authenticate: add verify endpoints

authenticate/handlers.go

@@ -43,6 +43,16 @@ func (a *Authenticate) Handler() http.Handler {
 func (a *Authenticate) Mount(r *mux.Router) {
 	r.StrictSlash(true)
 	r.Use(middleware.SetHeaders(httputil.HeadersContentSecurityPolicy))
+	// disable csrf checking for these endpoints
+	r.Use(func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path == "/.pomerium/verify-access-token" ||
+				r.URL.Path == "/.pomerium/verify-identity-token" {
+				r = csrf.UnsafeSkipCheck(r)
+			}
+			h.ServeHTTP(w, r)
+		})
+	})
 	r.Use(func(h http.Handler) http.Handler {
 		options := a.options.Load()
 		state := a.state.Load()
@@ -95,6 +105,8 @@ func (a *Authenticate) mountDashboard(r *mux.Router) {
 	// routes that don't need a session:
 	sr.Path("/sign_out").Handler(httputil.HandlerFunc(a.SignOut))
 	sr.Path("/signed_out").Handler(httputil.HandlerFunc(a.signedOut)).Methods(http.MethodGet)
+	sr.Path("/verify-access-token").Handler(httputil.HandlerFunc(a.verifyAccessToken)).Methods(http.MethodPost)
+	sr.Path("/verify-identity-token").Handler(httputil.HandlerFunc(a.verifyIdentityToken)).Methods(http.MethodPost)
 
 	// routes that need a session:
 	sr = sr.NewRoute().Subrouter()

authenticate/handlers_verify.go

@@ -0,0 +1,90 @@
+package authenticate
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/log"
+)
+
+type VerifyAccessTokenRequest struct {
+	AccessToken        string `json:"accessToken"`
+	IdentityProviderID string `json:"identityProviderId,omitempty"`
+}
+
+type VerifyIdentityTokenRequest struct {
+	IdentityToken      string `json:"identityToken"`
+	IdentityProviderID string `json:"identityProviderId,omitempty"`
+}
+
+type VerifyTokenResponse struct {
+	Valid  bool           `json:"valid"`
+	Claims map[string]any `json:"claims,omitempty"`
+}
+
+func (a *Authenticate) verifyAccessToken(w http.ResponseWriter, r *http.Request) error {
+	var req VerifyAccessTokenRequest
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		return httputil.NewError(http.StatusBadRequest, err)
+	}
+
+	authenticator, err := a.cfg.getIdentityProvider(r.Context(), a.tracerProvider, a.options.Load(), req.IdentityProviderID)
+	if err != nil {
+		return err
+	}
+
+	var res VerifyTokenResponse
+	claims, err := authenticator.VerifyAccessToken(r.Context(), req.AccessToken)
+	if err == nil {
+		res.Valid = true
+		res.Claims = claims
+	} else {
+		res.Valid = false
+		log.Ctx(r.Context()).Info().
+			Err(err).
+			Str("idp", authenticator.Name()).
+			Msg("access token failed verification")
+	}
+
+	err = json.NewEncoder(w).Encode(&res)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (a *Authenticate) verifyIdentityToken(w http.ResponseWriter, r *http.Request) error {
+	var req VerifyIdentityTokenRequest
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		return httputil.NewError(http.StatusBadRequest, err)
+	}
+
+	authenticator, err := a.cfg.getIdentityProvider(r.Context(), a.tracerProvider, a.options.Load(), req.IdentityProviderID)
+	if err != nil {
+		return err
+	}
+
+	var res VerifyTokenResponse
+	claims, err := authenticator.VerifyIdentityToken(r.Context(), req.IdentityToken)
+	if err == nil {
+		res.Valid = true
+		res.Claims = claims
+	} else {
+		res.Valid = false
+		log.Ctx(r.Context()).Info().
+			Err(err).
+			Str("idp", authenticator.Name()).
+			Msg("identity token failed verification")
+	}
+
+	err = json.NewEncoder(w).Encode(&res)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}