Skip to content

docs(bearer-tokens): machine-to-machine access with bearer tokens & JWTs#2279

Draft
wasaga wants to merge 3 commits into
mainfrom
wasaga/docs-jwt-access
Draft

docs(bearer-tokens): machine-to-machine access with bearer tokens & JWTs#2279
wasaga wants to merge 3 commits into
mainfrom
wasaga/docs-jwt-access

Conversation

@wasaga

@wasaga wasaga commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds a cohesive Machine-to-Machine Access with Bearer Tokens capabilities page introducing how non-interactive clients (services, CI jobs, Kubernetes workloads) present an Authorization: Bearer token to Pomerium to reach upstreams without an interactive sign-in. It presents all four bearer_token_format modes (default, idp_access_token, idp_identity_token, jwt) as one feature, with Kubernetes service accounts as the headline example.
  • Documents the previously-undocumented options: new reference pages for jwt_allowed_issuers and jwt_allowed_audiences, and adds the new jwt option to the bearer-token-format reference.
  • Registers the new capabilities page in the sidebar (after "Continuous Identity Verification").

All technical claims were verified against the core-accept-k8s-token branch source, and the documented behaviors are backed by passing integration tests (authorize/jwt_bearer_int_test.go, authorize/jwt_bearer_k3s_int_test.go). yarn build (with onBrokenLinks: throw), format-check, and cspell all pass.

Related

  • Docs for core branch wasaga/poc-accept-k8s-token (JWT bearer / Kubernetes service account upstream access)

AI disclosure

Claude Code (Opus 4.8) — researched the core branch, drafted all pages, and verified examples against source and integration tests. Reviewed by me.

Checklist

  • reference any related issues
  • updated docs
  • updated UPGRADING.md
  • updated CHANGELOG.md
  • disclosed AI usage (or wrote "none") per AI_POLICY.md

…okens & JWTs

Add a cohesive capabilities page introducing how clients present an
Authorization: Bearer token to Pomerium to reach upstreams without an
interactive sign-in, covering all four bearer_token_format modes
(default, idp_access_token, idp_identity_token, jwt) as a single feature.

- New capabilities page with Kubernetes service account example
- New reference pages for jwt_allowed_issuers and jwt_allowed_audiences
- Document the new jwt option on the bearer-token-format reference
- Register the capabilities page in the sidebar
@netlify

netlify Bot commented Jun 26, 2026

Copy link
Copy Markdown

Deploy Preview for pomerium-docs ready!

Name Link
🔨 Latest commit e072353
🔍 Latest deploy log https://app.netlify.com/projects/pomerium-docs/deploys/6a4e4ab4a814fe0008a88d36
😎 Deploy Preview https://deploy-preview-2279--pomerium-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

wasaga added 2 commits June 26, 2026 12:35
Reduce emphasis to structural labels, thin em-dashes, de-bold inline
HTTP status codes, and recast the two parallel no-X-no-Y-no-Z fragments.
Prose-only; no content or link changes.
The JWT bearer-token feature shipped with a consolidated identity_providers
map rather than the flat jwt_allowed_issuers + jwt_allowed_audiences settings
these pages originally documented. Rewrite the pages to match:

- identity_providers is a map keyed by provider name; audiences are
  per-provider (required, non-empty, fail-closed). Drop the old 'name' field.
- Routes select providers via an optional per-route identity_providers
  allowlist; bearer_token_format: jwt remains the gate.
- Document the identity model: session idp_id = provider name, user id =
  <provider-name>/<sub>, sub required, session TTL capped to
  min(token exp, cookie_expire), raw JWT not persisted.
- supported_algs rejects none/HS*; JWKS TLS reuses the global
  certificate_authority_file.

Replace reference/jwt-allowed-issuers with reference/identity-providers
("JWT Identity Providers"), delete reference/jwt-allowed-audiences, and add
reference/routes/identity-providers for the per-route allowlist.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant