I configured a ServiceAccount in Pomerium with an expiration date in the past. In the Pomerium Console, the token is reported as expired since X days ago.
I used this token to perform a call to an API on a route secured with Pomerium and the call was successful, Pomerium did not reject the expired token.
When accessing a SOAP API on a route secured with Pomerium without an authentication token, Pomerium answers with HTTP code “302 Found” and the location header set to the login page “https://pomerium.external/.pomerium/sign_in?pomerium_expiry=1660304994&pomerium_idp_id=&pomerium_issued=1660304694&pomerium_redirect_uri=&pomerium_signature=”
I noticed that for a GRAPHQL API, in the same situation, we get HTTP code “401Unauthorized” and no redirection. This is the best answer for an API call. It seems to be related to the request header “Accept”, for GRAPHQL it is set to “application/json” and for SOAP it is set to “application/soap+xml” or “application/xml”.
I expect Pomerium to deny access with an expired token.
I expect to get response “401Unauthorized” for my SOAP API endpoint. How can I get this behavior ?
We have a Kubernetes cluster using Traefik as Ingress Controller and Pomerium for forward auth. We have configured Pomerium to use Keycloak as idp.
- Pomerium version: 0.18.0
- Kubernetes version: 1.20.11
- Traefik version: 2.8.0
- Keycloak version: 15.0.1
address: :80 authenticate_service_url: https://pomerium-authenticate.external authorize_service_url: http://pomerium-authorize.internal databroker_service_url: http://pomerium-databroker.internal dns_lookup_family: V4_ONLY forward_auth_url: http://pomerium-proxy.internal idp_client_id: <hidden> idp_client_secret: <hidden> idp_provider: oidc idp_provider_url: https://keycloak.external insecure_server: true routes: - from: https://api.external pass_identity_headers: true policy: - allow: or: - domain: is: mydomain.com prefix: /services/api to: http://api.internal