Sync Gloo APIs to v1.5.x (#68)

* Sync Gloo APIs to v1.5.x

Author: sam-heilbron

api/gloo/enterprise.gloo/v1/auth_config.proto

@@ -16,6 +16,7 @@ import "google/api/annotations.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
+import "google/protobuf/empty.proto";
 
 
 // This is the user-facing auth configuration. When processed by Gloo, certain configuration types (i.a. oauth, opa)
@@ -301,6 +302,34 @@ message HeaderConfiguration {
   string id_token_header = 1;
 }
 
+// The json web key set (JWKS) (https://tools.ietf.org/html/rfc7517) is discovered at an interval
+// from a remote source. When keys rotate in the remote source, there may be a delay in the
+// local source picking up those new keys. Therefore, a user could execute a request with a token
+// that has been signed by a key in the remote JWKS, but the local cache doesn't have the key yet.
+// The request would fail because the key isn't contained in the local set. Since most IdPs publish key
+// keys in their remote JWKS before they are used, this is not an issue most of the time.
+// This policy lets you define the behavior for when a user has a token with a key
+// not yet in the local cache.
+message JwksOnDemandCacheRefreshPolicy {
+  oneof policy {
+    // Never refresh the local JWKS cache on demand. If a key is not in the cache, it is assumed to be malicious.
+    // This is the default policy since we assume that IdPs publish keys before they rotate them,
+    // and frequent polling finds the newest keys.
+    google.protobuf.Empty never = 1;
+
+    // If a key is not in the cache, fetch the most recent keys from the IdP and update the cache.
+    // NOTE: This should only be done in trusted environments, since missing keys will each trigger
+    // a request to the IdP. Using this in an environment exposed to the internet will allow malicious agents to
+    // execute a DDoS attack by spamming protected endpoints with tokens signed by invalid keys.
+    google.protobuf.Empty always = 2;
+
+    // If a key is not in the cache, fetch the most recent keys from the IdP and update the cache.
+    // This value sets the number of requests to the IdP per polling interval. If that limit is exceeded,
+    // we will stop fetching from the IdP for the remainder of the polling interval.
+    uint32 max_idp_req_per_polling_interval = 3;
+  }
+}
+
 message OidcAuthorizationCode {
   // your client id as registered with the issuer
   string client_id = 1;
@@ -341,6 +370,12 @@ message OidcAuthorizationCode {
   // If not specified, the default value is 30 minutes.
   google.protobuf.Duration discovery_poll_interval = 12;
 
+  // If a user executes a request with a key that is not found in the JWKS, it could be
+  // that the keys have rotated on the remote source, and not yet in the local cache.
+  // This policy lets you define the behavior for how to refresh the local cache during a request
+  // where an invalid key is provided
+  JwksOnDemandCacheRefreshPolicy jwks_cache_refresh_policy = 13;
+
   // in the future we may implement this:
   // add optional configuration for validation of the access token received during the OIDC flow
   // AccessTokenValidation access_token_validation = 8;
@@ -545,6 +580,12 @@ message ExtAuthConfig {
     // If not specified, the default value is 30 minutes.
     google.protobuf.Duration discovery_poll_interval = 12;
 
+    // If a user executes a request with a key that is not found in the JWKS, it could be
+    // that the keys have rotated on the remote source, and not yet in the local cache.
+    // This policy lets you define the behavior for how to refresh the local cache during a request
+    // where an invalid key is provided
+    JwksOnDemandCacheRefreshPolicy jwks_cache_refresh_policy = 13;
+
     // in the future we may implement this:
     // add optional configuration for validation of the access token received during the OIDC flow
     // AccessTokenValidation access_token_validation = 8;