skipper: create OIDC filters only when -oidc-secrets-file is provided (…

…#2185)

Updates #2184

Signed-off-by: Alexander Yastrebov <[email protected]>

Signed-off-by: Alexander Yastrebov <[email protected]>

config/config.go

@@ -476,7 +476,7 @@ func NewConfig() *Config {
 	flag.StringVar(&cfg.Oauth2TokeninfoSubjectKey, "oauth2-tokeninfo-subject-key", "uid", "sets the access token to a header on the request with this name")
 	flag.StringVar(&cfg.Oauth2TokenCookieName, "oauth2-token-cookie-name", "oauth2-grant", "sets the name of the cookie where the encrypted token is stored")
 	flag.DurationVar(&cfg.WebhookTimeout, "webhook-timeout", 2*time.Second, "sets the webhook request timeout duration")
-	flag.StringVar(&cfg.OidcSecretsFile, "oidc-secrets-file", "", "file storing the encryption key of the OID Connect token")
+	flag.StringVar(&cfg.OidcSecretsFile, "oidc-secrets-file", "", "file storing the encryption key of the OID Connect token. Enables OIDC filters")
 	flag.DurationVar(&cfg.OIDCCookieValidity, "oidc-cookie-validity", time.Hour, "sets the cookie expiry time to +1h for OIDC filters, in case no 'exp' claim is found in the JWT token")
 	flag.DurationVar(&cfg.OidcDistributedClaimsTimeout, "oidc-distributed-claims-timeout", 2*time.Second, "sets the default OIDC distributed claims request timeout duration to 2000ms")
 	flag.Var(cfg.CredentialPaths, "credentials-paths", "directories or files to watch for credentials to use by bearerinjector filter")

docs/reference/filters.md

@@ -1460,6 +1460,9 @@ Skipper arguments:
 | `-oauth2-tokeninfo-subject-key` | **yes** | the key of the attribute containing the OAuth2 subject ID in the OAuth2 provider's tokeninfo JSON payload. Default: `uid`. Example: `-oauth2-tokeninfo-subject-key=sub` |
 
 ### OpenID Connect
+
+To enable OpenID Connect filters use `-oidc-secrets-file` command line flag.
+
 #### oauthOidcUserInfo
 
 ```

skipper.go

@@ -1487,13 +1487,6 @@ func run(o Options, sig chan os.Signal, idleConnsCH chan struct{}) error {
 		Tracer:       tracer,
 	}
 
-	oo := auth.OidcOptions{
-		CookieValidity: o.OIDCCookieValidity,
-		Timeout:        o.OIDCDistributedClaimsTimeout,
-		MaxIdleConns:   o.IdleConnectionsPerHost,
-		Tracer:         tracer,
-	}
-
 	who := auth.WebhookOptions{
 		Timeout:      o.WebhookTimeout,
 		MaxIdleConns: o.IdleConnectionsPerHost,
@@ -1522,9 +1515,6 @@ func run(o Options, sig chan os.Signal, idleConnsCH chan struct{}) error {
 		auth.TokenintrospectionWithOptions(auth.NewSecureOAuthTokenintrospectionAnyKV, tio),
 		auth.TokenintrospectionWithOptions(auth.NewSecureOAuthTokenintrospectionAllKV, tio),
 		auth.WebhookWithOptions(who),
-		auth.NewOAuthOidcUserInfosWithOptions(o.OIDCSecretsFile, o.SecretsRegistry, oo),
-		auth.NewOAuthOidcAnyClaimsWithOptions(o.OIDCSecretsFile, o.SecretsRegistry, oo),
-		auth.NewOAuthOidcAllClaimsWithOptions(o.OIDCSecretsFile, o.SecretsRegistry, oo),
 		auth.NewOIDCQueryClaimsFilter(),
 		apiusagemonitoring.NewApiUsageMonitoring(
 			o.ApiUsageMonitoringEnable,
@@ -1535,6 +1525,21 @@ func run(o Options, sig chan os.Signal, idleConnsCH chan struct{}) error {
 		admissionControlFilter,
 	)
 
+	if o.OIDCSecretsFile != "" {
+		opts := auth.OidcOptions{
+			CookieValidity: o.OIDCCookieValidity,
+			Timeout:        o.OIDCDistributedClaimsTimeout,
+			MaxIdleConns:   o.IdleConnectionsPerHost,
+			Tracer:         tracer,
+		}
+
+		o.CustomFilters = append(o.CustomFilters,
+			auth.NewOAuthOidcUserInfosWithOptions(o.OIDCSecretsFile, o.SecretsRegistry, opts),
+			auth.NewOAuthOidcAnyClaimsWithOptions(o.OIDCSecretsFile, o.SecretsRegistry, opts),
+			auth.NewOAuthOidcAllClaimsWithOptions(o.OIDCSecretsFile, o.SecretsRegistry, opts),
+		)
+	}
+
 	var swarmer ratelimit.Swarmer
 	var redisOptions *skpnet.RedisOptions
 	log.Infof("enable swarm: %v", o.EnableSwarm)