only support loading idp tokens via bearer tokens (#5546)

only support loading idp tokens via bearer tokens (#5545) Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2025-07-19 01:28:51 +02:00 · 2025-03-26 09:52:00 -06:00 · 2025-03-26 09:52:00 -06:00 · c0848eecfe
commit c0848eecfe
parent 618ab8fe3f
5 changed files with 12 additions and 73 deletions
--- a/config/session.go
+++ b/config/session.go
@ -405,22 +405,8 @@ func (cfg *Config) GetIncomingIDPAccessTokenForPolicy(policy *Policy, r *http.Re
 		bearerTokenFormat = *policy.BearerTokenFormat
 	}
 	if token := r.Header.Get(httputil.HeaderPomeriumIDPAccessToken); token != "" {
 		return token, true
 	}
 	if auth := r.Header.Get(httputil.HeaderAuthorization); auth != "" {
-		prefix := httputil.AuthorizationTypePomeriumIDPAccessToken + " "
+		prefix := "Bearer "
 		if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) {
 			return auth[len(prefix):], true
 		}
 		prefix = "Bearer " + httputil.AuthorizationTypePomeriumIDPAccessToken + "-"
 		if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) {
 			return auth[len(prefix):], true
 		}
 		prefix = "Bearer "
 		if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) &&
 			bearerTokenFormat == BearerTokenFormatIDPAccessToken {
 			return auth[len(prefix):], true
@ -440,22 +426,8 @@ func (cfg *Config) GetIncomingIDPIdentityTokenForPolicy(policy *Policy, r *http.
 		bearerTokenFormat = *policy.BearerTokenFormat
 	}
 	if token := r.Header.Get(httputil.HeaderPomeriumIDPIdentityToken); token != "" {
 		return token, true
 	}
 	if auth := r.Header.Get(httputil.HeaderAuthorization); auth != "" {
-		prefix := httputil.AuthorizationTypePomeriumIDPIdentityToken + " "
+		prefix := "Bearer "
 		if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) {
 			return auth[len(prefix):], true
 		}
 		prefix = "Bearer " + httputil.AuthorizationTypePomeriumIDPIdentityToken + "-"
 		if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) {
 			return auth[len(prefix):], true
 		}
 		prefix = "Bearer "
 		if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) &&
 			bearerTokenFormat == BearerTokenFormatIDPIdentityToken {
 			return auth[len(prefix):], true
--- a/config/session_test.go
+++ b/config/session_test.go
@ -206,24 +206,6 @@ func TestGetIncomingIDPAccessTokenForPolicy(t *testing.T) {
 			name:       "empty headers",
 			expectedOK: false,
 		},
 		{
 			name:          "custom header",
 			headers:       http.Header{"X-Pomerium-Idp-Access-Token": {"access token via custom header"}},
 			expectedOK:    true,
 			expectedToken: "access token via custom header",
 		},
 		{
 			name:          "custom authorization",
 			headers:       http.Header{"Authorization": {"Pomerium-Idp-Access-Token access token via custom authorization"}},
 			expectedOK:    true,
 			expectedToken: "access token via custom authorization",
 		},
 		{
 			name:          "custom bearer",
 			headers:       http.Header{"Authorization": {"Bearer Pomerium-Idp-Access-Token-access token via custom bearer"}},
 			expectedOK:    true,
 			expectedToken: "access token via custom bearer",
 		},
 		{
 			name:       "bearer disabled",
 			headers:    http.Header{"Authorization": {"Bearer access token via bearer"}},
@ -289,24 +271,6 @@ func TestGetIncomingIDPIdentityTokenForPolicy(t *testing.T) {
 			name:       "empty headers",
 			expectedOK: false,
 		},
 		{
 			name:          "custom header",
 			headers:       http.Header{"X-Pomerium-Idp-Identity-Token": {"identity token via custom header"}},
 			expectedOK:    true,
 			expectedToken: "identity token via custom header",
 		},
 		{
 			name:          "custom authorization",
 			headers:       http.Header{"Authorization": {"Pomerium-Idp-Identity-Token identity token via custom authorization"}},
 			expectedOK:    true,
 			expectedToken: "identity token via custom authorization",
 		},
 		{
 			name:          "custom bearer",
 			headers:       http.Header{"Authorization": {"Bearer Pomerium-Idp-Identity-Token-identity token via custom bearer"}},
 			expectedOK:    true,
 			expectedToken: "identity token via custom bearer",
 		},
 		{
 			name:       "bearer disabled",
 			headers:    http.Header{"Authorization": {"Bearer identity token via bearer"}},
@ -496,12 +460,14 @@ func TestIncomingIDPTokenSessionCreator_CreateSession(t *testing.T) {
 		cfg.Options.AuthenticateURLString = srv.URL
 		cfg.Options.ClientSecret = "CLIENT_SECRET_1"
 		cfg.Options.ClientID = "CLIENT_ID_1"
 		bearerTokenFormatIDPAccessToken := BearerTokenFormatIDPAccessToken
 		cfg.Options.BearerTokenFormat = &bearerTokenFormatIDPAccessToken
 		route := &Policy{}
 		route.IDPClientSecret = "CLIENT_SECRET_2"
 		route.IDPClientID = "CLIENT_ID_2"
 		req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://www.example.com", nil)
 		require.NoError(t, err)
-		req.Header.Set(httputil.HeaderPomeriumIDPAccessToken, "ACCESS_TOKEN")
+		req.Header.Set("Authorization", "Bearer ACCESS_TOKEN")
 		c := NewIncomingIDPTokenSessionCreator(
 			func(_ context.Context, _, _ string) (*databroker.Record, error) {
 				return nil, storage.ErrNotFound
@ -537,12 +503,14 @@ func TestIncomingIDPTokenSessionCreator_CreateSession(t *testing.T) {
 		cfg.Options.AuthenticateURLString = srv.URL
 		cfg.Options.ClientSecret = "CLIENT_SECRET_1"
 		cfg.Options.ClientID = "CLIENT_ID_1"
 		bearerTokenFormatIDPIdentityToken := BearerTokenFormatIDPIdentityToken
 		cfg.Options.BearerTokenFormat = &bearerTokenFormatIDPIdentityToken
 		route := &Policy{}
 		route.IDPClientSecret = "CLIENT_SECRET_2"
 		route.IDPClientID = "CLIENT_ID_2"
 		req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://www.example.com", nil)
 		require.NoError(t, err)
-		req.Header.Set(httputil.HeaderPomeriumIDPIdentityToken, "IDENTITY_TOKEN")
+		req.Header.Set("Authorization", "Bearer IDENTITY_TOKEN")
 		c := NewIncomingIDPTokenSessionCreator(
 			func(_ context.Context, _, _ string) (*databroker.Record, error) {
 				return nil, storage.ErrNotFound
--- a/internal/httputil/headers.go
+++ b/internal/httputil/headers.go
@ -22,8 +22,6 @@ const (
 	// can be used in place of the standard authorization header if that header is being
 	// used by upstream applications.
 	HeaderPomeriumAuthorization = "x-pomerium-authorization"
 	HeaderPomeriumIDPAccessToken   = "x-pomerium-idp-access-token"   //nolint: gosec
 	HeaderPomeriumIDPIdentityToken = "x-pomerium-idp-identity-token" //nolint: gosec
 	// HeaderPomeriumResponse is set when pomerium itself creates a response,
 	// as opposed to the upstream application and can be used to distinguish
 	// between an application error, and a pomerium related error when debugging.
--- a/proxy/data_test.go
+++ b/proxy/data_test.go
@ -17,7 +17,6 @@ import (
 	"github.com/pomerium/datasource/pkg/directory"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/databroker"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/testutil"
 	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
@ -47,7 +46,7 @@ func Test_getUserInfoData(t *testing.T) {
 		proxy.state.Load().dataBrokerClient = client
 		r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
-		r.Header.Set(httputil.HeaderPomeriumIDPAccessToken, "ACCESS_TOKEN")
+		r.Header.Set("Authorization", "Bearer ACCESS_TOKEN")
 		data := proxy.getUserInfoData(r)
 		assert.NotNil(t, data.Session)
 		assert.NotNil(t, data.User)
--- a/proxy/proxy_test.go
+++ b/proxy/proxy_test.go
@ -30,6 +30,8 @@ func testOptions(t *testing.T) *config.Options {
 	opts.Services = config.ServiceAll
 	opts.SharedKey = "80ldlrU2d7w+wVpKNfevk6fmb8otEx6CqOfshj2LwhQ="
 	opts.CookieSecret = "OromP1gurwGWjQPYb1nNgSxtbVB5NnLzX6z5WOKr0Yw="
 	bearerTokenFormatIDPAccessToken := config.BearerTokenFormatIDPAccessToken
 	opts.BearerTokenFormat = &bearerTokenFormatIDPAccessToken
 	hpkePrivateKey, err := opts.GetHPKEPrivateKey()
 	require.NoError(t, err)