authorize: add support for passing access or id token upstream (#3047)

* authorize: add support for passing access or id token upstream

* use an enum

authorize/evaluator/headers_evaluator.go

@@ -12,6 +12,7 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
 )
 
 // HeadersRequest is the input to the headers.rego script.
@@ -22,6 +23,8 @@ type HeadersRequest struct {
 	KubernetesServiceAccountToken             string         `json:"kubernetes_service_account_token"`
 	ToAudience                                string         `json:"to_audience"`
 	Session                                   RequestSession `json:"session"`
+	PassAccessToken                           bool           `json:"pass_access_token"`
+	PassIDToken                               bool           `json:"pass_id_token"`
 }
 
 // NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
@@ -37,6 +40,8 @@ func NewHeadersRequestFromPolicy(policy *config.Policy) *HeadersRequest {
 	for _, wu := range policy.To {
 		input.ToAudience = "https://" + wu.URL.Hostname()
 	}
+	input.PassAccessToken = policy.GetSetAuthorizationHeader() == configpb.Route_ACCESS_TOKEN
+	input.PassIDToken = policy.GetSetAuthorizationHeader() == configpb.Route_ID_TOKEN
 	return input
 }
 

authorize/evaluator/headers_evaluator_test.go

@@ -106,4 +106,40 @@ func TestHeadersEvaluator(t *testing.T) {
 		assert.Equal(t, "u2", claims["sub"], "should set subject to user id")
 		assert.Equal(t, "u2", claims["user"], "should set user to user id")
 	})
+
+	t.Run("access token", func(t *testing.T) {
+		output, err := eval(t,
+			[]proto.Message{
+				&session.Session{Id: "s1", OauthToken: &session.OAuthToken{
+					AccessToken: "ACCESS_TOKEN",
+				}},
+			},
+			&HeadersRequest{
+				FromAudience:    "from.example.com",
+				ToAudience:      "to.example.com",
+				Session:         RequestSession{ID: "s1"},
+				PassAccessToken: true,
+			})
+		require.NoError(t, err)
+
+		assert.Equal(t, "Bearer ACCESS_TOKEN", output.Headers.Get("Authorization"))
+	})
+
+	t.Run("id token", func(t *testing.T) {
+		output, err := eval(t,
+			[]proto.Message{
+				&session.Session{Id: "s1", IdToken: &session.IDToken{
+					Raw: "ID_TOKEN",
+				}},
+			},
+			&HeadersRequest{
+				FromAudience: "from.example.com",
+				ToAudience:   "to.example.com",
+				Session:      RequestSession{ID: "s1"},
+				PassIDToken:  true,
+			})
+		require.NoError(t, err)
+
+		assert.Equal(t, "Bearer ID_TOKEN", output.Headers.Get("Authorization"))
+	})
 }

authorize/evaluator/opa/policy/headers.rego

@@ -8,6 +8,8 @@ package pomerium.headers
 #   session:
 #     id: string
 #   to_audience: string
+#   pass_access_token: boolean
+#   pass_id_token: boolean
 #
 # data:
 #   issuer: string
@@ -153,7 +155,7 @@ base_jwt_claims := [
 	["user", jwt_payload_user],
 	["email", jwt_payload_email],
 	["groups", jwt_payload_groups],
-	["sid", jwt_payload_sid]
+	["sid", jwt_payload_sid],
 ]
 
 additional_jwt_claims := [[k, v] |
@@ -208,12 +210,24 @@ google_cloud_serverless_headers = h {
 }
 
 routing_key_headers = h {
-    input.enable_routing_key
-    h := [
-        ["x-pomerium-routing-key", crypto.sha256(input.session.id)]
-    ]
+	input.enable_routing_key
+	h := [["x-pomerium-routing-key", crypto.sha256(input.session.id)]]
 } else = [] {
-    true
+	true
+}
+
+pass_access_token_headers = h {
+	input.pass_access_token
+	h := [["Authorization", concat(" ", ["Bearer", session.oauth_token.access_token])]]
+} else = [] {
+	true
+}
+
+pass_id_token_headers = h {
+	input.pass_id_token
+	h := [["Authorization", concat(" ", ["Bearer", session.id_token.raw])]]
+} else = [] {
+	true
 }
 
 identity_headers := {key: values |
@@ -226,16 +240,19 @@ identity_headers := {key: values |
 				[ck, cv] := jwt_claims[_]
 				ck == k
 			],
-			[""]
+			[""],
 		)[0]
+
 		header_value := get_header_string_value(raw_header_value)
 	]
 
 	h3 := kubernetes_headers
 	h4 := [[k, v] | v := google_cloud_serverless_headers[k]]
 	h5 := routing_key_headers
+	h6 := pass_access_token_headers
+	h7 := pass_id_token_headers
 
-	h := array.concat(array.concat(array.concat(array.concat(h1, h2), h3), h4), h5)
+	h := array.concat(array.concat(array.concat(array.concat(array.concat(array.concat(h1, h2), h3), h4), h5), h6), h7)
 
 	some i
 	[key, v1] := h[i]