalid defaultRefreshTokenTTL: %w", err)`
	`1234`	`+ }`
	`1235`	`+ }`
	`1236`	`+`
	`1237`	`+ if oidc.CSRFTokenTTL != nil {`
	`1238`	`+ if d, err := time.ParseDuration(string(*oidc.CSRFTokenTTL)); err == nil {`
	`1239`	`+ irOIDC.CSRFTokenTTL = ir.MetaV1DurationPtr(d)`
	`1240`	`+ } else {`
	`1241`	`+ return nil, fmt.Errorf("invalid csrfTokenTTL: %w", err)`
`1230`	`1242`	`}`
`1231`	`1243`	`}`
`1232`	`1244`
Original file line number	Diff line number	Diff line change
`@@ -231,6 +231,10 @@ func oauth2Config(securityFeatures ir.SecurityFeatures) (oauth2v3.OAuth2, erro`
`231`	`231`	`oauth2.Config.EndSessionEndpoint = *oidc.Provider.EndSessionEndpoint`
`232`	`232`	`}`
`233`	`233`
	`234`	`+ if oidc.CSRFTokenTTL != nil {`
	`235`	`+ oauth2.Config.CsrfTokenExpiresIn = durationpb.New(oidc.CSRFTokenTTL.Duration)`
	`236`	`+ }`
	`237`	`+`
`234`	`238`	`return oauth2, nil`
`235`	`239`	`}`
`236`	`240`