doc updates (#2433)

* remove reference to EdDSA, fix numbering, typo

* fix ppl example

* update jwt verification routes

* update kubernetes route

* update local oidc routes

* update mtls routes

* fix transmission policy

* policy -> routes

* update settings

* fix has

* update numbering
This commit is contained in:
Caleb Doxsey 2021-08-04 16:00:31 -06:00 committed by GitHub
parent 5332a752d0
commit 0d3ef4564e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 40 additions and 24 deletions

@ -12,7 +12,7 @@ This article describes how to retrieve a user's identity from a pomerium managed
To secure your app with signed headers, you'll need the following:
- An application you want users to connect to.
- A [JWT] library. We strongly recommend using `ES256` or `EdDSA` over `RSA` based algorithms which are often much faster. When in doubt, use `ES256`
- A [JWT] library. We strongly recommend using `ES256` over `RSA` based algorithms which are often much faster. When in doubt, use `ES256`
## Verification
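Review bot: the relative clause on the rewritten `+` line is ambiguous: "using `ES256` over `RSA` based algorithms which are often much faster" reads as though the RSA-based algorithms are the faster ones. Suggest "We strongly recommend using `ES256`, which is often much faster than `RSA`-based algorithms. When in doubt, use `ES256`." and close the sentence with a period.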
@ -69,7 +69,7 @@ $ curl https://authenticate.int.example.com/.well-known/pomerium/jwks.json | jq
Though you will very likely be verifying signed-headers programmatically in your application's middleware, and using a third-party JWT library, if you are new to JWT it may be helpful to show what manual verification looks like.
1\. Provide pomerium with a base64 encoded Elliptic Curve ([NIST P-256] aka [secp256r1] aka prime256v1) Private Key. In production, you'd likely want to get these from your KMS.
1. Provide pomerium with a base64 encoded Elliptic Curve ([NIST P-256] aka [secp256r1] aka prime256v1) Private Key. In production, you'd likely want to get these from your KMS.
```bash
# see ./scripts/generate_self_signed_signing_key.sh
@ -85,13 +85,13 @@ Copy the base64 encoded value of your private key to `pomerium-proxy`'s environm
SIGNING_KEY=ZxqyyIPPX0oWrrOwsxXgl0hHnTx3mBVhQ2kvW1YB4MM=
```
1. Reload `pomerium-proxy`. Navigate to httpbin (by default, `https://httpbin.corp.${YOUR-DOMAIN}.com`), and login as usual. Click **request inspection**. Select `/headers'. Click **try it out** and then **execute**. You should see something like the following.
1. Reload `pomerium-proxy`. Navigate to httpbin (by default, `https://httpbin.corp.${YOUR-DOMAIN}.com`), and login as usual. Click **request inspection**. Select `/headers`. Click **try it out** and then **execute**. You should see something like the following.
![httpbin displaying jwt headers](./img/inspect-headers.png)
1. `X-Pomerium-Jwt-Assertion` is the signature value. It's less scary than it looks and basically just a compressed, json blob as described above. Navigate to [jwt.io] which provides a helpful GUI to manually verify JWT values.
2. Paste the value of `X-Pomerium-Jwt-Assertion` header token into the `Encoded` form. You should notice that the decoded values look much more familiar.
1. Paste the value of `X-Pomerium-Jwt-Assertion` header token into the `Encoded` form. You should notice that the decoded values look much more familiar.
![httpbin displaying decoded jwt](./img/verifying-headers-1.png)
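Review bot: the unchanged line "`X-Pomerium-Jwt-Assertion` is the signature value" contradicts the sentence that follows it, which describes the header as a compressed JSON blob; the header carries the whole signed JWT, not only its signature, so "is the signed JWT" would be accurate while this list is being edited anyway. Renumbering both items to `1.` is fine with markdown auto-numbering; since the step has the reader paste the token into jwt.io, it would help to say this is meant for a token from a local test setup like the one above, not one issued by a production deployment.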

@ -39,7 +39,7 @@ routes:
- email:
is: contractor@not-example.com
- groups:
has: ["datascience@example.com"]
has: "datascience@example.com"
```
Notes:
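Review bot: the `+` line changes `has:` from a one-element list to a bare string, which is consistent with the scalar form `is:` uses two lines above; the Notes below should state that `has` takes a single value (and what the list form means, if it is still accepted), otherwise readers who copied the earlier list form will not know why it changed or whether their existing policy still parses.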