Bearer Token Format | Pomerium

Bearer Token Format

Summary

Bearer Token Format controls how Pomerium handles HTTP bearer token authentication. There are three possible values: default, idp_access_token and idp_identity_token.

HTTP bearer tokens are tokens sent in the Authorization header using the Bearer scheme, i.e. the word Bearer followed by a single space and the token:

GET / HTTP/1.1
Authorization: Bearer Token

Pomerium's default behavior is to pass bearer tokens through to upstream applications without interpreting them. Pomerium can also create a session from a token issued by an identity provider, without initiating an interactive login. With the idp_access_token option, the bearer token is interpreted as an IdP-issued access token. With the idp_identity_token option, the bearer token is interpreted as an IdP-issued identity (ID) token.

Currently only Microsoft Entra is supported as the identity provider for the idp_access_token and idp_identity_token options.

This option can also be configured at the route level, so a single route can accept IdP-issued tokens while the rest of the deployment keeps the default pass-through behavior.

How to Configure

Config file key       Environment variable   Type     Default
bearer_token_format   BEARER_TOKEN_FORMAT    string   default

Examples

bearer_token_format: idp_access_token
BEARER_TOKEN_FORMAT=idp_access_token

Microsoft Entra

With bearer_token_format set to idp_access_token, the az CLI can be used to obtain an Entra access token and send it as a bearer token. The Bearer prefix is required; a header containing only the raw token does not match the bearer token format shown above:

curl -H "Authorization: Bearer $(az account get-access-token --query accessToken --output tsv)" https://example.localhost.pomerium.io
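The one-liner above gives no feedback when the token is empty, malformed or already expired: Pomerium simply rejects the request. The following shell helpers, added here as an example and not part of Pomerium or the az CLI, build the Authorization header with the required Bearer prefix, reject tokens that would corrupt the header, and decode the token's payload (without verifying its signature) so the aud and exp claims can be inspected before the request is sent. The token SAMPLE_TOKEN is a constructed, unsigned JWT with payload {"aud":"x","exp":1} used only to exercise the helpers offline; POMERIUM_URL is an assumed environment variable naming the route to call.

```shell
#!/bin/sh
# Added example: helpers for sending an Entra access token to a Pomerium
# route configured with bearer_token_format: idp_access_token.

# Constructed sample JWT (header {"alg":"none"}, payload {"aud":"x","exp":1},
# empty signature). Exists only so the helpers can be exercised offline.
SAMPLE_TOKEN='eyJhbGciOiJub25lIn0.eyJhdWQiOiJ4IiwiZXhwIjoxfQ.'

# Print the header Pomerium expects: "Authorization: Bearer <token>".
# Rejects an empty token and any token containing whitespace, because a
# stray space or newline would split the header value.
bearer_header() {
  token=$1
  [ -n "$token" ] || { echo "empty token" >&2; return 1; }
  stripped=$(printf '%s' "$token" | tr -d '[:space:]')
  [ "$stripped" = "$token" ] || { echo "token contains whitespace" >&2; return 1; }
  printf 'Authorization: Bearer %s' "$token"
}

# Decode the JWT payload (second dot-separated segment) without checking the
# signature. JWTs use base64url: '-' and '_' instead of '+' and '/', and no
# '=' padding, so both are restored before calling base64.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Succeed (exit 0) when the token's exp claim is missing or in the past;
# such a token will be rejected, so there is no point sending it.
jwt_is_expired() {
  exp=$(jwt_payload "$1" | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p')
  [ -z "$exp" ] || [ "$exp" -le "$(date +%s)" ]
}

# Real flow: fetch a token with az, check it, call the route. Only runs when
# POMERIUM_URL (assumed name) is set, so the helpers can be sourced safely.
if [ -n "${POMERIUM_URL:-}" ]; then
  token=$(az account get-access-token --query accessToken --output tsv)
  echo "token claims: $(jwt_payload "$token")" >&2
  if jwt_is_expired "$token"; then
    echo "token already expired, refresh it before retrying" >&2
    exit 1
  fi
  curl -sS -o /dev/null -w '%{http_code}\n' \
    -H "$(bearer_header "$token")" "$POMERIUM_URL"
fi
```

Printing the decoded claims is also a quick way to tell an access token from an ID token before choosing between idp_access_token and idp_identity_token: the two have different audiences and are not interchangeable.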

Options

  • default: Pass bearer tokens to upstream applications without interpreting them.
  • idp_access_token: The bearer token will be interpreted as an IdP-issued access token.
  • idp_identity_token: The bearer token will be interpreted as an IdP-issued identity token.