3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 19:06:33 +02:00
Code Issues Projects Releases Packages Wiki Activity

authorize: log id token claims separately from id token (#4394)

Browse source
This commit is contained in:
Caleb Doxsey 2023-07-26 11:45:10 -06:00 committed by GitHub
parent 05c6de3642
commit 6c1416fc0f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
authorize/log.go
View file

@ -164,12 +164,15 @@ func populateLogEvent(
return evt.Str(string(field), in.GetAttributes().GetRequest().GetHttp().GetHost()) return evt.Str(string(field), in.GetAttributes().GetRequest().GetHttp().GetHost())
case log.AuthorizeLogFieldIDToken: case log.AuthorizeLogFieldIDToken:
if s, ok := s.(*session.Session); ok { if s, ok := s.(*session.Session); ok {
evt = evt.Str("id-token", s.GetIdToken().GetRaw()) evt = evt.Str(string(field), s.GetIdToken().GetRaw())
}
return evt
case log.AuthorizeLogFieldIDTokenClaims:
if s, ok := s.(*session.Session); ok {
if t, err := jwt.ParseSigned(s.GetIdToken().GetRaw()); err == nil { if t, err := jwt.ParseSigned(s.GetIdToken().GetRaw()); err == nil {
var m map[string]any var m map[string]any
_ = t.UnsafeClaimsWithoutVerification(&m) _ = t.UnsafeClaimsWithoutVerification(&m)
evt = evt.Interface("id-token-claims", m) evt = evt.Interface(string(field), m)
} }
} }
return evt return evt

3
authorize/log_test.go
View file

@ -71,7 +71,8 @@ func Test_populateLogEvent(t *testing.T) {
{log.AuthorizeLogFieldCheckRequestID, s, `{"check-request-id":"CHECK-REQUEST-ID"}`}, {log.AuthorizeLogFieldCheckRequestID, s, `{"check-request-id":"CHECK-REQUEST-ID"}`},
{log.AuthorizeLogFieldEmail, s, `{"email":"EMAIL"}`}, {log.AuthorizeLogFieldEmail, s, `{"email":"EMAIL"}`},
{log.AuthorizeLogFieldHost, s, `{"host":"HOST"}`}, {log.AuthorizeLogFieldHost, s, `{"host":"HOST"}`},
{log.AuthorizeLogFieldIDToken, s, `{"id-token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2OTAzMTU4NjIsImV4cCI6MTcyMTg1MTg2MiwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.AAojgaG0fjMFwMCAC6YALHHMFIZEedFSP_vMGhiHhso","id-token-claims":{"Email":"jrocket@example.com","GivenName":"Johnny","Role":["Manager","Project Administrator"],"Surname":"Rocket","aud":"www.example.com","exp":1721851862,"iat":1690315862,"iss":"Online JWT Builder","sub":"jrocket@example.com"}}`}, {log.AuthorizeLogFieldIDToken, s, `{"id-token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2OTAzMTU4NjIsImV4cCI6MTcyMTg1MTg2MiwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.AAojgaG0fjMFwMCAC6YALHHMFIZEedFSP_vMGhiHhso"}`},
{log.AuthorizeLogFieldIDTokenClaims, s, `{"id-token-claims":{"Email":"jrocket@example.com","GivenName":"Johnny","Role":["Manager","Project Administrator"],"Surname":"Rocket","aud":"www.example.com","exp":1721851862,"iat":1690315862,"iss":"Online JWT Builder","sub":"jrocket@example.com"}}`},
{log.AuthorizeLogFieldImpersonateEmail, s, `{"impersonate-email":"IMPERSONATE-EMAIL"}`}, {log.AuthorizeLogFieldImpersonateEmail, s, `{"impersonate-email":"IMPERSONATE-EMAIL"}`},
{log.AuthorizeLogFieldImpersonateSessionID, s, `{"impersonate-session-id":"IMPERSONATE-SESSION-ID"}`}, {log.AuthorizeLogFieldImpersonateSessionID, s, `{"impersonate-session-id":"IMPERSONATE-SESSION-ID"}`},
{log.AuthorizeLogFieldImpersonateUserID, s, `{"impersonate-user-id":"IMPERSONATE-USER-ID"}`}, {log.AuthorizeLogFieldImpersonateUserID, s, `{"impersonate-user-id":"IMPERSONATE-USER-ID"}`},

2
internal/log/authorize.go
View file

@ -17,6 +17,7 @@ const (
AuthorizeLogFieldHeaders = AuthorizeLogField(headersFieldName) AuthorizeLogFieldHeaders = AuthorizeLogField(headersFieldName)
AuthorizeLogFieldHost AuthorizeLogField = "host" AuthorizeLogFieldHost AuthorizeLogField = "host"
AuthorizeLogFieldIDToken AuthorizeLogField = "id-token" AuthorizeLogFieldIDToken AuthorizeLogField = "id-token"
AuthorizeLogFieldIDTokenClaims AuthorizeLogField = "id-token-claims"
AuthorizeLogFieldImpersonateEmail AuthorizeLogField = "impersonate-email" AuthorizeLogFieldImpersonateEmail AuthorizeLogField = "impersonate-email"
AuthorizeLogFieldImpersonateSessionID AuthorizeLogField = "impersonate-session-id" AuthorizeLogFieldImpersonateSessionID AuthorizeLogField = "impersonate-session-id"
AuthorizeLogFieldImpersonateUserID AuthorizeLogField = "impersonate-user-id" AuthorizeLogFieldImpersonateUserID AuthorizeLogField = "impersonate-user-id"
@ -65,6 +66,7 @@ var authorizeLogFieldLookup = map[AuthorizeLogField]struct{}{
AuthorizeLogFieldHeaders: {}, AuthorizeLogFieldHeaders: {},
AuthorizeLogFieldHost: {}, AuthorizeLogFieldHost: {},
AuthorizeLogFieldIDToken: {}, AuthorizeLogFieldIDToken: {},
AuthorizeLogFieldIDTokenClaims: {},
AuthorizeLogFieldImpersonateEmail: {}, AuthorizeLogFieldImpersonateEmail: {},
AuthorizeLogFieldImpersonateSessionID: {}, AuthorizeLogFieldImpersonateSessionID: {},
AuthorizeLogFieldImpersonateUserID: {}, AuthorizeLogFieldImpersonateUserID: {},