config: remove set_authorization_header option

Remove the deprecated set_authorization_header option entirely. Add an
entry to the removedConfigFields map with a link to the relevant
Upgrading page section.

authorize/evaluator/headers_evaluator.go

@@ -15,7 +15,6 @@ import (
 	"github.com/pomerium/pomerium/authorize/internal/store"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
-	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
 )
 
 // HeadersRequest is the input to the headers.rego script.
@@ -27,8 +26,6 @@ type HeadersRequest struct {
 	ToAudience                                string                `json:"to_audience"`
 	Session                                   RequestSession        `json:"session"`
 	ClientCertificate                         ClientCertificateInfo `json:"client_certificate"`
-	PassAccessToken                           bool                  `json:"pass_access_token"`
-	PassIDToken                               bool                  `json:"pass_id_token"`
 	SetRequestHeaders                         map[string]string     `json:"set_request_headers"`
 }
 
@@ -44,8 +41,6 @@ func NewHeadersRequestFromPolicy(policy *config.Policy, http RequestHTTP) *Heade
 		for _, wu := range policy.To {
 			input.ToAudience = "https://" + wu.URL.Hostname()
 		}
-		input.PassAccessToken = policy.GetSetAuthorizationHeader() == configpb.Route_ACCESS_TOKEN
-		input.PassIDToken = policy.GetSetAuthorizationHeader() == configpb.Route_ID_TOKEN
 		input.ClientCertificate = http.ClientCertificate
 		input.SetRequestHeaders = policy.SetRequestHeaders
 	}

authorize/evaluator/headers_evaluator_test.go

@@ -142,42 +142,6 @@ func TestHeadersEvaluator(t *testing.T) {
 		assert.Equal(t, "n1", claims["name"], "should set name")
 	})
 
-	t.Run("access token", func(t *testing.T) {
-		output, err := eval(t,
-			[]proto.Message{
-				&session.Session{Id: "s1", OauthToken: &session.OAuthToken{
-					AccessToken: "ACCESS_TOKEN",
-				}},
-			},
-			&HeadersRequest{
-				Issuer:          "from.example.com",
-				ToAudience:      "to.example.com",
-				Session:         RequestSession{ID: "s1"},
-				PassAccessToken: true,
-			})
-		require.NoError(t, err)
-
-		assert.Equal(t, "Bearer ACCESS_TOKEN", output.Headers.Get("Authorization"))
-	})
-
-	t.Run("id token", func(t *testing.T) {
-		output, err := eval(t,
-			[]proto.Message{
-				&session.Session{Id: "s1", IdToken: &session.IDToken{
-					Raw: "ID_TOKEN",
-				}},
-			},
-			&HeadersRequest{
-				Issuer:      "from.example.com",
-				ToAudience:  "to.example.com",
-				Session:     RequestSession{ID: "s1"},
-				PassIDToken: true,
-			})
-		require.NoError(t, err)
-
-		assert.Equal(t, "Bearer ID_TOKEN", output.Headers.Get("Authorization"))
-	})
-
 	t.Run("set_request_headers", func(t *testing.T) {
 		output, err := eval(t,
 			[]proto.Message{

authorize/evaluator/opa/policy/headers.rego

@@ -10,8 +10,6 @@ package pomerium.headers
 #   session:
 #     id: string
 #   to_audience: string
-#   pass_access_token: boolean
-#   pass_id_token: boolean
 #   set_request_headers: map[string]string
 #
 # data:
@@ -195,16 +193,6 @@ routing_key_headers = h {
 	h := [["x-pomerium-routing-key", crypto.sha256(input.session.id)]]
 } else = []
 
-pass_access_token_headers = h {
-	input.pass_access_token
-	h := [["Authorization", concat(" ", ["Bearer", session.oauth_token.access_token])]]
-} else = []
-
-pass_id_token_headers = h {
-	input.pass_id_token
-	h := [["Authorization", concat(" ", ["Bearer", session.id_token.raw])]]
-} else = []
-
 session_id_token = v {
 	v := session.id_token.raw
 } else = ""
@@ -250,11 +238,9 @@ identity_headers := {key: values |
 	h3 := kubernetes_headers
 	h4 := [[k, v] | v := google_cloud_serverless_headers[k]]
 	h5 := routing_key_headers
-	h6 := pass_access_token_headers
+	h6 := set_request_headers
-	h7 := pass_id_token_headers
-	h8 := set_request_headers
 
-	h := array.concat(array.concat(array.concat(array.concat(array.concat(array.concat(array.concat(h1, h2), h3), h4), h5), h6), h7), h8)
+	h := array.concat(array.concat(array.concat(array.concat(array.concat(h1, h2), h3), h4), h5), h6)
 
 	some i
 	[key, v1] := h[i]

config/options_check.go

@@ -28,11 +28,12 @@ var reKeyPath = regexp.MustCompile(`\[\d+\]`)
 var (
 	// options that were deprecated in the config
 	removedConfigFields = map[string]string{
-		"idp_service_account":            "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
+		"idp_service_account":             "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
-		"idp_refresh_directory_timeout":  "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
+		"idp_refresh_directory_timeout":   "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
-		"idp_refresh_directory_interval": "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
+		"idp_refresh_directory_interval":  "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
-		"idp_qps":                        "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
+		"idp_qps":                         "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
-		"routes.allowed_groups":          "https://docs.pomerium.com/docs/overview/upgrading#idp-groups-policy",
+		"routes.allowed_groups":           "https://docs.pomerium.com/docs/overview/upgrading#idp-groups-policy",
+		"routes.set_authorization_header": "https://www.pomerium.com/docs/deploy/core/upgrading#set-authorization-header",
 	}
 
 	// mapstructure has issues with embedded protobuf structs that we should ignore

config/policy.go

@@ -119,10 +119,6 @@ type Policy struct {
 	// TLSUpstreamAllowRenegotiation allows server-initiated TLS renegotiation.
 	TLSUpstreamAllowRenegotiation bool `mapstructure:"tls_upstream_allow_renegotiation" yaml:"allow_renegotiation,omitempty"`
 
-	// SetAuthorizationHeader sets the authorization request header based on the user's identity. Supported modes are
-	// `pass_through`, `access_token` and `id_token`.
-	SetAuthorizationHeader string `mapstructure:"set_authorization_header" yaml:"set_authorization_header,omitempty"`
-
 	// SetRequestHeaders adds a collection of headers to the upstream request
 	// in the form of key value pairs. Note bene, this will overwrite the
 	// value of any existing value of a given header key.
@@ -256,7 +252,6 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
 		TLSClientKeyFile:                 pb.GetTlsClientKeyFile(),
 		TLSDownstreamClientCA:            pb.GetTlsDownstreamClientCa(),
 		TLSDownstreamClientCAFile:        pb.GetTlsDownstreamClientCaFile(),
-		SetAuthorizationHeader:           pb.GetSetAuthorizationHeader().String(),
 		SetRequestHeaders:                pb.GetSetRequestHeaders(),
 		RemoveRequestHeaders:             pb.GetRemoveRequestHeaders(),
 		PreserveHostHeader:               pb.GetPreserveHostHeader(),
@@ -384,7 +379,6 @@ func (p *Policy) ToProto() (*configpb.Route, error) {
 		RemoveRequestHeaders:             p.RemoveRequestHeaders,
 		PreserveHostHeader:               p.PreserveHostHeader,
 		PassIdentityHeaders:              p.PassIdentityHeaders,
-		SetAuthorizationHeader:           p.GetSetAuthorizationHeader(),
 		KubernetesServiceAccountToken:    p.KubernetesServiceAccountToken,
 		Policies:                         sps,
 		SetResponseHeaders:               p.SetResponseHeaders,
@@ -543,15 +537,6 @@ func (p *Policy) Validate() error {
 		p.compiledRegex, _ = regexp.Compile(rawRE)
 	}
 
-	if _, ok := configpb.Route_AuthorizationHeaderModeFromString(p.SetAuthorizationHeader); !ok && p.SetAuthorizationHeader != "" {
-		return fmt.Errorf("config: invalid policy set_authorization_header: %v", p.SetAuthorizationHeader)
-	}
-
-	if p.SetAuthorizationHeader != "" {
-		log.Warn(context.Background()).Msg("config: set_authorization_header is deprecated, " +
-			"use ${pomerium.id_token} or ${pomerium.access_token} in set_request_headers instead")
-	}
-
 	return nil
 }
 
@@ -674,12 +659,6 @@ func (p *Policy) AllAllowedUsers() []string {
 	return aus
 }
 
-// GetSetAuthorizationHeader gets the set authorization header mode.
-func (p *Policy) GetSetAuthorizationHeader() configpb.Route_AuthorizationHeaderMode {
-	mode, _ := configpb.Route_AuthorizationHeaderModeFromString(p.SetAuthorizationHeader)
-	return mode
-}
-
 type routeID struct {
 	From     string
 	To       []string

pkg/grpc/config/config.go

@@ -1,8 +1,6 @@
 // Package config contains protobuf definitions for config.
 package config
 
-import "strings"
-
 // IsSet returns true if one of the route redirect options has been chosen.
 func (rr *RouteRedirect) IsSet() bool {
 	if rr == nil {
@@ -18,9 +16,3 @@ func (rr *RouteRedirect) IsSet() bool {
 		rr.SchemeRedirect != nil ||
 		rr.HttpsRedirect != nil
 }
-
-// Route_AuthorizationHeaderModeFromString returns the Route_AuthorizationHeaderMode from a string.
-func Route_AuthorizationHeaderModeFromString(raw string) (Route_AuthorizationHeaderMode, bool) { //nolint
-	mode, ok := Route_AuthorizationHeaderMode_value[strings.ToUpper(raw)]
-	return Route_AuthorizationHeaderMode(mode), ok
-}

pkg/grpc/config/config.proto

@@ -34,12 +34,6 @@ message RouteRedirect {
 }
 
 message Route {
-  enum AuthorizationHeaderMode {
-    PASS_THROUGH = 0;
-    ACCESS_TOKEN = 1;
-    ID_TOKEN = 2;
-  }
-
   string name = 1;
 
   string from = 2;
@@ -96,7 +90,7 @@ message Route {
   repeated string remove_request_headers = 23;
   map<string, string> set_response_headers = 41;
   repeated RouteRewriteHeader rewrite_response_headers = 40;
-  AuthorizationHeaderMode set_authorization_header = 54;
+  // AuthorizationHeaderMode set_authorization_header = 54;
 
   bool preserve_host_header = 24;
   bool pass_identity_headers = 25;