envoyproxy/envoy

oauth2: configurable safety margin to expire cookies before the contained tokens expire

Open

#45,749 opened on Jun 22, 2026

Labels: area/oauth, enhancement, help wanted

Description:

Add a configurable safety margin to the OAuth2 HTTP filter so that the browser cookies it sets expire slightly earlier than the tokens they carry. This is the mirror of the jwt_authn filter's clock_skew_seconds. It shortens cookie validity so a request never arrives at the upstream.

This will prevent errors when the request processing takes seconds or a minute, and the upstream service invokes other services on behalf of the browser user, using the JWT injected by the OAuth2 filter. Using clock_skew_seconds does not help because the initial request gets accepted by the OAuth2 filter

A proposal:

  http_filters:
  - name: envoy.filters.http.oauth2
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
      config:
        # ...
        # Expire/treat the auth cookies as invalid this many seconds before the
        # contained token actually expires. Forces re-auth/refresh proactively.
        cookie_expiry_margin: 30s   # name TBD
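As an added illustration of the semantics the proposal describes (not code from the Envoy repository), the cookie Max-Age computation with the margin applied, clamped so a margin larger than the remaining token lifetime yields an immediately discarded cookie rather than a negative value, together with the matching receive-side check; the function names, the cookie name and the cookie attributes are assumptions:

```cpp
#include <algorithm>
#include <cstdint>
#include <string>

// Seconds since the Unix epoch, or a duration in seconds.
using Seconds = std::int64_t;

// Max-Age for the cookie carrying a token that is valid for
// `token_expires_in` more seconds: the cookie is set to vanish `margin`
// seconds before the token does. If the margin is at least the remaining
// token lifetime, Max-Age=0 tells the browser to discard the cookie at once,
// which forces re-auth/refresh instead of presenting a nearly expired token.
Seconds cookieMaxAge(Seconds token_expires_in, Seconds margin) {
  return std::max<Seconds>(0, token_expires_in - margin);
}

// Build a Set-Cookie header value with the margin applied. Cookie name and
// attributes here are assumptions for the example, not Envoy's own.
std::string setCookieHeader(const std::string& name, const std::string& value,
                            Seconds token_expires_in, Seconds margin) {
  return name + "=" + value +
         "; Max-Age=" + std::to_string(cookieMaxAge(token_expires_in, margin)) +
         "; HttpOnly; Secure; SameSite=Lax";
}

// Receive-side counterpart: a presented token is treated as invalid once
// fewer than `margin` seconds of validity remain, so a request accepted now
// still carries a valid token for the time the upstream needs to finish.
bool tokenStillUsable(Seconds now, Seconds token_exp, Seconds margin) {
  return token_exp - now > margin;
}
```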
