From e646afac0c0856065081e6674bc55762b75ea65d Mon Sep 17 00:00:00 2001 From: RJ Beers Date: Wed, 22 Jan 2025 09:43:50 -0500 Subject: [PATCH 1/4] Fix sidebar capitalization and typo --- content/docs/capabilities/getting-users-identity.mdx | 12 ++++++------ content/docs/deploy/cloud/_category_.json | 3 +++ 2 files changed, 9 insertions(+), 6 deletions(-) create mode 100644 content/docs/deploy/cloud/_category_.json diff --git a/content/docs/capabilities/getting-users-identity.mdx b/content/docs/capabilities/getting-users-identity.mdx index af50d3428..7bdaed668 100644 --- a/content/docs/capabilities/getting-users-identity.mdx +++ b/content/docs/capabilities/getting-users-identity.mdx @@ -1,9 +1,9 @@ --- # cSpell:ignore ecparam genkey noout pubout secp256r1 QCN7adG2AmIK3UdHJvVJkldsUc6XeBRz83Z4rXX8Va4 ary66nrvA55TpaiWADq8b3O1CYIbvjqIHpXCY envoyproxy Jklds Tpai Ibvjq Lamda -title: Continious Identity Verification at the Application Layer +title: Continuous Identity Verification at the Application Layer description: Learn how Pomerium uses JWTs for identity and context verification, how it fits into a zero trust environment, and four ways to validate the JWT in your upstream service. -sidebar_label: Continious Identity Verification +sidebar_label: Continuous Identity Verification keywords: - jwt - jwt authentication 
@@ -54,13 +54,13 @@ This article explains **why** identity & context verification at the application ![A diagram that shows how Pomerium forwards JWTs to an upstream application](./img/jwt-authn/jwt-authentication.svg) -1. **User authenticates** +1. **User authenticates** Pomerium redirects the user to your OIDC-compliant identity provider (IdP). -2. **Pomerium issues a signed JWT** +2. **Pomerium issues a signed JWT** After the user is authenticated, Pomerium mints a **new** JWT. -3. **JWT assertion header** +3. **JWT assertion header** The JWT goes in the `X-Pomerium-Jwt-Assertion` header, following [RFC7519](https://datatracker.ietf.org/doc/html/rfc7519) encoding. -4. **Upstream service verifies** +4. **Upstream service verifies** Your application (or a helper process) confirms the JWT's signature, audience, issuer, and timestamps. If everything checks out, your service can trust the identity data in the token for additional authorization or logging. diff --git a/content/docs/deploy/cloud/_category_.json b/content/docs/deploy/cloud/_category_.json new file mode 100644 index 000000000..1678dab9d --- /dev/null +++ b/content/docs/deploy/cloud/_category_.json @@ -0,0 +1,3 @@ +{ + "label": "Cloud" +} From 84805decab9befee7aa5fc9154c0d16d028b6d18 Mon Sep 17 00:00:00 2001 From: RJ Beers Date: Wed, 22 Jan 2025 09:49:04 -0500 Subject: [PATCH 2/4] prettier --- content/docs/capabilities/getting-users-identity.mdx | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/content/docs/capabilities/getting-users-identity.mdx b/content/docs/capabilities/getting-users-identity.mdx index 7bdaed668..74ec40b81 100644 --- a/content/docs/capabilities/getting-users-identity.mdx +++ b/content/docs/capabilities/getting-users-identity.mdx 
@@ -54,14 +54,10 @@ This article explains **why** identity & context verification at the application ![A diagram that shows how Pomerium forwards JWTs to an upstream application](./img/jwt-authn/jwt-authentication.svg) -1. **User authenticates** - Pomerium redirects the user to your OIDC-compliant identity provider (IdP). -2. **Pomerium issues a signed JWT** - After the user is authenticated, Pomerium mints a **new** JWT. -3. **JWT assertion header** - The JWT goes in the `X-Pomerium-Jwt-Assertion` header, following [RFC7519](https://datatracker.ietf.org/doc/html/rfc7519) encoding. -4. **Upstream service verifies** - Your application (or a helper process) confirms the JWT's signature, audience, issuer, and timestamps. +1. **User authenticates** Pomerium redirects the user to your OIDC-compliant identity provider (IdP). +2. **Pomerium issues a signed JWT** After the user is authenticated, Pomerium mints a **new** JWT. +3. **JWT assertion header** The JWT goes in the `X-Pomerium-Jwt-Assertion` header, following [RFC7519](https://datatracker.ietf.org/doc/html/rfc7519) encoding. +4. **Upstream service verifies** Your application (or a helper process) confirms the JWT's signature, audience, issuer, and timestamps. If everything checks out, your service can trust the identity data in the token for additional authorization or logging. From 8dfc4fe7f8571082019cc715e9b118ddde2c3603 Mon Sep 17 00:00:00 2001 From: RJ Beers Date: Wed, 22 Jan 2025 09:54:40 -0500 Subject: [PATCH 3/4] prettier --- .../docs/capabilities/getting-users-identity.mdx | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/content/docs/capabilities/getting-users-identity.mdx b/content/docs/capabilities/getting-users-identity.mdx index 74ec40b81..af50d3428 100644 --- a/content/docs/capabilities/getting-users-identity.mdx +++ b/content/docs/capabilities/getting-users-identity.mdx 
@@ -1,9 +1,9 @@ --- # cSpell:ignore ecparam genkey noout pubout secp256r1 QCN7adG2AmIK3UdHJvVJkldsUc6XeBRz83Z4rXX8Va4 ary66nrvA55TpaiWADq8b3O1CYIbvjqIHpXCY envoyproxy Jklds Tpai Ibvjq Lamda -title: Continuous Identity Verification at the Application Layer +title: Continious Identity Verification at the Application Layer description: Learn how Pomerium uses JWTs for identity and context verification, how it fits into a zero trust environment, and four ways to validate the JWT in your upstream service. -sidebar_label: Continuous Identity Verification +sidebar_label: Continious Identity Verification keywords: - jwt - jwt authentication @@ -54,10 +54,14 @@ This article explains **why** identity & context verification at the application ![A diagram that shows how Pomerium forwards JWTs to an upstream application](./img/jwt-authn/jwt-authentication.svg) -1. **User authenticates** Pomerium redirects the user to your OIDC-compliant identity provider (IdP). -2. **Pomerium issues a signed JWT** After the user is authenticated, Pomerium mints a **new** JWT. -3. **JWT assertion header** The JWT goes in the `X-Pomerium-Jwt-Assertion` header, following [RFC7519](https://datatracker.ietf.org/doc/html/rfc7519) encoding. -4. **Upstream service verifies** Your application (or a helper process) confirms the JWT's signature, audience, issuer, and timestamps. +1. **User authenticates** + Pomerium redirects the user to your OIDC-compliant identity provider (IdP). +2. **Pomerium issues a signed JWT** + After the user is authenticated, Pomerium mints a **new** JWT. +3. **JWT assertion header** + The JWT goes in the `X-Pomerium-Jwt-Assertion` header, following [RFC7519](https://datatracker.ietf.org/doc/html/rfc7519) encoding. +4. **Upstream service verifies** + Your application (or a helper process) confirms the JWT's signature, audience, issuer, and timestamps. If everything checks out, your service can trust the identity data in the token for additional authorization or logging. 
From fa3911efab6c261005f6d971939ea31b57e244c3 Mon Sep 17 00:00:00 2001 From: RJ Beers Date: Wed, 22 Jan 2025 09:58:10 -0500 Subject: [PATCH 4/4] remake the actual change lol --- content/docs/capabilities/getting-users-identity.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/docs/capabilities/getting-users-identity.mdx b/content/docs/capabilities/getting-users-identity.mdx index af50d3428..086f2a942 100644 --- a/content/docs/capabilities/getting-users-identity.mdx +++ b/content/docs/capabilities/getting-users-identity.mdx @@ -1,9 +1,9 @@ --- # cSpell:ignore ecparam genkey noout pubout secp256r1 QCN7adG2AmIK3UdHJvVJkldsUc6XeBRz83Z4rXX8Va4 ary66nrvA55TpaiWADq8b3O1CYIbvjqIHpXCY envoyproxy Jklds Tpai Ibvjq Lamda -title: Continious Identity Verification at the Application Layer +title: Continuous Identity Verification at the Application Layer description: Learn how Pomerium uses JWTs for identity and context verification, how it fits into a zero trust environment, and four ways to validate the JWT in your upstream service. -sidebar_label: Continious Identity Verification +sidebar_label: Continuous Identity Verification keywords: - jwt - jwt authentication
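Review bot: in PATCH 1/4, the four changed step lines in the `@@ -54,13 +54,13 @@` hunk of getting-users-identity.mdx differ from their originals only by trailing whitespace after the bold step title, which has nothing to do with the stated subject "Fix sidebar capitalization and typo" and is then reverted in PATCH 2/4 and re-added in PATCH 3/4; drop this hunk from the commit (or squash the series) so the whitespace churn does not land in history, and leave the formatter's decision to one dedicated commit.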
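Review bot: the PATCH 1/4 subject "Fix sidebar capitalization and typo" does not mention that its third hunk creates content/docs/deploy/cloud/_category_.json, and that new file (`"label": "Cloud"`) is the change that actually sets the sidebar capitalization; name the new category file in the subject or body (for example "add deploy/cloud/_category_.json so the section is labelled Cloud") so the intent is recoverable from the log without opening the diff.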
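Review bot: in PATCH 2/4, the `@@ -54,14 +54,10 @@` hunk joins each step's description onto the same line as its bold title, which changes how the list renders (title and description no longer sit on separate lines) rather than only whitespace, and the subject "prettier" does not say whether that rendering change is intended; state the intent in the message and settle on one form, instead of flipping it back in PATCH 3/4.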
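Review bot: in PATCH 3/4, the `@@ -1,9 +1,9 @@` hunk reintroduces the misspelling "Continious" in both `title` and `sidebar_label`, undoing PATCH 1/4, and the second hunk undoes PATCH 2/4's list change, so the file ends at index af50d3428, its pre-series blob, under a subject that still reads "prettier"; squash PATCH 1/4 through 4/4 into a single commit whose net diff is the typo fix plus the new _category_.json, so that no intermediate commit regresses the title and the messages describe the change that actually lands.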
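Review bot: in PATCH 4/4, the `# cSpell:ignore` context line carried through the frontmatter hunk lists "Lamda", which reads like a misspelling of "Lambda" being suppressed rather than fixed; since this commit already corrects "Continious" to "Continuous" in `title` and `sidebar_label`, check whether the body's "Lamda" should be corrected too and removed from the ignore list in the same change.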