authorize: add support for logging id token

[calebdoxsey]

Summary

Add support for logging the id token. When this field is included in the logs the raw id token will be logged to id-token and the decoded claims to id-token-claims.

Related issues

• logging: add option to add a user's id_token to the authorization log #4376

Checklist

• reference any related issues
• updated docs
• updated unit tests
• updated UPGRADING.md
• add appropriate tag (improvement / bug / etc)
• ready for review

[coveralls]

coverage: 63.644% (+0.04%) from 63.6% when pulling 2b9dc24 on cdoxsey/log-tokens into baf8918 on main.

[kenjenkins]

(optional)

I wonder if it would make sense to allow the user to choose between just the raw ID token or just the decoded claims. Should we add an explicit AuthorizeLogFieldIDTokenClaims as well here?

[calebdoxsey]

The requirements stated that both should be logged

We should pass the user's most recent encoded AND base64 decoded id_token as part of the request.

Though maybe I misunderstood what was being asked for.

[kenjenkins]

(no changes required)

Do we already verify the ID token signature somewhere else, and that's why it's fine to fine to call UnsafeClaimsWithoutVerification() here?

[calebdoxsey]

I don't know about the security ramifications of this. Verifying the signature of the ID token against the configured identity provider would be difficult to implement here (and also likely very slow)

[kenjenkins]

It looks like there's some verification related to ID tokens here:

pomerium/internal/identity/oidc/oidc.go

Line 225 in baf8918

return v.Verify(ctx, rawIDToken)

Do you know if all ID tokens come from that getIDToken() method?

[calebdoxsey]

The ID token comes from the identity provider and is saved to the session.