add global jwt_issuer_format option (#5508)

Add a corresponding global setting for the existing route-level jwt_issuer_format option. The route-level option will take precedence when set to a non-empty string.
2025-07-19 17:50:17 +02:00 · 2025-03-11 14:11:50 -07:00 · 2025-03-11 14:11:50 -07:00 · ad183873f4
commit ad183873f4
parent b86c9931b1
11 changed files with 902 additions and 781 deletions
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@ -437,34 +437,59 @@ func TestHeadersEvaluator(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, "u1@example.com", output.Headers.Get("X-Pomerium-Claim-Email"))
 	})
+}

-	t.Run("issuer format", func(t *testing.T) {
-		t.Parallel()
+func TestHeadersEvaluator_JWTIssuerFormat(t *testing.T) {
+	privateJWK, _ := newJWK(t)

-		for _, tc := range []struct {
-			format string
-			input  string
-			output string
-		}{
-			{"", "example.com", "example.com"},
-			{"hostOnly", "host-only.example.com", "host-only.example.com"},
-			{"uri", "uri.example.com", "https://uri.example.com/"},
-		} {
+	store := store.New()
+	store.UpdateSigningKey(privateJWK)
+
+	eval := func(_ *testing.T, input *Request) (*HeadersResponse, error) {
+		ctx := context.Background()
+		e := NewHeadersEvaluator(store)
+		return e.Evaluate(ctx, input)
+	}
+
+	hostname := "route.example.com"
+
+	cases := []struct {
+		globalFormat config.JWTIssuerFormat
+		routeFormat  config.JWTIssuerFormat
+		expected     string
+	}{
+		{"", "", "route.example.com"},
+		{"hostOnly", "", "route.example.com"},
+		{"uri", "", "https://route.example.com/"},
+
+		{"", "hostOnly", "route.example.com"},
+		{"hostOnly", "hostOnly", "route.example.com"},
+		{"uri", "hostOnly", "route.example.com"},
+
+		{"", "uri", "https://route.example.com/"},
+		{"hostOnly", "uri", "https://route.example.com/"},
+		{"uri", "uri", "https://route.example.com/"},
+	}
+
+	for _, tc := range cases {
+		t.Run("", func(t *testing.T) {
+			store.UpdateDefaultJWTIssuerFormat(tc.globalFormat)
 			output, err := eval(t,
-				nil,
 				&Request{
 					HTTP: RequestHTTP{
-						Hostname: tc.input,
+						Hostname: hostname,
 					},
 					Policy: &config.Policy{
-						JWTIssuerFormat: tc.format,
+						JWTIssuerFormat: tc.routeFormat,
 					},
 				})
 			require.NoError(t, err)
 			m := decodeJWTAssertion(t, output.Headers)
-			assert.Equal(t, tc.output, m["iss"], "unexpected issuer for format=%s", tc.format)
-		}
-	})
+			assert.Equal(t, tc.expected, m["iss"],
+				"unexpected issuer for global format=%q, route format=%q",
+				tc.globalFormat, tc.routeFormat)
+		})
+	}
 }

 func TestHeadersEvaluator_JWTGroupsFilter(t *testing.T) {