Drop skipperOauthOidc cookies in oauthOidc filter

The `skipperOauthOidc` cookies are
only intended for Skipper, so they
don't need to be forwarded to the
application.

With this PR we simply drop those
cookies before forwarding the
request.
This will reduce the overall
header size of requests.
The implementation is
inspired by the
[`oauthGrant` filter](https://github.com/zalando/skipper/blob/6b448b1fe90cc113e365be8fba7cd6d122ad7a6d/filters/auth/grantcookie.go#L93-L100)

Signed-off-by: Andreas Skorczyk <[email protected]>

Author: AndreasSko

filters/auth/oidc.go

@@ -788,9 +788,14 @@ func (f *tokenOidcFilter) Request(ctx filters.FilterContext) {
 	)
 	r := ctx.Request()
 
-	for _, cookie := range r.Cookies() {
+	// Retrieve skipperOauthOidc cookie for processing and remove it from downstream request
+	rCookies := r.Cookies()
+	r.Header.Del("Cookie")
+	for _, cookie := range rCookies {
 		if strings.HasPrefix(cookie.Name, f.cookiename) {
 			cookies = append(cookies, cookie)
+		} else {
+			r.AddCookie(cookie)
 		}
 	}
 	sessionCookie := mergerCookies(cookies)

filters/auth/oidc_test.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"cmp"
 	"compress/flate"
 	"crypto/rsa"
 	"crypto/x509"
@@ -718,6 +719,7 @@ func TestOIDCSetup(t *testing.T) {
 		hostname           string
 		filter             string
 		queries            []string
+		cookies            []*http.Cookie
 		expected           int
 		expectRequest      string
 		expectNoCookies    bool
@@ -872,11 +874,20 @@ func TestOIDCSetup(t *testing.T) {
 		filter:           `oauthOidcUserInfo("{{ .OIDCServerURL }}", "valid-client", "mysec", "{{ .RedirectURL }}", "", "")`,
 		expected:         200,
 		expectCookieName: "skipperOauthOidc",
+	}, {
+		msg:                "cookies should be forwarded",
+		hostname:           "skipper.test",
+		filter:             `oauthOidcUserInfo("{{ .OIDCServerURL }}", "valid-client", "mysec", "{{ .RedirectURL }}", "", "")`,
+		cookies:            []*http.Cookie{{Name: "please-forward", Value: "me", Domain: "skipper.test", MaxAge: 7200}},
+		expected:           200,
+		expectRequest:      "please-forward=me",
+		expectCookieDomain: "skipper.test",
 	}} {
 		t.Run(tc.msg, func(t *testing.T) {
 			backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				requestDump, _ := httputil.DumpRequest(r, false)
 				assert.Contains(t, string(requestDump), tc.expectRequest, "expected request not fulfilled")
+				assert.NotContains(t, string(requestDump), cmp.Or(tc.expectCookieName, oauthOidcCookieName), "oidc cookie should be dropped")
 				w.Write([]byte("OK"))
 			}))
 			defer backend.Close()
@@ -963,6 +974,10 @@ func TestOIDCSetup(t *testing.T) {
 				Jar:     newInsecureCookieJar(),
 			}
 
+			for _, c := range tc.cookies {
+				client.Jar.SetCookies(reqURL, []*http.Cookie{c})
+			}
+
 			// trigger OpenID Connect Authorization Code Flow
 			resp, err := client.Do(req)
 			if err != nil {