authorize: return jwt claims in request headers (#688)

* authorize: refactor session loading, implement headers and query params * authorize: fix http recorder header, use constant for pomerium authorization header * fix compile * remove dead code * authorize: return jwt claims in request headers
2025-08-03 16:59:22 +02:00 · 2020-05-11 18:00:45 -06:00 · 2020-05-11 18:00:45 -06:00 · 5819bf1408
commit 5819bf1408
parent 352c2b851b
3 changed files with 99 additions and 17 deletions
--- a/authorize/session.go
+++ b/authorize/session.go
@ -1,10 +1,12 @@
 package authorize

 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"strings"

 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding"
@ -73,3 +75,38 @@ func getJWTSetCookieHeaders(cookieStore sessions.SessionStore, rawjwt []byte) (m
 	}
 	return hdrs, nil
 }
+
+func getJWTClaimHeaders(options config.Options, encoder encoding.MarshalUnmarshaler, rawjwt []byte) (map[string]string, error) {
+	var claims map[string]jwtClaim
+	err := encoder.Unmarshal(rawjwt, &claims)
+	if err != nil {
+		return nil, err
+	}
+
+	hdrs := make(map[string]string)
+	for _, name := range options.JWTClaimsHeaders {
+		if claim, ok := claims[name]; ok {
+			hdrs["x-pomerium-claim-"+name] = strings.Join(claim, ",")
+		}
+	}
+	return hdrs, nil
+}
+
+type jwtClaim []string
+
+func (claim *jwtClaim) UnmarshalJSON(bs []byte) error {
+	var raw interface{}
+	err := json.Unmarshal(bs, &raw)
+	if err != nil {
+		return err
+	}
+	switch obj := raw.(type) {
+	case []interface{}:
+		for _, el := range obj {
+			*claim = append(*claim, fmt.Sprint(el))
+		}
+	default:
+		*claim = append(*claim, fmt.Sprint(obj))
+	}
+	return nil
+}