oauth2: configurable safety margin to expire cookies before the contained tokens expire
#45,749 opened on Jun 22, 2026
Description:
Add a configurable safety margin to the OAuth2 HTTP filter so that the browser cookies it sets expire slightly earlier than the tokens they carry. This is the mirror of the jwt_authn filter's clock_skew_seconds. It shortens cookie validity so a request never arrives at the upstream.
This will prevent errors when the request processing takes seconds or a minute, and the upstream service invokes other services on behalf of the browser user, using the JWT injected by the OAuth2 filter. Using clock_skew_seconds does not help because the initial request gets accepted by the OAuth2 filter.
A proposal:

```yaml
http_filters:
- name: envoy.filters.http.oauth2
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
    config:
      # ...
      # Expire/treat the auth cookies as invalid this many seconds before the
      # contained token actually expires. Forces re-auth/refresh proactively.
      cookie_expiry_margin: 30s  # name TBD
```
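A small model of the timing problem this proposal addresses, added here as an illustration and not Envoy code: the cookie's Max-Age is derived from the token's `exp` claim minus the margin, and a request is then classified by whether the filter rejects it or the upstream ends up holding an already-expired token. The demo JWT is constructed and unsigned; the function names (`cookie_max_age`, `request_outcome`) are hypothetical.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_jwt(exp: int) -> str:
    """Constructed, unsigned demo token; only the exp claim matters here."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": "demo-user", "exp": exp}).encode())
    return f"{header}.{payload}."


def jwt_exp(token: str) -> int:
    """Read the exp claim (unix seconds). No signature check here: the
    filter has already validated the token before it sets the cookie."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def cookie_max_age(token: str, now: int, margin_secs: int) -> int:
    """Max-Age for the auth cookie: remaining token lifetime minus the
    proposed margin, floored at 0 (a margin >= lifetime expires it at once)."""
    return max(0, jwt_exp(token) - now - margin_secs)


def request_outcome(token: str, cookie_issued_at: int, margin_secs: int,
                    request_at: int, processing_secs: int) -> str:
    """Classify a request: does the filter stop it, does the upstream finish
    with a still-valid token, or does the token expire mid-processing?"""
    cookie_expires = cookie_issued_at + cookie_max_age(token, cookie_issued_at, margin_secs)
    if request_at >= cookie_expires:
        return "rejected_by_filter"  # browser is sent to re-auth/refresh instead
    if request_at + processing_secs >= jwt_exp(token):
        return "token_expired_at_upstream"  # the failure the issue describes
    return "ok"


if __name__ == "__main__":
    issued, exp = 1_000_000, 1_003_600          # constructed: 1h token
    tok = make_demo_jwt(exp)
    # Same late request, 20s of processing: margin 0 fails upstream, margin 30 re-auths.
    print(request_outcome(tok, issued, 0, exp - 10, 20))
    print(request_outcome(tok, issued, 30, exp - 10, 20))
```

Choosing the margin at or above the longest expected request-processing time is what turns the upstream-side failure into a filter-side re-auth.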