-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
authorize: add support for logging id token #4392
Conversation
@@ -16,6 +16,7 @@ const ( | |||
AuthorizeLogFieldEmail AuthorizeLogField = "email" | |||
AuthorizeLogFieldHeaders = AuthorizeLogField(headersFieldName) | |||
AuthorizeLogFieldHost AuthorizeLogField = "host" | |||
AuthorizeLogFieldIDToken AuthorizeLogField = "id-token" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(optional)
I wonder if it would make sense to allow the user to choose between just the raw ID token or just the decoded claims. Should we add an explicit AuthorizeLogFieldIDTokenClaims
as well here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The requirements stated that both should be logged
We should pass the user's most recent encoded AND base64 decoded id_token as part of the request.
Though maybe I misunderstood what was being asked for.
if t, err := jwt.ParseSigned(s.GetIdToken().GetRaw()); err == nil { | ||
var m map[string]any | ||
_ = t.UnsafeClaimsWithoutVerification(&m) | ||
evt = evt.Interface("id-token-claims", m) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(no changes required)
Do we already verify the ID token signature somewhere else, and that's why it's fine to fine to call UnsafeClaimsWithoutVerification() here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know about the security ramifications of this. Verifying the signature of the ID token against the configured identity provider would be difficult to implement here (and also likely very slow)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like there's some verification related to ID tokens here:
pomerium/internal/identity/oidc/oidc.go
Line 225 in baf8918
return v.Verify(ctx, rawIDToken) |
Do you know if all ID tokens come from that getIDToken()
method?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ID token comes from the identity provider and is saved to the session.
Summary
Add support for logging the id token. When this field is included in the logs the raw id token will be logged to
id-token
and the decoded claims toid-token-claims
.Related issues
id_token
to the authorization log #4376Checklist
improvement
/bug
/ etc)