diff --git a/authorize/log.go b/authorize/log.go
index 691b378fc..78a1f799a 100644
--- a/authorize/log.go
+++ b/authorize/log.go
@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/rs/zerolog"
 
 	"github.com/pomerium/pomerium/authorize/evaluator"
@@ -161,6 +162,17 @@ func populateLogEvent(
 		return evt.Str(string(field), u.GetEmail())
 	case log.AuthorizeLogFieldHost:
 		return evt.Str(string(field), in.GetAttributes().GetRequest().GetHttp().GetHost())
+	case log.AuthorizeLogFieldIDToken:
+		if s, ok := s.(*session.Session); ok {
+			evt = evt.Str("id-token", s.GetIdToken().GetRaw())
+
+			if t, err := jwt.ParseSigned(s.GetIdToken().GetRaw()); err == nil {
+				var m map[string]any
+				_ = t.UnsafeClaimsWithoutVerification(&m)
+				evt = evt.Interface("id-token-claims", m)
+			}
+		}
+		return evt
 	case log.AuthorizeLogFieldImpersonateEmail:
 		if impersonateDetails != nil {
 			evt = evt.Str(string(field), impersonateDetails.email)
diff --git a/authorize/log_test.go b/authorize/log_test.go
index f6a8907e9..a52147d1f 100644
--- a/authorize/log_test.go
+++ b/authorize/log_test.go
@@ -46,6 +46,9 @@ func Test_populateLogEvent(t *testing.T) {
 	headers := map[string]string{"X-Request-Id": "CHECK-REQUEST-ID"}
 	s := &session.Session{
 		Id: "SESSION-ID",
+		IdToken: &session.IDToken{
+			Raw: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2OTAzMTU4NjIsImV4cCI6MTcyMTg1MTg2MiwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.AAojgaG0fjMFwMCAC6YALHHMFIZEedFSP_vMGhiHhso",
+		},
 	}
 	sa := &user.ServiceAccount{
 		Id: "SERVICE-ACCOUNT-ID",
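Review bot: The new `case log.AuthorizeLogFieldIDToken` branch writes the session's raw ID token verbatim into the authorize log, which turns every log sink into a store of replayable bearer credentials that stay valid until the token's `exp`; the parsed claims already serve the audit use case, so the raw value should either be dropped or be clearly documented as sensitive and opt-in. The same branch hardcodes the key as `"id-token"` where every sibling case uses `string(field)`, and it silently drops a `jwt.ParseSigned` failure, so a corrupt or non-JWT token leaves no trace of why `id-token-claims` is absent. Using `UnsafeClaimsWithoutVerification` is acceptable here because this is a log line and not an authorization decision, but a comment should say so, since the logged claims are otherwise easy to mistake for verified data. populateLogEvent starts and ends outside this hunk; the rewrite below keeps the raw value but names the risk, uses the field key, and records a parse failure instead of swallowing it.
```go
	case log.AuthorizeLogFieldIDToken:
		if sess, ok := s.(*session.Session); ok {
			raw := sess.GetIdToken().GetRaw()
			// The raw ID token is a bearer credential. This field is opt-in and must only
			// be enabled where the log sink is protected at least as well as the session store.
			evt = evt.Str(string(field), raw)
			if raw == "" {
				return evt
			}
			t, err := jwt.ParseSigned(raw)
			if err != nil {
				return evt.AnErr("id-token-parse-error", err)
			}
			var m map[string]any
			// Claims are logged for inspection only; the signature is deliberately not verified here.
			_ = t.UnsafeClaimsWithoutVerification(&m)
			return evt.Interface("id-token-claims", m)
		}
		return evt
```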
@@ -68,6 +71,7 @@ func Test_populateLogEvent(t *testing.T) {
 		{log.AuthorizeLogFieldCheckRequestID, s, `{"check-request-id":"CHECK-REQUEST-ID"}`},
 		{log.AuthorizeLogFieldEmail, s, `{"email":"EMAIL"}`},
 		{log.AuthorizeLogFieldHost, s, `{"host":"HOST"}`},
+		{log.AuthorizeLogFieldIDToken, s, `{"id-token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2OTAzMTU4NjIsImV4cCI6MTcyMTg1MTg2MiwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.AAojgaG0fjMFwMCAC6YALHHMFIZEedFSP_vMGhiHhso","id-token-claims":{"Email":"jrocket@example.com","GivenName":"Johnny","Role":["Manager","Project Administrator"],"Surname":"Rocket","aud":"www.example.com","exp":1721851862,"iat":1690315862,"iss":"Online JWT Builder","sub":"jrocket@example.com"}}`},
 		{log.AuthorizeLogFieldImpersonateEmail, s, `{"impersonate-email":"IMPERSONATE-EMAIL"}`},
 		{log.AuthorizeLogFieldImpersonateSessionID, s, `{"impersonate-session-id":"IMPERSONATE-SESSION-ID"}`},
 		{log.AuthorizeLogFieldImpersonateUserID, s, `{"impersonate-user-id":"IMPERSONATE-USER-ID"}`},
diff --git a/internal/log/authorize.go b/internal/log/authorize.go
index 0898e0939..1b12aca40 100644
--- a/internal/log/authorize.go
+++ b/internal/log/authorize.go
@@ -16,6 +16,7 @@ const (
 	AuthorizeLogFieldEmail AuthorizeLogField = "email"
 	AuthorizeLogFieldHeaders = AuthorizeLogField(headersFieldName)
 	AuthorizeLogFieldHost AuthorizeLogField = "host"
+	AuthorizeLogFieldIDToken AuthorizeLogField = "id-token"
 	AuthorizeLogFieldImpersonateEmail AuthorizeLogField = "impersonate-email"
 	AuthorizeLogFieldImpersonateSessionID AuthorizeLogField = "impersonate-session-id"
 	AuthorizeLogFieldImpersonateUserID AuthorizeLogField = "impersonate-user-id"
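Review bot: The new `AuthorizeLogFieldIDToken` table row only exercises the well-formed token path; there is no case for a session whose `IdToken` is nil or whose `Raw` is not a compact JWT, which is exactly where the `jwt.ParseSigned` error path in populateLogEvent decides what reaches the log. Reading the new code, a `&session.Session{Id: "SESSION-ID"}` input should produce the JSON `{"id-token":""}` with no claims key (parsing an empty string fails), and passing `sa` should produce `{}` because the type assertion on `*session.Session` fails; add both as rows so a later change cannot start logging a half-parsed or misattributed token unnoticed. The table's second column is typed outside this hunk, so confirm it accepts those values before adding the rows.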
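Review bot: `AuthorizeLogFieldIDToken` is the switch an operator flips to put raw ID tokens into the authorize log, and nothing at the declaration says so; none of the neighbouring constants in this hunk carry a per-line comment, but this is the only field whose value is a credential rather than an identifier. I would add above it `// AuthorizeLogFieldIDToken logs the session's raw ID token (a bearer credential) and its unverified claims; enable only where the log sink is protected like the session store.` The const block starts outside this hunk, so if it is documented by a single block comment the warning belongs there as well.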
@@ -63,6 +64,7 @@ var authorizeLogFieldLookup = map[AuthorizeLogField]struct{}{
 	AuthorizeLogFieldEmail: {},
 	AuthorizeLogFieldHeaders: {},
 	AuthorizeLogFieldHost: {},
+	AuthorizeLogFieldIDToken: {},
 	AuthorizeLogFieldImpersonateEmail: {},
 	AuthorizeLogFieldImpersonateSessionID: {},
 	AuthorizeLogFieldImpersonateUserID: {},