config: remove set_authorization_header option (#4489)

Remove the deprecated set_authorization_header option entirely. Add an entry to the removedConfigFields map with a link to the relevant Upgrading page section.
2025-08-04 01:09:36 +02:00 · 2023-08-29 09:02:08 -07:00 · 2023-08-29 09:02:08 -07:00 · fd84075af1
commit fd84075af1
parent 5a4acc5cd3
8 changed files with 658 additions and 818 deletions
--- a/authorize/evaluator/headers_evaluator.go
+++ b/authorize/evaluator/headers_evaluator.go
@ -15,7 +15,6 @@ import (
 	"github.com/pomerium/pomerium/authorize/internal/store"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
-	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
 )

 // HeadersRequest is the input to the headers.rego script.
@ -27,8 +26,6 @@ type HeadersRequest struct {
 	ToAudience                                string                `json:"to_audience"`
 	Session                                   RequestSession        `json:"session"`
 	ClientCertificate                         ClientCertificateInfo `json:"client_certificate"`
-	PassAccessToken                           bool                  `json:"pass_access_token"`
-	PassIDToken                               bool                  `json:"pass_id_token"`
 	SetRequestHeaders                         map[string]string     `json:"set_request_headers"`
 }

@ -44,8 +41,6 @@ func NewHeadersRequestFromPolicy(policy *config.Policy, http RequestHTTP) *Heade
 		for _, wu := range policy.To {
 			input.ToAudience = "https://" + wu.URL.Hostname()
 		}
-		input.PassAccessToken = policy.GetSetAuthorizationHeader() == configpb.Route_ACCESS_TOKEN
-		input.PassIDToken = policy.GetSetAuthorizationHeader() == configpb.Route_ID_TOKEN
 		input.ClientCertificate = http.ClientCertificate
 		input.SetRequestHeaders = policy.SetRequestHeaders
 	}
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@ -142,42 +142,6 @@ func TestHeadersEvaluator(t *testing.T) {
 		assert.Equal(t, "n1", claims["name"], "should set name")
 	})

-	t.Run("access token", func(t *testing.T) {
-		output, err := eval(t,
-			[]proto.Message{
-				&session.Session{Id: "s1", OauthToken: &session.OAuthToken{
-					AccessToken: "ACCESS_TOKEN",
-				}},
-			},
-			&HeadersRequest{
-				Issuer:          "from.example.com",
-				ToAudience:      "to.example.com",
-				Session:         RequestSession{ID: "s1"},
-				PassAccessToken: true,
-			})
-		require.NoError(t, err)
-
-		assert.Equal(t, "Bearer ACCESS_TOKEN", output.Headers.Get("Authorization"))
-	})
-
-	t.Run("id token", func(t *testing.T) {
-		output, err := eval(t,
-			[]proto.Message{
-				&session.Session{Id: "s1", IdToken: &session.IDToken{
-					Raw: "ID_TOKEN",
-				}},
-			},
-			&HeadersRequest{
-				Issuer:      "from.example.com",
-				ToAudience:  "to.example.com",
-				Session:     RequestSession{ID: "s1"},
-				PassIDToken: true,
-			})
-		require.NoError(t, err)
-
-		assert.Equal(t, "Bearer ID_TOKEN", output.Headers.Get("Authorization"))
-	})
-
 	t.Run("set_request_headers", func(t *testing.T) {
 		output, err := eval(t,
 			[]proto.Message{
--- a/authorize/evaluator/opa/policy/headers.rego
+++ b/authorize/evaluator/opa/policy/headers.rego
@ -10,8 +10,6 @@ package pomerium.headers
 #   session:
 #     id: string
 #   to_audience: string
-#   pass_access_token: boolean
-#   pass_id_token: boolean
 #   set_request_headers: map[string]string
 #
 # data:
@ -195,16 +193,6 @@ routing_key_headers = h {
 	h := [["x-pomerium-routing-key", crypto.sha256(input.session.id)]]
 } else = []

-pass_access_token_headers = h {
-	input.pass_access_token
-	h := [["Authorization", concat(" ", ["Bearer", session.oauth_token.access_token])]]
-} else = []
-
-pass_id_token_headers = h {
-	input.pass_id_token
-	h := [["Authorization", concat(" ", ["Bearer", session.id_token.raw])]]
-} else = []
-
 session_id_token = v {
 	v := session.id_token.raw
 } else = ""
@ -250,11 +238,9 @@ identity_headers := {key: values |
 	h3 := kubernetes_headers
 	h4 := [[k, v] | v := google_cloud_serverless_headers[k]]
 	h5 := routing_key_headers
-	h6 := pass_access_token_headers
-	h7 := pass_id_token_headers
-	h8 := set_request_headers
+	h6 := set_request_headers

-	h := array.concat(array.concat(array.concat(array.concat(array.concat(array.concat(array.concat(h1, h2), h3), h4), h5), h6), h7), h8)
+	h := array.concat(array.concat(array.concat(array.concat(array.concat(h1, h2), h3), h4), h5), h6)

 	some i
 	[key, v1] := h[i]