From a70254ab76baf97a217b3e357d0f49bf3a1263fc Mon Sep 17 00:00:00 2001
From: Caleb Doxsey <cdoxsey@pomerium.com>
Date: Tue, 14 Jul 2020 08:33:24 -0600
Subject: [PATCH] kubernetes apiserver integration (#1063)

* sessions: support bearer tokens in authorization

* wip

* remove dead code

* refactor signed jwt code

* use function

* update per comments

* fix test
---
 authorize/check_response.go                   | 34 +++++--
 authorize/evaluator/evaluator.go              | 99 +++++++++++++------
 authorize/evaluator/evaluator_test.go         |  4 +-
 authorize/evaluator/opa/policy/authz.rego     |  7 +-
 authorize/evaluator/opa/policy/statik.go      |  2 +-
 authorize/grpc.go                             |  2 +-
 config/policy.go                              |  3 +
 go.sum                                        |  9 --
 internal/sessions/header/header_store.go      | 14 ++-
 internal/sessions/header/header_store_test.go | 23 +++++
 10 files changed, 140 insertions(+), 57 deletions(-)
 create mode 100644 internal/sessions/header/header_store_test.go

diff --git a/authorize/check_response.go b/authorize/check_response.go
index 91e71a533..cf8109455 100644
--- a/authorize/check_response.go
+++ b/authorize/check_response.go
@@ -9,6 +9,7 @@ import (
 	envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
 	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
 	envoy_type "github.com/envoyproxy/go-control-plane/envoy/type"
+	"github.com/golang/protobuf/ptypes/wrappers"
 	"google.golang.org/genproto/googleapis/rpc/status"
 	"google.golang.org/grpc/codes"
 
@@ -25,7 +26,9 @@ func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v2.C
 	}
 
 	requestHeaders = append(requestHeaders,
-		mkHeader(httputil.HeaderPomeriumJWTAssertion, reply.SignedJWT))
+		mkHeader(httputil.HeaderPomeriumJWTAssertion, reply.SignedJWT, false))
+
+	requestHeaders = append(requestHeaders, getKubernetesHeaders(reply)...)
 
 	return &envoy_service_auth_v2.CheckResponse{
 		Status: &status.Status{Code: int32(codes.OK), Message: "OK"},
@@ -82,10 +85,10 @@ func (a *Authorize) htmlDeniedResponse(code int32, reason string, headers map[st
 	}
 
 	envoyHeaders := []*envoy_api_v2_core.HeaderValueOption{
-		mkHeader("Content-Type", "text/html"),
+		mkHeader("Content-Type", "text/html", false),
 	}
 	for k, v := range headers {
-		envoyHeaders = append(envoyHeaders, mkHeader(k, v))
+		envoyHeaders = append(envoyHeaders, mkHeader(k, v, false))
 	}
 
 	return &envoy_service_auth_v2.CheckResponse{
@@ -104,10 +107,10 @@ func (a *Authorize) htmlDeniedResponse(code int32, reason string, headers map[st
 
 func (a *Authorize) plainTextDeniedResponse(code int32, reason string, headers map[string]string) *envoy_service_auth_v2.CheckResponse {
 	envoyHeaders := []*envoy_api_v2_core.HeaderValueOption{
-		mkHeader("Content-Type", "text/plain"),
+		mkHeader("Content-Type", "text/plain", false),
 	}
 	for k, v := range headers {
-		envoyHeaders = append(envoyHeaders, mkHeader(k, v))
+		envoyHeaders = append(envoyHeaders, mkHeader(k, v, false))
 	}
 
 	return &envoy_service_auth_v2.CheckResponse{
@@ -138,11 +141,30 @@ func (a *Authorize) redirectResponse(in *envoy_service_auth_v2.CheckRequest) *en
 	})
 }
 
-func mkHeader(k, v string) *envoy_api_v2_core.HeaderValueOption {
+func getKubernetesHeaders(reply *evaluator.Result) []*envoy_api_v2_core.HeaderValueOption {
+	var requestHeaders []*envoy_api_v2_core.HeaderValueOption
+	if reply.MatchingPolicy != nil && reply.MatchingPolicy.KubernetesServiceAccountToken != "" {
+		requestHeaders = append(requestHeaders,
+			mkHeader("Authorization", "Bearer "+reply.MatchingPolicy.KubernetesServiceAccountToken, false))
+
+		if reply.UserEmail != "" {
+			requestHeaders = append(requestHeaders, mkHeader("Impersonate-User", reply.UserEmail, false))
+		}
+		for _, group := range reply.UserGroups {
+			requestHeaders = append(requestHeaders, mkHeader("Impersonate-Group", group, true))
+		}
+	}
+	return requestHeaders
+}
+
+func mkHeader(k, v string, shouldAppend bool) *envoy_api_v2_core.HeaderValueOption {
 	return &envoy_api_v2_core.HeaderValueOption{
 		Header: &envoy_api_v2_core.HeaderValue{
 			Key:   k,
 			Value: v,
 		},
+		Append: &wrappers.BoolValue{
+			Value: shouldAppend,
+		},
 	}
 }
diff --git a/authorize/evaluator/evaluator.go b/authorize/evaluator/evaluator.go
index 07726ce20..fc783ca33 100644
--- a/authorize/evaluator/evaluator.go
+++ b/authorize/evaluator/evaluator.go
@@ -38,8 +38,9 @@ const (
 
 // Evaluator specifies the interface for a policy engine.
 type Evaluator struct {
-	rego  *rego.Rego
-	query rego.PreparedEvalQuery
+	rego     *rego.Rego
+	query    rego.PreparedEvalQuery
+	policies []config.Policy
 
 	clientCA         string
 	authenticateHost string
@@ -51,6 +52,7 @@ type Evaluator struct {
 func New(options *config.Options) (*Evaluator, error) {
 	e := &Evaluator{
 		authenticateHost: options.AuthenticateURL.Host,
+		policies:         options.Policies,
 	}
 	if options.ClientCA != "" {
 		e.clientCA = options.ClientCA
@@ -129,33 +131,40 @@ func (e *Evaluator) Evaluate(ctx context.Context, req *Request) (*Result, error)
 		return &deny[0], nil
 	}
 
-	signedJWT, err := e.SignedJWT(req)
+	payload := e.JWTPayload(req)
+
+	signedJWT, err := e.SignedJWT(payload)
 	if err != nil {
 		return nil, fmt.Errorf("error signing JWT: %w", err)
 	}
 
+	evalResult := &Result{
+		MatchingPolicy: getMatchingPolicy(res[0].Bindings.WithoutWildcards(), e.policies),
+		SignedJWT:      signedJWT,
+	}
+	if e, ok := payload["email"].(string); ok {
+		evalResult.UserEmail = e
+	}
+	if gs, ok := payload["groups"].([]string); ok {
+		evalResult.UserGroups = gs
+	}
+
 	allow := allowed(res[0].Bindings.WithoutWildcards())
 	if allow {
-		return &Result{
-			Status:    http.StatusOK,
-			Message:   "OK",
-			SignedJWT: signedJWT,
-		}, nil
+		evalResult.Status = http.StatusOK
+		evalResult.Message = "OK"
+		return evalResult, nil
 	}
 
 	if req.Session.ID == "" {
-		return &Result{
-			Status:    http.StatusUnauthorized,
-			Message:   "login required",
-			SignedJWT: signedJWT,
-		}, nil
+		evalResult.Status = http.StatusUnauthorized
+		evalResult.Message = "login required"
+		return evalResult, nil
 	}
 
-	return &Result{
-		Status:    http.StatusForbidden,
-		Message:   "forbidden",
-		SignedJWT: signedJWT,
-	}, nil
+	evalResult.Status = http.StatusForbidden
+	evalResult.Message = "forbidden"
+	return evalResult, nil
 }
 
 // ParseSignedJWT parses the input signature and return its payload.
@@ -167,17 +176,8 @@ func (e *Evaluator) ParseSignedJWT(signature string) ([]byte, error) {
 	return object.Verify(&(e.jwk.(*ecdsa.PrivateKey).PublicKey))
 }
 
-// SignedJWT returns the signature of given request.
-func (e *Evaluator) SignedJWT(req *Request) (string, error) {
-	signerOpt := &jose.SignerOptions{}
-	signer, err := jose.NewSigner(jose.SigningKey{
-		Algorithm: jose.ES256,
-		Key:       e.jwk,
-	}, signerOpt.WithHeader("kid", e.kid))
-	if err != nil {
-		return "", err
-	}
-
+// JWTPayload returns the JWT payload for a request.
+func (e *Evaluator) JWTPayload(req *Request) map[string]interface{} {
 	payload := map[string]interface{}{
 		"iss": e.authenticateHost,
 	}
@@ -200,6 +200,19 @@ func (e *Evaluator) SignedJWT(req *Request) (string, error) {
 			payload["groups"] = du.GetGroups()
 		}
 	}
+	return payload
+}
+
+// SignedJWT returns the signature of given request.
+func (e *Evaluator) SignedJWT(payload map[string]interface{}) (string, error) {
+	signerOpt := &jose.SignerOptions{}
+	signer, err := jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.ES256,
+		Key:       e.jwk,
+	}, signerOpt.WithHeader("kid", e.kid))
+	if err != nil {
+		return "", err
+	}
 
 	bs, err := json.Marshal(payload)
 	if err != nil {
@@ -266,9 +279,31 @@ type (
 
 // Result is the result of evaluation.
 type Result struct {
-	Status    int
-	Message   string
-	SignedJWT string
+	Status         int
+	Message        string
+	SignedJWT      string
+	MatchingPolicy *config.Policy
+
+	UserEmail  string
+	UserGroups []string
+}
+
+func getMatchingPolicy(vars rego.Vars, policies []config.Policy) *config.Policy {
+	result, ok := vars["result"].(map[string]interface{})
+	if !ok {
+		return nil
+	}
+
+	idx, err := strconv.Atoi(fmt.Sprint(result["route_policy_idx"]))
+	if err != nil {
+		return nil
+	}
+
+	if idx >= len(policies) {
+		return nil
+	}
+
+	return &policies[idx]
 }
 
 func allowed(vars rego.Vars) bool {
diff --git a/authorize/evaluator/evaluator_test.go b/authorize/evaluator/evaluator_test.go
index 6fc7c9887..f8833764d 100644
--- a/authorize/evaluator/evaluator_test.go
+++ b/authorize/evaluator/evaluator_test.go
@@ -80,7 +80,7 @@ func TestEvaluator_SignedJWT(t *testing.T) {
 			URL:    "https://example.com",
 		},
 	}
-	signedJWT, err := e.SignedJWT(req)
+	signedJWT, err := e.SignedJWT(e.JWTPayload(req))
 	require.NoError(t, err)
 	assert.NotEmpty(t, signedJWT)
 
@@ -101,7 +101,7 @@ func TestEvaluator_JWTWithKID(t *testing.T) {
 			URL:    "https://example.com",
 		},
 	}
-	signedJWT, err := e.SignedJWT(req)
+	signedJWT, err := e.SignedJWT(e.JWTPayload(req))
 	require.NoError(t, err)
 	assert.NotEmpty(t, signedJWT)
 
diff --git a/authorize/evaluator/opa/policy/authz.rego b/authorize/evaluator/opa/policy/authz.rego
index dedfc4b16..db7a8f0d8 100644
--- a/authorize/evaluator/opa/policy/authz.rego
+++ b/authorize/evaluator/opa/policy/authz.rego
@@ -3,7 +3,8 @@ package pomerium.authz
 default allow = false
 
 
-route_policy := first_allowed_route_policy(input.http.url)
+route_policy_idx := first_allowed_route_policy_idx(input.http.url)
+route_policy := data.route_policies[route_policy_idx]
 session := input.databroker_data.session
 user := input.databroker_data.user
 directory_user := input.databroker_data.directory_user
@@ -84,8 +85,8 @@ deny[reason] {
 }
 
 # returns the first matching route
-first_allowed_route_policy(input_url) = first_policy {
-	first_policy := [policy | some i, policy; policy = data.route_policies[i]; allowed_route(input.http.url, policy)][0]
+first_allowed_route_policy_idx(input_url) = first_policy_idx {
+	first_policy_idx := [idx | some idx, policy; policy = data.route_policies[idx]; allowed_route(input.http.url, policy)][0]
 }
 
 allowed_route(input_url, policy){
diff --git a/authorize/evaluator/opa/policy/statik.go b/authorize/evaluator/opa/policy/statik.go
index d38c16221..a497cdd4b 100644
--- a/authorize/evaluator/opa/policy/statik.go
+++ b/authorize/evaluator/opa/policy/statik.go
@@ -9,6 +9,6 @@ import (
 const Rego = "rego" // static asset namespace
 
 func init() {
-	data := "PK\x03\x04\x14\x00\x08\x00\x08\x00ct\xd9P\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\n\x00	\x00authz.regoUT\x05\x00\x01\x1a\xb6\xf4^\xacWMs\xdb6\x10=\x13\xbfb\x83\\\xc4\x96\xa6\x92~\x1c\xaa\x8c\xeafr\xea\xa1u&iO\x1c\x85\x81\xc8\x95\x88\x84\x04X\x00\xac\xed\xb8\xfe\xef\x9d\x05H\x8b\x92%\xda\xads\xb1\xc8\xc5\xc3\xdb}\xbb\xcb\x05\xdc\x8a\xe2\xb3\xd8\"\xb4\xbaA#\xbb&\x15\x9d\xab\xbe0V\xe2Ft\xb5\x03Q\xd7\xfa\x12\x96\xb0\x11\xb5E\xc6\x98\xd1\x9d\xc3\xbc\xd5\xb5,\xaea\xb1\x84\x8d4\xd6\xe5\x1e\x85e>^\x9dI\xd5v.\xad\x9ck\xd3\xce\xd41\xb3h\xad\xd4\x8av\x85\xa5R8\xb16\xfa3\x9a\x9c\x1e\xd3\x1e\xc0:\x8b\xe64\x8aVY)\x0d\x16N\x9b\xeb|\x1a\xbc\x8fc\x8c=\xef\x15\xb5\xdd\xba\x96\x05\x0b/7,\x1aG\x9e\xbe&\xeb[\x8f\xf8SQBP9Y\x08\x87\xe5\xeb\xa2@ka\xb9\x04g:d\xb7;\xc2B\x1b\x0b\xad\xc1M-\xb7\x95;A\xfc\xe6\xe2\xdd\xfb@>\x00\xef\xa8\xa2Q\xba\x1at\x95.i\x89_\xbc\xfd\xe3\xd7\x8b\xdf\xdfs\x16\x15\xbaSn\xa6\xd7\x9f\xb0p\xe9\x16\xdd8\xbf\x15\x8a\x12\x8dM\x80\x87\x00\xcf\xdeh\xe5\x8c\xae\xcf\xde\xe1_\x1dZw\xf6\x9bg\xe4	d\xab8\x86\x9f\xe1\xc5c\xf9.\x8c\xdcJ5\xde8\xd2\xbc\xbe\x06l\x84\xacwj)\xcb\xa9\xb7Q\xf4{\xda\x87\x1e!\x88\xcd\xf2\xd5\x98hkt\xd7\xeeX\xacn\xb0\xb7E\xfb\x15L\xbd\x95\xb6\xc3r@\x1c\xf5r\x1f\xb7\x1f\xb7lZ4V+\xe1\xf0P\xc3d\xd40tZ\xdf\xac\xe9\x88(\x0fD\xa7\x1dM\xc8<M\xfa\xb5\x14\x97\xba\x11R\x1dx\xef\x8d\x91\x8f<\x97*\x0f\x86\xd9\xae\x8e\xc9\xf1*\x06\x9c\xcd\xc2\xef*\x9eP\xfd\x9f\x1c?\x90\xdc\xff\x11\xcd0\xd9\xa03\xb5\xddEQh\xe5h\xcf\xc1\x98J\x80\xcf\xd3a\xcb\x9c\xc7,R\xda\xc1\xa3\xc0\xa2l\xa4\xe2{\xbe\xfdp\x92\x16\xfc\xd2\xce7\xd6\xd8\xa0r$\xbb\x96\xd6\xcd\xfc\xa8\xf2\x18\x9b\xf4\xed\xb5+@<\x15\xeb	\xef%\xaakPZ\x9dy\xab\x0f\xc3\xc2\xc6\xe8\x06\x04\xcd\x07\xa9\xb6!\xa4\x90M\xcb\x08\x9f\x19\x14V\xab\x95\xff\x04\xfc#,!\xfb\xe1\xc5\xf7	\xf0A\x07\xe5\"8Z\x85\xc4L*y\x94\x86\xe3\x12&\x02\xfa\xe9\xc7\x04\xb8T\x7f\x8bZ\x96P\xd4\x12\x95\x83\x02\x8d\x93\x1b?\xa2)2i\xf3\xb5\xd65\x8a\xa1\x9f\xa4\xcd=>\x0f\xf8|\x84\xef+\xfc .$\xd6\xa0\xeb\x8c\xb2\xe0*\x0cG\x1f4\xc2\x15\x15%\xd4\xa7\x92=t\x1e\xe6t\x14\xc2pn\xf6\xe7\xe8\x0d\x8b\xf6\xde\x17K\xc8\xfa\xc7\x7f\xc0\x7f.2\x81`x\xd5\xff\xc2\x12|\xaeG\x1e$\xdaL\xae^\xc1\x9e\xf3{-\x13\xb6\xc7\xab\xec\x85\x9f\xc0G\xc0\xf9\x18w\xd3\x8f&2\xe6z\xfd\x89bk\x85\xb1H\x86\x91$\x16\xedk\xb6\xba3\xc5\x88\x90\xf6\xde\x91\x1e\x82\xe9\xd8\x94W\x8f\x05\x0bW=\x12jp\x8b'i\x0f\xc5O\x87L5\x1a\x9d\x95\xc1\x9a\x00\x0f\x9bx\x02\x9c\xc7\xfe\xc0\xe6\xec\xf6\xab\xf3>\xf3\xbcQ\xb0\x1d\xafD?\x10\x03$>(ZZi\xebo\x1a\xfb\x0c\xde|?\x0f\x93\xd58\x15o\xd84\x99\x87\xa7\xf3\x0eyp\xc28{)\x0f\xfb \xa5\xd6\x18\x18\xd3\xb0\xf3H\x9d'\x1a\xe8d\x14\xc2U\xd3\xda\x9e\xc4\xd9\xeb\x1a\x02\x17\xae\"7\xf7\xb5\xdd\xd72\xd5\xe1\xa7\x1c\xfb=\x93j\x9e\xca\xda\xeb1\x98\xfb\xe984\xa7\x87$Gt\xf9\"\xedz\xd9:C#\xf2\x06\xb8-*l\x90/ <$\xc0\xa9e\xf9\x02\xe8g\xc8\xe1\x02|\xc6n)\xb2,O\xee\xb0\x01c\xc4%-\xd3\xad\xc8\xfbO7R\x954\xa0s\xeb\x8cT\xdb\xdcvk\x1fe\xaef,\x8a>\xce\xce\x173\x9a\x96\x99]\x9d\xc7\x8b\xf9<>\x9fe\x1f\xe6\xabo\xe3Y\xf6\xe1\xfc\xf9\xea\x9b\xf8c\xc2\xa2\xc8:\x93\xc0\xcb\x98\x86h\x14\xea\x05J\x9bF\xd4\xf2K\xf8\xbc|C\xf4\xbe\xbd\xbc#\xcb\xbdN>\xe7\xfeZ\xe4\xcc]9N\x83	\xd5\x83\x9f\xf5`vx\x87\xeaoJ\xe1\xcd\x17\xec\x8a\x86\x85mk\xe9\x86E\xfe\x0b\x8f\x87\xff\x01\xae|\x1f|\xc7\xa2\xab\xec\xe5\x8a\x1e\xfb\xcb\x19Q\x1f\x9c\xef\xf4'\xf1\xa7>\xf1\x02\xd0{\xb8r\x92\x8d\xdd\xb2\x7f\x03\x00\x00\xff\xffPK\x07\x08\xcb\xeau\x85!\x04\x00\x00P\x0e\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00\xaan\xd9P\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x00	\x00authz_test.regoUT\x05\x00\x01P\xac\xf4^\xccWAO\xeb8\x10>'\xbf\xc2\xf2iY\xb5\x8d\xb8VB\x0bB\xab\xd5\x1ev\x8b\x80w\xaa\xaa\xc8M\xe65~$q\xb0\x1dQ\xa8\xfa\xdf\x9f\xc6v\xd2\xa6$\x0f\x13\x81\x1e\\Hl\xcf\xcc7\xdf|\x9f	\x15K\x1e\xd8\x06H%\n\x90\xbc.f\xac\xd6\xd9K\x18jP:\x86\x82\xf1<fy.\x9e %\xbb00\x8f\xe4\x89\xeb,\x0c\x82\x94i6\x93\xa2\xd6\x10W\"\xe7	\x07E\x98\"\xcb]\x18\x04\x01U\xa2\x96	\xd09\xa1\xb0eE\x95\xc3,\x11\x05\x9d\x98=\x971\xae\x15HE\xe7dI\xb7\x97\xc7\xa7Va\x10\xecWM\x1d^V\xb5\x9ea\xb5\xb5\x14\x0f c|\xc4J\xae\x10(\xc5EI\xe7d\x17\x92\x93\x1f\x8a\x15b\x9e\"\x0c|<\xa7\x9d#{\x0b\x07wLx\x80o\xa6i\x0c\xe8b\xc2\xcd=\xe2\xea\xc2\xca\xb4\xae\x0c\x16Bki\xc2pe\x1eE\xc7\xb1\xe4$\xc8Avq\x16\x9e[;\xa7d\x1f\xee\x1b\xfem\x0eDV\nM\xbc\xd8G\x9c\xae\x93\xc3\x08z0M\xec\x99\x8a\xe9\x0cOD\xacYi\x86\x93\x8a\x82\xf1\xd2\x8e\xe7t8\x81enL\x9d\xf5i\x9d\x83\x08J!J\xb8l\x95\xd8-\xb6z?\xef\xd1\xfa\x15\xf3X\xacC\xfb9\x9d\x90\xc3\xc8\x7f\x08\xb8\xec\x0e\xee0\x0b\xe3\x85\x14Jn\xad\xe0=\x901vX\x8b\xf5\x9b\x86\xf0a\xe0\x03\xfb\xaf\xeau\xce\x93O\xb8\x0c\xae0\xcd\x8d\xc9\xfe\xad\xc4\xdb\x07J\xcd\x13\xa6!\xbdJ\x12PH\x88\x965\x8cg \xdcw:\x181\xc2^\xad\xf7\x89\\\xc2w\xbe\xb52\x7f\x9e\x9akeP\xec}#\x1e\xb2UO)\x7f\xd6\xcc\xad5\xc4\x9c\xbd\xff\x86\x0d\xe4\xba@\xf2\x0fJp\x06\xfd\x04-\xf8\xd14F\x07\xd1\xac\x81\x1d\x1dK\xa2ie\x84(>\xbd\x9b7fsh\x88\xa5\x05/]\xcdL(}\x8a\xa63\xbdDH\x15\xa3Ps\xbe\xc9\xf4\xef\x99\xa1=x\xbd\xb8\xbd\xb32n\xd0xX\xddD\x16\xa03a\xae\xaf\xc5\xcd\xfd\xbf\x8b\xff\xef\\\xe9a\xb2\x1av\x80\xa5\x16\x95\xf3\xd8B\xf2\x0d/\x0dJ%\n\x10\xf6u\xd5\x98\xccXiz-J-E>\xbd\x85\xc7\x1a\x94\x9e\xfe\xd7\x94_\xd2\x7f\xfe\xbew\xceu$\xf7q\xfce\xc5\xf5\x85yt\xfedRA\\\xcb\x1c\xeb\xe0\xaf\xf9\x05i\xd7\xfe\xe8\x03\x88\xd5#\xfc\xd8\xf8\xebQ\xd13\x134SI\x06\x05\x90\x8b\x0b\xdb\x12\xb5\xab\xe8\x14\xb3\xd6\xb5\nna\xbc\xd9:\xa4\xa3-\xa6\x86x;5;\xa2\xd6>\xcdz\x1f6:!\xbb\x81\x91\xee\xcf\xde\x1f\xdfs`l\x1a5&O\xf4Q\x89\xde\xce\x13\xf9%\xf2@d3\xb56\x1c\xcc&\xe4\xe6\xd7\xe3\xeaW\x83\xfd\x00\xf0W\xc3\xd1\x07\x83g\x8b\xe6\xae7\xb24\xaa<Ib\xff\x12\xf8\xb5\xd8\x83\xa1\x0d\x1f\xe8\x0em\xe1\xdf[\xf3\xc5\xef\xd9YO\x90W\x13\xbd\x94\xb4\xff\xd5\x8c!\xe4Up?\x1d\x126\xf0\x8eY\x9b\xe3\x98w\xf6\xa7'#=\x8d\xb5I\xdc\xa6\xcb\xe5\xdf\\\x9b`\xb9}~Y\xd9\xe6~\x06\x00\x00\xff\xffPK\x07\x08\x1b0\xfc\xd2\x02\x03\x00\x00\x04\x10\x00\x00PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00ct\xd9P\xcb\xeau\x85!\x04\x00\x00P\x0e\x00\x00\n\x00	\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\x00\x00\x00\x00authz.regoUT\x05\x00\x01\x1a\xb6\xf4^PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\xaan\xd9P\x1b0\xfc\xd2\x02\x03\x00\x00\x04\x10\x00\x00\x0f\x00	\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81b\x04\x00\x00authz_test.regoUT\x05\x00\x01P\xac\xf4^PK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00\x87\x00\x00\x00\xaa\x07\x00\x00\x00\x00"
+	data := "PK\x03\x04\x14\x00\x08\x00\x08\x001\xa8\xe9P\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\n\x00	\x00authz.regoUT\x05\x00\x01\xaf\x85\x07_\xacW\xcdr\xdb6\x10>\x13O\xb1A.bKSN\x7f\x0eUFu39\xf5\xd0:\x93\xb4'\x8e\x82@$$\"!\x01\x16\x00k;\xae\xdf\xbd\xb3\x00iQ\x94\xc4\xa8u.\xa6\xb8\xf8\xf6\xdb_\xee\xc2\x0d\xcf?\xf1\xad\x80F\xd7\xc2\xc8\xb6Ny\xeb\xca\xcf\x84\x14b\xc3\xdb\xca\x01\xaf*}\x03K\xd8\xf0\xca\nB\x88\xd1\xad\x13\xac\xd1\x95\xcc\xef\x98,na\xb1\x84\x8d4\xd61\x8f\x14\x05\x1b#fR5\xadKK\xe7\x9a\xb45U\xbcG\x81\xea\x05w<\x1d\x08\xa5\xb0\xd9\x98dE\xac\xb0Vj\x85\n\x81\x10\xd5\xd6F\x7f\x12\x86y\x86\x0e@Z+\xcci\x14\x9e\x92B\x1a\x91;m\xee\xd84x\x1fG\x08y\xde\xe5\xa3i\xd7\x95\xccIx\xb9'\xd1\xd0\xdd\xf4\x15J\xdfx\xc4\x9f\n\xd3)\x94\x939w\xa2x\x95\xe7\xc2ZX.\xc1\x99V\x90\x87\x1da\xae\x8d\x85\xc6\x88M%\xb7\xa5;A\xfc\xfa\xfa\xed\xbb@\xde\x03\x1f\xa9\xa2A\x92k\xe1J]\xe0\x11\xbd~\xf3\xc7\xaf\xd7\xbf\xbf\xa3$\xcau\xab\xdcL\xaf?\x8a\xdc\xa5[\xe1\x86U)\x05/\x84\xb1	\xd0\xe0\xe0\xc5k\xad\x9c\xd1\xd5\xc5[\xf1W+\xac\xbb\xf8\xcd3\xd2\x04\xb2U\x1c\xc3\xcfpy.\xdf\xb5\x91[\xa9\x86\x8a\x83\x98\xd7w j.\xab]\xb4\x98\xe5\xd4\xcb\xd0\xfb\xbd\xd8\xfb\xeeB\x88\xcd\xd8jH\xb45\xbamv,V\xd7\xa2\x93E\xfb\x15L\xbd\x14\xd5a\xd9#\x8eZ9\xc4\xed\xfb-\xebF\x18\xab\x15wb\x1c\xc3\xa4\xd7\xd0wZ\xd7\xac\xe9\x80\x88\x05\xa2\xd3\x86&\xc2<M\xfa\xb5\".t\xcd\xa5\x1aY\xef\x84\x91\xf7\x9cI\xc5\x82`\xb6\xabcr\xbc\x8a\x01g\xb3\xf0\\\xc5\x13Q\xff'\xc3_H\xee\xff\xf0\xa6\x9f\x8b\xd0\x9a\xca\xee\xbc\xc8\xb5r\xa83\x1an	\xd0y\xda\xab\xcciL\"\xa5\x1d\x9c\x05\xe6E-\x15\xdd\xb3\xed\x87\x93\xb4\xe0\x8fv\xb6E%j\xa1\x1c\x86]I\xebf~Ty\x8cM\xba\xf6\xda\x15 \x9e\xf2\xf5\x84\xf5B\xa8;PZ]x\xa9w\xc3\xc2\xc6\xe8\x1a8\xce\x07\xa9\xb6\xc1\xa5\x90MK\x10\x9f\x19\xc1\xadV+\xff	\xf8\x9f\xb0\x84\xec\x87\xcb\xef\x13\xa0}\x1c\x98\x8b`h\x15\x123\x19\xc9Y1\x1c\x0fa\xc2\xa1\x9f~L\x80J\xf57\xafd\x01y%\x85r\x90\x0b\xe3\xe4\xc6\x8fh\xf4LZ\xb6\xd6\xba\x12\xbc\xef'i\x99\xc7\xb3\x80g\x03|W\xe1/\xe2Bb\x8dp\xadQ\x16\\)\xc2\xd2\x84\x9a\xbb\xbc\xc4\x84\xfaT\x92s6)\xc3%\n\xfd\xd6\x1dl\xe2{\x12\x1d\xc8\x16K\xc8\xf0\xf9\x0f\xf8\xefF\x16\xb7	\x84\xe3\x97\xdd\x13\x8e/`\xdc\xb9/a\xcf\x93\x83\xfe	\x04\xf1*\xbb\xf4\xe3\xf8\x08\x98\x0dq\xf7\xdd\x9cB!\xd3\xeb\x8f\xe8\\\xc3\x8d\x15(\x18\xc4F\xa2\xfd\x04X\xdd\x9a|@\x88\xba\x8f\xa4c0\xeePy{.\x98\xbb\xf2L\xa8\x11[q\x92v\x1c\xfc\xb4\xcbX\xa8\xc1\xe2\x0c\xd2\x04hP\xa2	P\x1a\xfb\xedM\xc9\xc3W\xe7}\xe6y\xa3 ;^\x89n:\x06H<*ZZj\xeb\xaf\x1d\xfb\x0c^|\x98\x87\xc9j\x9c\xf27(M\xe6\xe1\xe9\xbc}\x1e\x1c7\xce\xde\xc8q\x1f\xa4\xd8\x1a=c\x1a4\x8f\xd4y\xa2\x81Nz\xc1]9\x1d\xdb\x938\xbb\xb8z\xc7\xb9+\xd1\xccal\x87\xb1Lu\xf8)\xc3^g2\x9a\xa7\xb2v\xf1\x18\xc1\xfc\xa8\xec\x9b\xd3C\x92#q\xf9\"\xedz\xd9:\x83\xb3\xf2\x1e\xa8\xcdKQ\x0b\xba\x80\xf0#\x01\x8a-K\x17\x80\x8f>\x87\x0b\xf0\x19{@\xcf2\x96<b\x03\xc6\xf0\x1b<\xc6+\x92\xb7\x9fn\xa4*pZ3\xeb\x8cT[f\xdb\xb5\xf7\x92\xa9\x19\x89\xa2\x0f\xb3\xab\xc5\x0c\xa7efWW\xf1b>\x8f\xaff\xd9\xfb\xf9\xea\xdbx\x96\xbd\xbfz\xbe\xfa&\xfe\x90\x90(\xb2\xce$\xf0\"\xc6!\x1a\x85z\x81\xd2\xa6\xe6\x95\xfc\x1c>/\xdf\x10\x9dm\x1f\xde\x91\xe3.N:\xa7\xfe\x8e\xe4\xccc9N\x83\x11\xd5\x81\x9fu`2\xbePu\xd7\xa6\xf0\xe6\x0b\xe6w\x8am*\xe9\xfaC\xfa\x0b\x8d\xfb\x7f\x08n}\x1f|G\xa2\xdb\xec\xc5\n\x7fv75\xa4\x1e-{\xfc\x93\xf8+\x00\xf2\x02\xe0{\xb8\x7f\xa2\x8c<\x90\x7f\x03\x00\x00\xff\xffPK\x07\x08\x9f\xedE\xac,\x04\x00\x00\x9b\x0e\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00\xaan\xd9P\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x00	\x00authz_test.regoUT\x05\x00\x01P\xac\xf4^\xccWAO\xeb8\x10>'\xbf\xc2\xf2iY\xb5\x8d\xb8VB\x0bB\xab\xd5\x1ev\x8b\x80w\xaa\xaa\xc8M\xe65~$q\xb0\x1dQ\xa8\xfa\xdf\x9f\xc6v\xd2\xa6$\x0f\x13\x81\x1e\\Hl\xcf\xcc7\xdf|\x9f	\x15K\x1e\xd8\x06H%\n\x90\xbc.f\xac\xd6\xd9K\x18jP:\x86\x82\xf1<fy.\x9e %\xbb00\x8f\xe4\x89\xeb,\x0c\x82\x94i6\x93\xa2\xd6\x10W\"\xe7	\x07E\x98\"\xcb]\x18\x04\x01U\xa2\x96	\xd09\xa1\xb0eE\x95\xc3,\x11\x05\x9d\x98=\x971\xae\x15HE\xe7dI\xb7\x97\xc7\xa7Va\x10\xecWM\x1d^V\xb5\x9ea\xb5\xb5\x14\x0f c|\xc4J\xae\x10(\xc5EI\xe7d\x17\x92\x93\x1f\x8a\x15b\x9e\"\x0c|<\xa7\x9d#{\x0b\x07wLx\x80o\xa6i\x0c\xe8b\xc2\xcd=\xe2\xea\xc2\xca\xb4\xae\x0c\x16Bki\xc2pe\x1eE\xc7\xb1\xe4$\xc8Avq\x16\x9e[;\xa7d\x1f\xee\x1b\xfem\x0eDV\nM\xbc\xd8G\x9c\xae\x93\xc3\x08z0M\xec\x99\x8a\xe9\x0cOD\xacYi\x86\x93\x8a\x82\xf1\xd2\x8e\xe7t8\x81enL\x9d\xf5i\x9d\x83\x08J!J\xb8l\x95\xd8-\xb6z?\xef\xd1\xfa\x15\xf3X\xacC\xfb9\x9d\x90\xc3\xc8\x7f\x08\xb8\xec\x0e\xee0\x0b\xe3\x85\x14Jn\xad\xe0=\x901vX\x8b\xf5\x9b\x86\xf0a\xe0\x03\xfb\xaf\xeau\xce\x93O\xb8\x0c\xae0\xcd\x8d\xc9\xfe\xad\xc4\xdb\x07J\xcd\x13\xa6!\xbdJ\x12PH\x88\x965\x8cg \xdcw:\x181\xc2^\xad\xf7\x89\\\xc2w\xbe\xb52\x7f\x9e\x9akeP\xec}#\x1e\xb2UO)\x7f\xd6\xcc\xad5\xc4\x9c\xbd\xff\x86\x0d\xe4\xba@\xf2\x0fJp\x06\xfd\x04-\xf8\xd14F\x07\xd1\xac\x81\x1d\x1dK\xa2ie\x84(>\xbd\x9b7fsh\x88\xa5\x05/]\xcdL(}\x8a\xa63\xbdDH\x15\xa3Ps\xbe\xc9\xf4\xef\x99\xa1=x\xbd\xb8\xbd\xb32n\xd0xX\xddD\x16\xa03a\xae\xaf\xc5\xcd\xfd\xbf\x8b\xff\xef\\\xe9a\xb2\x1av\x80\xa5\x16\x95\xf3\xd8B\xf2\x0d/\x0dJ%\n\x10\xf6u\xd5\x98\xccXiz-J-E>\xbd\x85\xc7\x1a\x94\x9e\xfe\xd7\x94_\xd2\x7f\xfe\xbew\xceu$\xf7q\xfce\xc5\xf5\x85yt\xfedRA\\\xcb\x1c\xeb\xe0\xaf\xf9\x05i\xd7\xfe\xe8\x03\x88\xd5#\xfc\xd8\xf8\xebQ\xd13\x134SI\x06\x05\x90\x8b\x0b\xdb\x12\xb5\xab\xe8\x14\xb3\xd6\xb5\nna\xbc\xd9:\xa4\xa3-\xa6\x86x;5;\xa2\xd6>\xcdz\x1f6:!\xbb\x81\x91\xee\xcf\xde\x1f\xdfs`l\x1a5&O\xf4Q\x89\xde\xce\x13\xf9%\xf2@d3\xb56\x1c\xcc&\xe4\xe6\xd7\xe3\xeaW\x83\xfd\x00\xf0W\xc3\xd1\x07\x83g\x8b\xe6\xae7\xb24\xaa<Ib\xff\x12\xf8\xb5\xd8\x83\xa1\x0d\x1f\xe8\x0em\xe1\xdf[\xf3\xc5\xef\xd9YO\x90W\x13\xbd\x94\xb4\xff\xd5\x8c!\xe4Up?\x1d\x126\xf0\x8eY\x9b\xe3\x98w\xf6\xa7'#=\x8d\xb5I\xdc\xa6\xcb\xe5\xdf\\\x9b`\xb9}~Y\xd9\xe6~\x06\x00\x00\xff\xffPK\x07\x08\x1b0\xfc\xd2\x02\x03\x00\x00\x04\x10\x00\x00PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x001\xa8\xe9P\x9f\xedE\xac,\x04\x00\x00\x9b\x0e\x00\x00\n\x00	\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\x00\x00\x00\x00authz.regoUT\x05\x00\x01\xaf\x85\x07_PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\xaan\xd9P\x1b0\xfc\xd2\x02\x03\x00\x00\x04\x10\x00\x00\x0f\x00	\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81m\x04\x00\x00authz_test.regoUT\x05\x00\x01P\xac\xf4^PK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00\x87\x00\x00\x00\xb5\x07\x00\x00\x00\x00"
 	fs.RegisterWithNamespace("rego", data)
 }
diff --git a/authorize/grpc.go b/authorize/grpc.go
index d1b1be16e..653e3680a 100644
--- a/authorize/grpc.go
+++ b/authorize/grpc.go
@@ -173,7 +173,7 @@ func (a *Authorize) getEnvoyRequestHeaders(signedJWT string) ([]*envoy_api_v2_co
 		return nil, err
 	}
 	for k, v := range hdrs {
-		hvos = append(hvos, mkHeader(k, v))
+		hvos = append(hvos, mkHeader(k, v, false))
 	}
 
 	return hvos, nil
diff --git a/config/policy.go b/config/policy.go
index 3d3ab51a9..2a5dc2fa5 100644
--- a/config/policy.go
+++ b/config/policy.go
@@ -100,6 +100,9 @@ type Policy struct {
 	//  - X-Pomerium-Claim-*
 	//
 	PassIdentityHeaders bool `mapstructure:"pass_identity_headers" yaml:"pass_identity_headers,omitempty"`
+
+	// KubernetesServiceAccountToken is the kubernetes token to use for upstream requests.
+	KubernetesServiceAccountToken string `mapstructure:"kubernetes_service_account_token" yaml:"kubernetes_service_account_token,omitempty"`
 }
 
 // Validate checks the validity of a policy.
diff --git a/go.sum b/go.sum
index a037f8f4e..c5e79df60 100644
--- a/go.sum
+++ b/go.sum
@@ -103,7 +103,6 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudflare/cloudflare-go v0.10.2/go.mod h1:qhVI5MKwBGhdNU89ZRz2plgYutcJ5PCekLxXn56w6SY=
-github.com/cncf/udpa v0.0.0-20200629203442-efcf912fb354 h1:JBAT2dkeyeqzQOaAA8tB21Zfyv/nHfaqjZvWIllABnw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200313221541-5f7e5dd04533 h1:8wZizuKuZVu5COB7EsBYxBQz8nRcXXn5d4Gt91eJLvU=
 github.com/cncf/udpa/go v0.0.0-20200313221541-5f7e5dd04533/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -135,8 +134,6 @@ github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4s
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/go-control-plane v0.9.5 h1:lRJIqDD8yjV1YyPRqecMdytjDLs2fTXq363aCib5xPU=
-github.com/envoyproxy/go-control-plane v0.9.5/go.mod h1:OXl5to++W0ctG+EHWTFUjiypVxC/Y4VLc/KFU+al13s=
 github.com/envoyproxy/go-control-plane v0.9.6 h1:GgblEiDzxf5ajlAZY4aC8xp7DwkrGfauFNMGdB2bBv0=
 github.com/envoyproxy/go-control-plane v0.9.6/go.mod h1:GFqM7v0B62MraO4PWRedIbhThr/Rf7ev6aHOOPXeaDA=
 github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A=
@@ -381,8 +378,6 @@ github.com/onsi/gocleanup v0.0.0-20140331211545-c1a5478700b5/go.mod h1:tHaogb+iP
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.8.1 h1:C5Dqfs/LeauYDX0jJXIe2SWmwCbGzx9yF8C8xy3Lh34=
 github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
-github.com/open-policy-agent/opa v0.21.0 h1:0CVq4EEUP+fJEzjwd9yNLSTWZk4W5rM+QbjdLcT1nY0=
-github.com/open-policy-agent/opa v0.21.0/go.mod h1:cZaTfhxsj7QdIiUI0U9aBtOLLTqVNe+XE60+9kZKLHw=
 github.com/open-policy-agent/opa v0.21.1 h1:c4lUnB0mO2KssiUnyh6Y9IGhggvXI3EgObkmhVTvEqQ=
 github.com/open-policy-agent/opa v0.21.1/go.mod h1:cZaTfhxsj7QdIiUI0U9aBtOLLTqVNe+XE60+9kZKLHw=
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
@@ -616,8 +611,6 @@ golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200625001655-4c5254603344 h1:vGXIOMxbNfDTk/aXCmfdLgkrSV+Z2tcbze+pEc3v5W4=
-golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgNrpq9mjcfDemuexIKsU=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -772,8 +765,6 @@ google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20200707001353-8e8330bf89df h1:HWF6nM8ruGdu1K8IXFR+i2oT3YP+iBfZzCbC9zUfcWo=
-google.golang.org/genproto v0.0.0-20200707001353-8e8330bf89df/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200711021454-869866162049 h1:YFTFpQhgvrLrmxtiIncJxFXeCyq84ixuKWVCaCAi9Oc=
 google.golang.org/genproto v0.0.0-20200711021454-869866162049/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
diff --git a/internal/sessions/header/header_store.go b/internal/sessions/header/header_store.go
index 164311b11..c0a4eda78 100644
--- a/internal/sessions/header/header_store.go
+++ b/internal/sessions/header/header_store.go
@@ -54,9 +54,17 @@ func (as *Store) LoadSession(r *http.Request) (string, error) {
 // request, header key, and authentication type.
 func TokenFromHeader(r *http.Request, authHeader, authType string) string {
 	bearer := r.Header.Get(authHeader)
-	atSize := len(authType)
-	if len(bearer) > atSize && strings.EqualFold(bearer[0:atSize], authType) {
-		return bearer[atSize+1:]
+	// Authorization: Pomerium <JWT>
+	prefix := authType + " "
+	if strings.HasPrefix(bearer, prefix) {
+		return bearer[len(prefix):]
 	}
+
+	// Authorization: Bearer Pomerium-<JWT>
+	prefix = "Bearer " + authType + "-"
+	if strings.HasPrefix(bearer, prefix) {
+		return bearer[len(prefix):]
+	}
+
 	return ""
 }
diff --git a/internal/sessions/header/header_store_test.go b/internal/sessions/header/header_store_test.go
new file mode 100644
index 000000000..4d92f1b8b
--- /dev/null
+++ b/internal/sessions/header/header_store_test.go
@@ -0,0 +1,23 @@
+package header
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestTokenFromHeader(t *testing.T) {
+	t.Run("pomerium type", func(t *testing.T) {
+		r, _ := http.NewRequest("GET", "http://localhost/some/url", nil)
+		r.Header.Set("Authorization", "Pomerium JWT")
+		v := TokenFromHeader(r, "Authorization", "Pomerium")
+		assert.Equal(t, "JWT", v)
+	})
+	t.Run("bearer type", func(t *testing.T) {
+		r, _ := http.NewRequest("GET", "http://localhost/some/url", nil)
+		r.Header.Set("Authorization", "Bearer Pomerium-JWT")
+		v := TokenFromHeader(r, "Authorization", "Pomerium")
+		assert.Equal(t, "JWT", v)
+	})
+}