oauth filter: set token cookies regardless of forward_bearer_token option and ability to disable bearertoken and refreshtoken cookie (#35839)

**Commit Message:**
oauth filter: set token cookies regardless of forward_bearer_token
option + ability to disable refreshtoken and bearertoken cookie

**Additional Description:**
Unconditionally set the BearerToken, IdToken, and RefreshToken cookies
in the response. The documentation of forward_bearer_token states
"Forward the OAuth token as a XXX to upstream web service." It's
confusing for this behavior to affect response cookies as well.

This change alone would set the raw bearer token in the client browser,
which is undesirable to some.

Therefore, further properties were introduced to disable single cookies,
if necessary:
* `disable_access_token_set_cookie`
* `disable_refresh_token_set_cookie`

As was done here: envoyproxy/envoy#33825

Risk Level: Low
Testing: Included
Docs Changes: N/A
Release Notes: Included
Platform Specific Features: N/A
Fixes: envoyproxy/envoy#32566

---------

Signed-off-by: Dennis Kniep <[email protected]>

Mirrored from https://github.com/envoyproxy/envoy @ 46e8da9d1b01ecf120d503bd0449a3041cb63399
update-envoy[bot] committed Sep 24, 2024
1 parent 2afb013 commit def3553
Showing 1 changed file with 15 additions and 3 deletions.
18 changes: 15 additions & 3 deletions envoy/extensions/filters/http/oauth2/v3/oauth.proto
@@ -84,7 +84,7 @@ message OAuth2Credentials {

// OAuth config
//
// [#next-free-field: 19]
// [#next-free-field: 21]
message OAuth2Config {
enum AuthType {
// The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -125,7 +125,7 @@ message OAuth2Config {
bool forward_bearer_token = 7;

// If set to true, preserve the existing authorization header.
// By default Envoy strips the existing authorization header before forwarding upstream.
// By default the client strips the existing authorization header before forwarding upstream.
// Can not be set to true if forward_bearer_token is already set to true.
// Default value is false.
bool preserve_authorization_header = 16;
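Review bot: the comment change on the `preserve_authorization_header` doc ("By default Envoy strips" to "By default the client strips") is unrelated to the cookie change described in the commit message and misattributes the behaviour: it is the OAuth2 filter that strips the existing authorization header before forwarding upstream, not the client. Keep the original wording or say "the filter". Separately, `forward_bearer_token = 7` appears in this hunk only as context; since the commit message calls its description confusing now that response cookies are set regardless of this option, its doc comment should be updated to state that it only controls forwarding of the token upstream and no longer affects which cookies are set.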
@@ -169,11 +169,23 @@ message OAuth2Config {
// This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``default_expires_in`` is used.
google.protobuf.Duration default_refresh_token_expires_in = 15;

// If set to true, Envoy will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID
// If set to true, the client will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID
// Token is too large for HTTP cookies (longer than 4096 characters). Enabling this option will only disable setting the cookie response header, the filter
// will still process incoming ID Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
// sessions would not set the IdToken cookie header.
bool disable_id_token_set_cookie = 17;

// If set to true, the client will not set a cookie for Access Token even if one is received from the Identity Provider.
// Enabling this option will only disable setting the cookie response header, the filter
// will still process incoming Access Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
// sessions would not set the Access Token cookie header.
bool disable_access_token_set_cookie = 19;

// If set to true, the client will not set a cookie for Refresh Token even if one is received from the Identity Provider.
// Enabling this option will only disable setting the cookie response header, the filter
// will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
// sessions would not set the Refresh Token cookie header.
bool disable_refresh_token_set_cookie = 20;
}

// Filter config.
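Review bot: the new fields `disable_access_token_set_cookie = 19` and `disable_refresh_token_set_cookie = 20` do not state their default, while a neighbouring option in this file does ("Default value is false." on `preserve_authorization_header`); because the default is false and this commit makes cookie setting unconditional, an unchanged configuration now stores the access and refresh tokens as browser cookies, which the commit message itself notes some find undesirable, so each comment should spell out the default and that consequence. The doc text is a copy of the `disable_id_token_set_cookie` comment and carries over details that do not fit: "the client will not set a cookie" should read "the filter" (it is the filter that emits the Set-Cookie response header), and the access and refresh tokens are issued by the authorization server's token endpoint rather than "received from the Identity Provider" as the ID Token is. Also name the affected cookies (the commit message calls them BearerToken and RefreshToken) so operators can map each option to a cookie, e.g. "If set to true, the filter will not set the ``BearerToken`` cookie even if an access token is received." Finally, `[#next-free-field: 21]` in the first hunk matches the two fields added here.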
