Modify the token type towards argo-workflow

Support
,
1

What happened?

I’m trying to use Pomerium in order to redirect the token once I authenticate through my issuer, towards to argo-workflow UI which supports Token authentication and SSO login. Unfortunately doesn’t work because I’m getting an error on the argo-workflow UI saying that the Token is not recognized.
What I see in the Inspector panel on Chrome is that the token generated by the Login of the argo-workflow UI is starting with Token Bearer v2 and is not the same as the one from Pomerium. I tried to decode it but without success.
The only info that I have from this token via argo-workflow UI is that the algorithm & token type are :

“alg”: “RSA-OAEP-256”,
“enc”: “A256GCM”,
“zip”: “DEF”

This is how I “pass” the headers towards the argo-workflow UI:

annotations:
  ingress.pomerium.io/allow_any_authenticated_user: "true"
  ingress.pomerium.io/pass_identity_headers: "true"
ingressClassName: "pomerium"

Here is the token value from the argo-workflow how is setting it up:

Starting with "Bearer v2:eyJhbG … " < 602 characters with the double quotes

while the pomerium token that is given:

eyJhb … < 555 characters

My question, is there any way to force pomerium to “pass” the headers as argo-workflow UI would like it? Behind there is a javascript that is handling the login page as I saw. This might part of the issue (I’m guessing)

Many thanks in advance for your feedback and let me know if I can provide more details in order to solve this mystery :slight_smile:

2

Hi Daniel,

It is not possible in Pomerium to change the format of the assertion header set by pass_identity_headers.

I am not familiar with Argo’s token format. v2:... does not appear to be a valid JWT.

It is possible to set a request header with Headers Settings | Pomerium. This option supports some dynamic values which may work for your needs: Headers Settings | Pomerium. Maybe v2:${pomerium.access_token}?

3

Hello there,

Sorry for the late reply. Thank you for the option provided. I’ve tried on my side but unfortunately doesn’t work. What I saw is that, once I have the token from the issuer, argo-workflow requires to re-login or provide a token bearer authorization which is therefore generated and won’t use the same token.
I’m not sure if it’s possible to do something about it, but thanks for the help. Appreciated!

4

My understanding of Access Token - Argo Workflows - The workflow engine for Kubernetes is those Argo tokens are static, meaning they are generated once and we just need provide them in the Authorization: Bearer xxxxx header for each request.

As you seem to be using pomerium ingress controller, you can add the following annotation:

annotations:
 ingress.pomerium.io/set_request_headers: |
  Authorization: Bearer xxxxxxxx

P.S. we also support referencing a secret via ingress.pomerium.io/set_request_headers_secret but you may test first with just the regular set headers.