
feat: make OIDC passThroughAuthHeader and refreshToken configurable#430

Merged: jmpalomares merged 3 commits into main from chore/configurable-oidc-passthrough-refreshtoken on Apr 27, 2026

Conversation


@jmpalomares jmpalomares commented Apr 24, 2026

Summary

  • Expose envoy.security.passThroughAuthHeader and envoy.security.refreshToken (also per-policy via envoy.security.policies[].*) in the common SecurityPolicy template so services can match the proven graylog OIDC setup.
  • Defaults stay at passThroughAuthHeader: true / refreshToken: true to preserve prior behavior. Services hitting "JWT is missing" (e.g. arena) can opt into passThroughAuthHeader: false so unauthenticated requests are rejected at the gateway instead of forwarded.
  • Bumps: common 1.3.6 → 1.3.7, microservice 0.5.6 → 0.5.7, monolith 0.5.7 → 0.5.8.

Test plan

  • helm lint parcellab/microservice passes
  • helm template with default values renders passThroughAuthHeader: true and refreshToken: true
  • helm template with explicit overrides renders the supplied values
  • Deploy arena (PR parcelLab/arena#18) with microservice 0.5.7 + passThroughAuthHeader: false and confirm OIDC login works end-to-end

🤖 Generated with Claude Code

Expose envoy.security.passThroughAuthHeader and envoy.security.refreshToken
(also per-policy) so services can match the proven graylog OIDC setup.
Defaults change to passThroughAuthHeader: false and refreshToken: true,
which rejects unauthenticated requests at the gateway and keeps sessions
alive via refresh tokens.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 24, 2026 15:11
@jmpalomares jmpalomares requested review from a team as code owners April 24, 2026 15:11
@github-actions github-actions Bot added the yaml label Apr 24, 2026
Restore the previous hardcoded behavior as the default so that existing
services opt in to false explicitly when needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

This PR makes Envoy Gateway OIDC passThroughAuthHeader and refreshToken configurable (globally and per-policy) in the shared SecurityPolicy template, and bumps chart versions to publish the change.

Changes:

  • Add configurable envoy.security.passThroughAuthHeader / envoy.security.refreshToken with per-policy overrides in the common SecurityPolicy template.
  • Change rendered defaults to passThroughAuthHeader: false and refreshToken: true.
  • Bump chart versions: common 1.3.6 → 1.3.7, microservice 0.5.6 → 0.5.7, monolith 0.5.7 → 0.5.8.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
parcellab/common/templates/_securitypolicies.tpl Introduces per-policy/global config for OIDC passThroughAuthHeader and refreshToken, and renders them into the SecurityPolicy OIDC spec.
parcellab/common/Chart.yaml Bumps common library chart version to release the template change.
parcellab/microservice/Chart.yaml Bumps microservice chart version to consume the updated common chart.
parcellab/monolith/Chart.yaml Bumps monolith chart version to consume the updated common chart.

- Treat explicit null passThroughAuthHeader / refreshToken as unset so
  Helm does not render "<no value>" and break the SecurityPolicy YAML.
- Add commented examples for the new settings in microservice and
  monolith values.yaml.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
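An added example, not code from this repository, of the explicit-null failure the commit above describes: Go's text/template (which Helm builds on) prints a nil or missing value as the literal `<no value>`, and a nil-aware helper restores the intended defaults instead. The `setOr` function, the `Values` layout and the sample values are assumptions, not the chart's real schema.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Values stands in for the relevant slice of a chart's .Values (constructed sample).
type Values map[string]any

// Naive rendering: printing the raw value means an explicit `passThroughAuthHeader: null`
// (or a missing key) comes out as the literal text "<no value>", which is not valid YAML.
const naiveTpl = `oidc:
  passThroughAuthHeader: {{ .security.passThroughAuthHeader }}
  refreshToken: {{ .security.refreshToken }}
`

// Fixed rendering: an explicit null is treated exactly like an unset key and falls back
// to the previous hardcoded defaults (true / true) that the PR keeps for existing services.
const fixedTpl = `oidc:
  passThroughAuthHeader: {{ setOr .security.passThroughAuthHeader true }}
  refreshToken: {{ setOr .security.refreshToken true }}
`

// setOr returns v unless it is nil (missing key or explicit null), otherwise def.
// A truthiness-based helper such as Sprig's `default` would be wrong here: it treats an
// explicit false as empty and would silently flip passThroughAuthHeader back to true.
func setOr(v any, def bool) any {
	if v == nil {
		return def
	}
	return v
}

// render executes tpl against vals with the assumed setOr helper registered.
func render(tpl string, vals Values) (string, error) {
	t, err := template.New("securitypolicy").Funcs(template.FuncMap{"setOr": setOr}).Parse(tpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, vals); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed values.yaml equivalent: the operator wrote `passThroughAuthHeader: null`.
	vals := Values{"security": map[string]any{"passThroughAuthHeader": nil, "refreshToken": true}}
	for name, tpl := range map[string]string{"naive": naiveTpl, "fixed": fixedTpl} {
		out, err := render(tpl, vals)
		fmt.Printf("--- %s ---\n%s(err=%v)\n", name, out, err)
	}
}
```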
@jmpalomares jmpalomares merged commit 8eb5a1c into main Apr 27, 2026
3 checks passed
@jmpalomares jmpalomares deleted the chore/configurable-oidc-passthrough-refreshtoken branch April 27, 2026 08:25
4 participants