oauth2: per-route configuration#44235
Merged
Merged
Conversation
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
zhaohuabing
changed the title
zhaohuabing
force-pushed
the
oauth2-per-route-config
branch
from
5b6b4e6 to
4f3c568
Compare
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> format Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> update Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> update Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> fix test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> fix test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> improve the test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> fix test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> fix test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
zhaohuabing
force-pushed
the
oauth2-per-route-config
branch
2 times, most recently
from
c72f773 to
fbc27c6
Compare
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
zhaohuabing
force-pushed
the
oauth2-per-route-config
branch
from
fbc27c6 to
3bfa54c
Compare
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Member
Author
|
/retest |
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Member
Author
|
/retest |
Co-authored-by: code <wbphub@gmail.com> Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
zhaohuabing
force-pushed
the
oauth2-per-route-config
branch
from
0769628 to
b577f23
Compare
wbpcode
reviewed
Apr 8, 2026
Member
Author
|
/retest |
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
auto-merge was automatically disabled
April 8, 2026 08:24
Head branch was pushed to by a user without write access
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
zhaohuabing
force-pushed
the
oauth2-per-route-config
branch
from
093d434 to
9840fdd
Compare
zhaohuabing
force-pushed
the
oauth2-per-route-config
branch
from
9492657 to
85a4d9f
Compare
Member
Author
|
/retest |
wbpcode
approved these changes
Apr 9, 2026
nshipilov
pushed a commit
to nshipilov/envoy
that referenced
this pull request
Apr 13, 2026
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) !!!ATTENTION!!! Please check the [use of generative AI policy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md?plain=1#L41). You may use generative AI only if you fully understand the code. You need to disclose this usage in the PR description to ensure transparency. --> Commit Message: This PR adds per-route support for the OAuth2 filter. The OAuth2 filter is used in Envoy Gateway’s SecurityPolicy. Previously, Envoy Gateway created a separate OAuth2 filter per route on the HCM listener chain to achieve per-route behavior, which caused listener drains on SecurityPolicy create/update/delete. This change enables native per-route configuration and reduces listener churn. Additional Description: Risk Level: low Testing: the change is covered in unit tests, also manually verified with https://github.com/zhaohuabing/playground/tree/main/envoy/native-per-route-oauth2-oidc Docs Changes: The OAuth2 docs Release Notes: Yes Platform Specific Features: No [Optional Runtime guard:] No [Optional Fixes #Issue] Fixes envoyproxy#29641 [Optional Fixes commit #PR or SHA] [Optional Deprecated:] No [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: code <wbphub@gmail.com> Signed-off-by: Nick Shipilov <nick.shipilov.n@gmail.com>
krinkinmu
pushed a commit
to grnmeira/envoy
that referenced
this pull request
Apr 20, 2026
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) !!!ATTENTION!!! Please check the [use of generative AI policy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md?plain=1#L41). You may use generative AI only if you fully understand the code. You need to disclose this usage in the PR description to ensure transparency. --> Commit Message: This PR adds per-route support for the OAuth2 filter. The OAuth2 filter is used in Envoy Gateway’s SecurityPolicy. Previously, Envoy Gateway created a separate OAuth2 filter per route on the HCM listener chain to achieve per-route behavior, which caused listener drains on SecurityPolicy create/update/delete. This change enables native per-route configuration and reduces listener churn. Additional Description: Risk Level: low Testing: the change is covered in unit tests, also manually verified with https://github.com/zhaohuabing/playground/tree/main/envoy/native-per-route-oauth2-oidc Docs Changes: The OAuth2 docs Release Notes: Yes Platform Specific Features: No [Optional Runtime guard:] No [Optional Fixes #Issue] Fixes envoyproxy#29641 [Optional Fixes commit #PR or SHA] [Optional Deprecated:] No [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: code <wbphub@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit Message: This PR adds per-route support for the OAuth2 filter. The OAuth2 filter is used in Envoy Gateway’s SecurityPolicy. Previously, Envoy Gateway created a separate OAuth2 filter per route on the HCM listener chain to achieve per-route behavior, which caused listener drains on SecurityPolicy create/update/delete. This change enables native per-route configuration and reduces listener churn.
Additional Description:
Risk Level: low
Testing: the change is covered in unit tests, also manually verified with https://github.com/zhaohuabing/playground/tree/main/envoy/native-per-route-oauth2-oidc
Docs Changes: The OAuth2 docs
Release Notes: Yes
Platform Specific Features: No
[Optional Runtime guard:] No
[Optional Fixes #Issue] Fixes #29641
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:] No
[Optional API Considerations:]