save session in the authorization request

internal/mcp/handler_authorization.go

@@ -2,11 +2,14 @@ package mcp
 
 import (
 	"errors"
+	"fmt"
 	"net/http"
 
+	"github.com/go-jose/go-jose/v3/jwt"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 
+	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/oauth21"
 )
@@ -20,7 +23,14 @@ func (srv *Handler) Authorize(w http.ResponseWriter, r *http.Request) {
 
 	ctx := r.Context()
 
-	v, err := oauth21.ParseCodeGrantAuthorizeRequest(r)
+	sessionID, err := getSessionFromRequest(r)
+	if err != nil {
+		log.Ctx(ctx).Error().Err(err).Msg("session is not present, this is a misconfigured request")
+		http.Error(w, "internal server error", http.StatusInternalServerError)
+		return
+	}
+
+	v, err := oauth21.ParseCodeGrantAuthorizeRequest(r, sessionID)
 	if err != nil {
 		log.Ctx(ctx).Error().Err(err).Msg("failed to parse authorization request")
 		oauth21.ErrorResponse(w, http.StatusBadRequest, oauth21.InvalidRequest)
@@ -55,3 +65,23 @@ func (srv *Handler) Authorize(w http.ResponseWriter, r *http.Request) {
 
 	http.Error(w, "not implemented", http.StatusNotImplemented)
 }
+
+func getSessionFromRequest(r *http.Request) (string, error) {
+	h := r.Header.Get(httputil.HeaderPomeriumJWTAssertion)
+	if h == "" {
+		return "", fmt.Errorf("missing %s header", httputil.HeaderPomeriumJWTAssertion)
+	}
+
+	token, err := jwt.ParseSigned(h)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse JWT: %w", err)
+	}
+	var m map[string]any
+	_ = token.UnsafeClaimsWithoutVerification(&m)
+	sessionID, ok := m["sid"].(string)
+	if !ok {
+		return "", fmt.Errorf("missing session ID in JWT")
+	}
+
+	return sessionID, nil
+}