docs(bearer-tokens): machine-to-machine access with bearer tokens & JWTs#2279
Draft
wasaga wants to merge 3 commits into
Draft
docs(bearer-tokens): machine-to-machine access with bearer tokens & JWTs#2279wasaga wants to merge 3 commits into
wasaga wants to merge 3 commits into
Conversation
…okens & JWTs Add a cohesive capabilities page introducing how clients present an Authorization: Bearer token to Pomerium to reach upstreams without an interactive sign-in, covering all four bearer_token_format modes (default, idp_access_token, idp_identity_token, jwt) as a single feature. - New capabilities page with Kubernetes service account example - New reference pages for jwt_allowed_issuers and jwt_allowed_audiences - Document the new jwt option on the bearer-token-format reference - Register the capabilities page in the sidebar
✅ Deploy Preview for pomerium-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Reduce emphasis to structural labels, thin em-dashes, de-bold inline HTTP status codes, and recast the two parallel no-X-no-Y-no-Z fragments. Prose-only; no content or link changes.
The JWT bearer-token feature shipped with a consolidated identity_providers
map rather than the flat jwt_allowed_issuers + jwt_allowed_audiences settings
these pages originally documented. Rewrite the pages to match:
- identity_providers is a map keyed by provider name; audiences are
per-provider (required, non-empty, fail-closed). Drop the old 'name' field.
- Routes select providers via an optional per-route identity_providers
allowlist; bearer_token_format: jwt remains the gate.
- Document the identity model: session idp_id = provider name, user id =
<provider-name>/<sub>, sub required, session TTL capped to
min(token exp, cookie_expire), raw JWT not persisted.
- supported_algs rejects none/HS*; JWKS TLS reuses the global
certificate_authority_file.
Replace reference/jwt-allowed-issuers with reference/identity-providers
("JWT Identity Providers"), delete reference/jwt-allowed-audiences, and add
reference/routes/identity-providers for the per-route allowlist.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Authorization: Bearertoken to Pomerium to reach upstreams without an interactive sign-in. It presents all fourbearer_token_formatmodes (default,idp_access_token,idp_identity_token,jwt) as one feature, with Kubernetes service accounts as the headline example.jwt_allowed_issuersandjwt_allowed_audiences, and adds the newjwtoption to thebearer-token-formatreference.All technical claims were verified against the
core-accept-k8s-tokenbranch source, and the documented behaviors are backed by passing integration tests (authorize/jwt_bearer_int_test.go,authorize/jwt_bearer_k3s_int_test.go).yarn build(withonBrokenLinks: throw),format-check, andcspellall pass.Related
wasaga/poc-accept-k8s-token(JWT bearer / Kubernetes service account upstream access)AI disclosure
Claude Code (Opus 4.8) — researched the core branch, drafted all pages, and verified examples against source and integration tests. Reviewed by me.
Checklist