OAuth2: Add samesite attribute support for all OAuth2 supported cookie types

[Yueren-Wang]

Commit Message: OAuth2: Add samesite attribute support for all OAuth2 supported cookie types

Additional Description: The SameSite attribute offers three values to control whether cookies are shared within the same site or across different sites. It's an optional setting, with a "Disabled" option that omits the SameSite attribute altogether. By default, this setting is disabled to ensure no changes are made to existing deployments, but operators now have the option to enable SameSite. The six cookies supporting SameSite attribute are:

bearer_token_cookie
hmac_cookie
expires_cookie
id_token_cookie
refresh_token_cookie
nonce_cookie
The samesite attribute value allowed are:

Strict
Lax
None
Disabled (Default, if no value is set in config)
The operator can also optionally do not specify any SameSite attributes for cookie. This will result DISABLED value to be set for all cookie's SameSite attribute value. in this case no same site attribute will be returned by filter.

The operator can also choose different same site attribute to be configured by different cookies. This means the SameSite attributes for different cookies listed above can be different. Also the operator can optionally specify SameSite attribute for some cookie but miss it for others. it is not mandatory to specify SameSite explicitly for all cookies

Risk Level: Medium
Testing: unit
Docs Changes: proto is documented
Release Notes: changelog entry added

[repokitteh-read-only]

CC @envoyproxy/coverage-shephards: FYI only for changes made to (test/per_file_coverage.sh).
envoyproxy/coverage-shephards assignee is @RyanTheOptimist
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @abeyad
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #37952 was opened by Yueren-Wang.

see: more, trace.

[RyanTheOptimist]

/assign @mattklein123
Since it's oauth related

[Yueren-Wang]

/retest

[Yueren-Wang]

/retest

[mattklein123]

LGTM at a high level modulo outstanding comments.

/wait

[abeyad]

/lgtm api

[Yueren-Wang]

/ptal @abeyad re-approve required, thx!

[Yueren-Wang]

/retest

[Yueren-Wang]

/ptal @mattklein123

[abeyad]

/lgtm api

you will also need @mattklein123 approval for the entirety of the PR

[mattklein123]

Sorry needs main merge, thanks.

/wait

[Yueren-Wang]

Sorry needs main merge, thanks.

/wait

just merged main. all CI passed

[Yueren-Wang]

/ptal @mattklein123 Hi matt, friendly ping again. really wanted to get this merged in to unblock ourselves.

[Yueren-Wang]

/retest