Drop skipperOauthOidc cookies in oauthOidc filter (#3465)

The `skipperOauthOidc` cookies are only intended for Skipper, so they
don't need to be forwarded to the application.

With this PR we simply drop those cookies before forwarding the request.
This will reduce the overall header size of requests.
The implementation is inspired by the [`oauthGrant`
filter](https://github.com/zalando/skipper/blob/6b448b1fe90cc113e365be8fba7cd6d122ad7a6d/filters/auth/grantcookie.go#L93-L100)

Closes #3459

Signed-off-by: Andreas Skorczyk <[email protected]>

Author: AndreasSko

Diff for: filters/auth/oidc.go

@@ -788,9 +788,14 @@ func (f *tokenOidcFilter) Request(ctx filters.FilterContext) {
 	)
 	r := ctx.Request()
 
-	for _, cookie := range r.Cookies() {
+	// Retrieve skipperOauthOidc cookie for processing and remove it from downstream request
+	rCookies := r.Cookies()
+	r.Header.Del("Cookie")
+	for _, cookie := range rCookies {
 		if strings.HasPrefix(cookie.Name, f.cookiename) {
 			cookies = append(cookies, cookie)
+		} else {
+			r.AddCookie(cookie)
 		}
 	}
 	sessionCookie := mergerCookies(cookies)

Diff for: filters/auth/oidc_test.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"cmp"
 	"compress/flate"
 	"crypto/rsa"
 	"crypto/x509"
@@ -62,6 +63,19 @@ func newInsecureCookieJar() *insecureCookieJar {
 }
 
 func (jar *insecureCookieJar) SetCookies(u *url.URL, cookies []*http.Cookie) {
+	cookieMap := make(map[string]*http.Cookie)
+	for _, c := range jar.store[u.Hostname()] {
+		cookieMap[c.Name] = c
+	}
+	for _, c := range cookies {
+		cookieMap[c.Name] = c
+	}
+
+	cookies = make([]*http.Cookie, 0, len(cookieMap))
+	for _, c := range cookieMap {
+		cookies = append(cookies, c)
+	}
+
 	jar.store[u.Hostname()] = cookies
 }
 func (jar *insecureCookieJar) Cookies(u *url.URL) []*http.Cookie {
@@ -705,6 +719,7 @@ func TestOIDCSetup(t *testing.T) {
 		hostname           string
 		filter             string
 		queries            []string
+		cookies            []*http.Cookie
 		expected           int
 		expectRequest      string
 		expectNoCookies    bool
@@ -859,11 +874,20 @@ func TestOIDCSetup(t *testing.T) {
 		filter:           `oauthOidcUserInfo("{{ .OIDCServerURL }}", "valid-client", "mysec", "{{ .RedirectURL }}", "", "")`,
 		expected:         200,
 		expectCookieName: "skipperOauthOidc",
+	}, {
+		msg:                "cookies should be forwarded",
+		hostname:           "skipper.test",
+		filter:             `oauthOidcUserInfo("{{ .OIDCServerURL }}", "valid-client", "mysec", "{{ .RedirectURL }}", "", "")`,
+		cookies:            []*http.Cookie{{Name: "please-forward", Value: "me", Domain: "skipper.test", MaxAge: 7200}},
+		expected:           200,
+		expectRequest:      "please-forward=me",
+		expectCookieDomain: "skipper.test",
 	}} {
 		t.Run(tc.msg, func(t *testing.T) {
 			backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				requestDump, _ := httputil.DumpRequest(r, false)
 				assert.Contains(t, string(requestDump), tc.expectRequest, "expected request not fulfilled")
+				assert.NotContains(t, string(requestDump), cmp.Or(tc.expectCookieName, oauthOidcCookieName), "oidc cookie should be dropped")
 				w.Write([]byte("OK"))
 			}))
 			defer backend.Close()
@@ -949,6 +973,7 @@ func TestOIDCSetup(t *testing.T) {
 				Timeout: 1 * time.Second,
 				Jar:     newInsecureCookieJar(),
 			}
+			client.Jar.SetCookies(reqURL, tc.cookies)
 
 			// trigger OpenID Connect Authorization Code Flow
 			resp, err := client.Do(req)