jwt: require logged in user to return .pomerium/jwt (#3809)

jwt: require logged in user to return .pomerium/jwt (#3807) * jwt: require logged in user to return .pomerium/jwt * fix test * update test Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2025-07-24 20:18:13 +02:00 · 2022-12-13 14:28:37 -07:00 · 2022-12-13 14:28:37 -07:00 · 0b3d4f3a6f
commit 0b3d4f3a6f
parent ebee7c7920
4 changed files with 24 additions and 5 deletions
--- a/proxy/handlers.go
+++ b/proxy/handlers.go
@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/url"

+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/gorilla/mux"

 	"github.com/pomerium/pomerium/internal/httputil"
@ -178,12 +179,25 @@ func (p *Proxy) ProgrammaticLogin(w http.ResponseWriter, r *http.Request) error

 // jwtAssertion returns the current request's JWT assertion (rfc7519#section-10.3.1).
 func (p *Proxy) jwtAssertion(w http.ResponseWriter, r *http.Request) error {
-	assertionJWT := r.Header.Get(httputil.HeaderPomeriumJWTAssertion)
-	if assertionJWT == "" {
+	rawAssertionJWT := r.Header.Get(httputil.HeaderPomeriumJWTAssertion)
+	if rawAssertionJWT == "" {
 		return httputil.NewError(http.StatusNotFound, errors.New("jwt not found"))
 	}
+
+	assertionJWT, err := jwt.ParseSigned(rawAssertionJWT)
+	if err != nil {
+		return httputil.NewError(http.StatusNotFound, errors.New("jwt not found"))
+	}
+
+	var dst struct {
+		Subject string `json:"sub"`
+	}
+	if assertionJWT.UnsafeClaimsWithoutVerification(&dst) != nil || dst.Subject == "" {
+		return httputil.NewError(http.StatusUnauthorized, errors.New("jwt not found"))
+	}
+
 	w.Header().Set("Content-Type", "application/jwt")
 	w.WriteHeader(http.StatusOK)
-	_, _ = io.WriteString(w, assertionJWT)
+	_, _ = io.WriteString(w, rawAssertionJWT)
 	return nil
 }