I've been trying to get this Envoy config working properly. I am attempting to use the OAuth client credentials injector to fetch a token from an endpoint that requires client TLS auth. I have the cluster configured as follows:
```yaml
- name: token_endpoint
  connect_timeout:
    seconds: 30
  type: STRICT_DNS
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      common_tls_context:
        tls_certificate_sds_secret_configs:
        - name: client_cert
        validation_context:
          trusted_ca:
            filename: /etc/ssl/certs/ca-certificates.crt
          match_typed_subject_alt_names:
          - san_type: DNS
            matcher:
              exact: token-provider
```
I also have the credentials injector configured like so:
```yaml
- name: envoy.filters.http.credential_injector
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
    allow_request_without_credential: false
    overwrite: true
    credential:
      name: envoy.http.injected_credentials.oauth2
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.oauth2.v3.OAuth2
        token_endpoint:
          cluster: token_endpoint
          timeout: 10s
          uri: ";
        scopes:
        - openid
        - nwapi
        client_credentials:
          client_id: <client_id>
          client_secret:
            name: client_secret
```
Secrets, for reference:
```yaml
secrets:
- name: client_secret
  generic_secret:
    secret:
      environment_variable: CLIENT_SECRET
- name: client_cert
  tls_certificate:
    certificate_chain:
      environment_variable: CLIENT_CERT
    private_key:
      environment_variable: CLIENT_KEY
```
Here's the error I get:
```
[2025-03-06 18:10:11.199][1][debug][connection] [source/common/tls/cert_validator/default_validator.cc:264] verify cert failed: SAN matcher
[2025-03-06 18:10:11.199][1][trace][connection] [source/common/tls/ssl_handshaker.cc:149] [Tags: "ConnectionId":"0"] ssl error occurred while read: SSL
[2025-03-06 18:10:11.199][1][debug][connection] [source/common/tls/ssl_socket.cc:248] [Tags: "ConnectionId":"0"] remote address:x.x.x.x:443,TLS_error:|268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end
```
Now I have verified that the upstream server certificate in question has a SAN that matches what I have here in the SAN matcher config. Furthermore, if I remove the match_typed_subject_alt_names (or if I remove the trusted_ca), it simply doesn't present the client certificates to the upstream host at all.
How is this config supposed to work?
I was expecting the credentials injector to successfully retrieve an OAuth token from the endpoint, as I've verified I can do this outside of Envoy.