always pass full identity claims for the /.pomerium/jwt endpoint

authorize/evaluator/headers_evaluator.go

@@ -46,6 +46,10 @@ func NewHeadersRequestFromPolicy(options *config.Options, policy *config.Policy,
 		input.SetRequestHeaders = policy.SetRequestHeaders
 		input.PassIdentityHeaders = policy.GetPassIdentityHeaders(options)
 	}
+	// always pass identity headers when requesting the special /.pomerium/jwt endpoint
+	if http.Path == "/.pomerium/jwt" {
+		input.PassIdentityHeaders = true
+	}
 	return input
 }
 

integration/policy_test.go

@@ -559,7 +559,7 @@ func TestPomeriumJWT(t *testing.T) {
 func rawJWTPayload(t *testing.T, jwt string) map[string]any {
 	t.Helper()
 	s := strings.Split(jwt, ".")
-	require.Equal(t, 3, len(s), "unexpected JWT format")
+	require.Equal(t, 3, len(s), "unexpected JWT format: %s", jwt)
 	payload, err := base64.RawURLEncoding.DecodeString(s[1])
 	require.NoError(t, err, "JWT payload could not be decoded")
 	d := json.NewDecoder(bytes.NewReader(payload))

proxy/handlers.go

@@ -6,7 +6,6 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/gorilla/mux"
 
 	"github.com/pomerium/pomerium/internal/handlers"
@@ -143,18 +142,6 @@ func (p *Proxy) jwtAssertion(w http.ResponseWriter, r *http.Request) error {
 		return httputil.NewError(http.StatusNotFound, errors.New("jwt not found"))
 	}
 
-	assertionJWT, err := jwt.ParseSigned(rawAssertionJWT)
-	if err != nil {
-		return httputil.NewError(http.StatusNotFound, errors.New("jwt not found"))
-	}
-
-	var dst struct {
-		Subject string `json:"sub"`
-	}
-	if assertionJWT.UnsafeClaimsWithoutVerification(&dst) != nil || dst.Subject == "" {
-		return httputil.NewError(http.StatusUnauthorized, errors.New("jwt not found"))
-	}
-
 	w.Header().Set("Content-Type", "application/jwt")
 	w.WriteHeader(http.StatusOK)
 	_, _ = io.WriteString(w, rawAssertionJWT)