authorize: add sid to JWT claims (#2420)

* authorize: add sid to JWT claims * fix import ordering
2025-04-28 18:06:34 +02:00 · 2021-08-02 16:11:05 -06:00 · 2021-08-02 16:11:05 -06:00 · a64e5b5fa1
commit a64e5b5fa1
parent 97af64df60
2 changed files with 13 additions and 2 deletions
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@ -14,6 +14,7 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 )
 func TestHeadersEvaluator(t *testing.T) {
@ -41,10 +42,16 @@ func TestHeadersEvaluator(t *testing.T) {
 	t.Run("jwt", func(t *testing.T) {
 		output, err := eval(t,
-			[]proto.Message{},
+			[]proto.Message{
 				&session.Session{Id: "s1", ImpersonateSessionId: proto.String("s2")},
 				&session.Session{Id: "s2"},
 			},
 			&HeadersRequest{
 				FromAudience: "from.example.com",
 				ToAudience:   "to.example.com",
 				Session: RequestSession{
 					ID: "s1",
 				},
 			})
 		require.NoError(t, err)
@ -56,8 +63,8 @@ func TestHeadersEvaluator(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, claims["exp"], math.Round(claims["exp"].(float64)))
 		assert.LessOrEqual(t, claims["exp"], float64(time.Now().Add(time.Minute*6).Unix()),
 			"JWT should expire within 5 minutes, but got: %v", claims["exp"])
 		assert.Equal(t, "s1", claims["sid"], "should set session id to input session id")
 	})
 }
--- a/authorize/evaluator/opa/policy/headers.rego
+++ b/authorize/evaluator/opa/policy/headers.rego
@ -139,6 +139,9 @@ jwt_payload_groups = v {
 	true
 }
 # the session id is always set to the input session id, even if impersonating
 jwt_payload_sid := input.session.id
 base_jwt_claims := [
 	["iss", jwt_payload_iss],
 	["aud", jwt_payload_aud],
@ -149,6 +152,7 @@ base_jwt_claims := [
 	["user", jwt_payload_user],
 	["email", jwt_payload_email],
 	["groups", jwt_payload_groups],
 	["sid", jwt_payload_sid]
 ]
 additional_jwt_claims := [[k, v] |