add global jwt_issuer_format option (#5508)

Add a corresponding global setting for the existing route-level jwt_issuer_format option. The route-level option will take precedence when set to a non-empty string.
2025-06-06 12:52:53 +02:00 · 2025-03-11 14:11:50 -07:00 · 2025-03-11 14:11:50 -07:00 · ad183873f4
commit ad183873f4
parent b86c9931b1
11 changed files with 902 additions and 781 deletions
--- a/config/custom.go
+++ b/config/custom.go
@ -23,6 +23,7 @@ import (
 	"github.com/pomerium/pomerium/internal/hashutil"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
 	"github.com/pomerium/pomerium/pkg/policy/parser"
 )

@ -617,3 +618,50 @@ func (f JWTGroupsFilter) Equal(other JWTGroupsFilter) bool {
 	}
 	return f.set.Equal(other.set)
 }
+
+type JWTIssuerFormat string
+
+const (
+	JWTIssuerFormatUnset    JWTIssuerFormat = ""
+	JWTIssuerFormatHostOnly JWTIssuerFormat = "hostOnly"
+	JWTIssuerFormatURI      JWTIssuerFormat = "uri"
+)
+
+var knownJWTIssuerFormats = map[JWTIssuerFormat]struct{}{
+	JWTIssuerFormatUnset:    {},
+	JWTIssuerFormatHostOnly: {},
+	JWTIssuerFormatURI:      {},
+}
+
+func JWTIssuerFormatFromPB(format *configpb.IssuerFormat) JWTIssuerFormat {
+	if format == nil {
+		return JWTIssuerFormatUnset
+	}
+
+	switch *format {
+	case configpb.IssuerFormat_IssuerHostOnly:
+		return JWTIssuerFormatHostOnly
+	case configpb.IssuerFormat_IssuerURI:
+		return JWTIssuerFormatURI
+	default:
+		return JWTIssuerFormatUnset
+	}
+}
+
+func (f JWTIssuerFormat) ToPB() *configpb.IssuerFormat {
+	switch f {
+	case JWTIssuerFormatUnset:
+		return nil
+	case JWTIssuerFormatHostOnly:
+		return configpb.IssuerFormat_IssuerHostOnly.Enum()
+	case JWTIssuerFormatURI:
+		return configpb.IssuerFormat_IssuerURI.Enum()
+	default:
+		return nil
+	}
+}
+
+func (f JWTIssuerFormat) Valid() bool {
+	_, ok := knownJWTIssuerFormats[f]
+	return ok
+}