Modify the token type towards argo-workflow


What happened?

I’m trying to use Pomerium to redirect the token, once I authenticate through my issuer, to the argo-workflow UI, which supports Token authentication and SSO login. Unfortunately it doesn’t work, because I’m getting an error on the argo-workflow UI saying that the Token is not recognized.
What I see in the Inspector panel in Chrome is that the token generated by the login of the argo-workflow UI starts with Token Bearer v2 and is not the same as the one from Pomerium. I tried to decode it but without success.
The only info that I have from this token via the argo-workflow UI is that the algorithm and token type are:

"alg": "RSA-OAEP-256",
"enc": "A256GCM",
"zip": "DEF"

This is how I “pass” the headers towards the argo-workflow UI:

annotations: "true" "true"
ingressClassName: "pomerium"

Here is the token value as argo-workflow sets it:

Starting with "Bearer v2:eyJhbG … " < 602 characters with the double quotes

while the pomerium token that is given:

eyJhb … < 555 characters

My question: is there any way to force Pomerium to “pass” the headers the way the argo-workflow UI would like them? Behind it there is JavaScript that handles the login page, as I saw. This might be part of the issue (I’m guessing).

Many thanks in advance for your feedback, and let me know if I can provide more details in order to solve this mystery.

Hi Daniel,

It is not possible in Pomerium to change the format of the assertion header set by pass_identity_headers.

I am not familiar with Argo’s token format. v2:... does not appear to be a valid JWT.

It is possible to set a request header with Headers Settings | Pomerium. This option supports some dynamic values which may work for your needs: Headers Settings | Pomerium. Maybe v2:${pomerium.access_token}?
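
The header fields quoted in the question (alg RSA-OAEP-256, enc A256GCM, zip DEF) are JWE parameters, meaning the payload is encrypted rather than only signed. The added example below, which is not part of the thread and is not Pomerium or Argo code, classifies a bearer value from the parts that are readable without any key. Both sample tokens are constructed, and the ES256 header on the signed one is an assumption.

```python
import base64
import json

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def classify_token(header_value):
    """Describe a bearer credential using only what is readable without keys."""
    value = header_value.strip().strip('"')
    scheme = prefix = claims = None
    if value.lower().startswith("bearer "):
        scheme, value = "Bearer", value[7:].strip()
    head, sep, rest = value.partition(":")
    if sep and "." not in head:  # e.g. "v2:" in front of the compact token
        prefix, value = head, rest
    segments = value.split(".")
    try:
        header = json.loads(b64url_decode(segments[0]))
        if not isinstance(header, dict):
            raise ValueError("protected header is not a JSON object")
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return {"scheme": scheme, "prefix": prefix, "kind": "opaque",
                "header": None, "claims": None}
    kind = "unknown"
    if len(segments) == 5 and "enc" in header:
        kind = "JWE"  # payload is ciphertext, unreadable without the recipient key
    elif len(segments) == 3:
        kind = "JWS"  # payload is signed only, so the claims can be read
        try:
            claims = json.loads(b64url_decode(segments[1]))
        except ValueError:
            claims = None
    return {"scheme": scheme, "prefix": prefix, "kind": kind,
            "header": header, "claims": claims}

def compact(header, *parts):
    encoded = [b64url_encode(json.dumps(header).encode())]
    return ".".join(encoded + [b64url_encode(p) for p in parts])

# Constructed samples, not real tokens; segments after the header are dummy bytes.
# The JWE header is the one quoted in the question.
ARGO_STYLE = '"Bearer v2:' + compact(
    {"alg": "RSA-OAEP-256", "enc": "A256GCM", "zip": "DEF"},
    b"wrapped-key", b"iv", b"ciphertext", b"tag") + '"'
SIGNED_JWT = compact({"alg": "ES256", "typ": "JWT"},  # ES256 is an assumption
                     json.dumps({"sub": "user@example.com"}).encode(), b"sig")
```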

Hello there,

Sorry for the late reply. Thank you for the option provided. I’ve tried it on my side but unfortunately it doesn’t work. What I saw is that, once I have the token from the issuer, argo-workflow requires a re-login or a token bearer authorization, which is therefore generated and won’t use the same token.
I’m not sure if it’s possible to do something about it, but thanks for the help. Appreciated!

My understanding of Access Token - Argo Workflows - The workflow engine for Kubernetes is that those Argo tokens are static, meaning they are generated once and we just need to provide them in the Authorization: Bearer xxxxx header for each request.

As you seem to be using pomerium ingress controller, you can add the following annotation:

annotations: |
  Authorization: Bearer xxxxxxxx

P.S. we also support referencing a secret via but you may test first with just the regular set headers.

Yep. I tried this and indeed it is working, but it is not what I want to achieve, because each of our clients has its own Authorization Bearer token, generated once they log in with SSO on the argo-workflow UI.

Using this method of a static Bearer token would be like a “global” admin where everyone has access to everything.
What I wanted to do with Pomerium, once I log in to our issuers, is to pass the token to argo (which, based on the logs in the browser developer mode, it does), but it’s not possible to also generate the Bearer token with it. argo wants to log in to the issuer again in order to generate the Bearer token.

Sorry for the late reply and thank you again for your support!