authorize: use jwt insead of state struct (#514)

authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-08-03 16:59:22 +02:00 · 2020-03-10 11:19:26 -07:00 · 2020-03-10 11:19:26 -07:00 · 8d1732582e
commit 8d1732582e
parent a477af9378
61 changed files with 1083 additions and 1264 deletions
--- a/internal/encoding/jws/jws.go
+++ b/internal/encoding/jws/jws.go
@ -3,9 +3,6 @@
 package jws // import "github.com/pomerium/pomerium/internal/encoding/jws"

 import (
-	"encoding/base64"
-
-	"github.com/pomerium/pomerium/internal/cryptutil"
 	"github.com/pomerium/pomerium/internal/encoding"

 	jose "gopkg.in/square/go-jose.v2"
@ -31,30 +28,6 @@ func NewHS256Signer(key []byte, issuer string) (encoding.MarshalUnmarshaler, err
 	return &JSONWebSigner{Signer: sig, key: key, Issuer: issuer}, nil
 }

-// NewES256Signer creates a NIST P-256 (aka secp256r1 aka prime256v1) JWT signer
-// from a base64 encoded private key.
-//
-// RSA is not supported due to performance considerations of needing to sign each request.
-// Go's P-256 is constant-time and SHA-256 is faster on 64-bit machines and immune
-// to length extension attacks.
-// See : https://cloud.google.com/iot/docs/how-tos/credentials/keys
-func NewES256Signer(privKey, issuer string) (*JSONWebSigner, error) {
-	decodedSigningKey, err := base64.StdEncoding.DecodeString(privKey)
-	if err != nil {
-		return nil, err
-	}
-	key, err := cryptutil.DecodePrivateKey(decodedSigningKey)
-	if err != nil {
-		return nil, err
-	}
-	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: key},
-		(&jose.SignerOptions{}).WithType("JWT"))
-	if err != nil {
-		return nil, err
-	}
-	return &JSONWebSigner{Signer: sig, key: key, Issuer: issuer}, nil
-}
-
 // Marshal signs, and serializes a JWT.
 func (c *JSONWebSigner) Marshal(x interface{}) ([]byte, error) {
 	s, err := jwt.Signed(c.Signer).Claims(x).CompactSerialize()