
Direct Identity Provider Token Authentication

April 1, 2025

Building on Pomerium’s authentication capabilities, v0.29.0 introduces the ability to forward downstream Identity Provider (Entra, OIDC, etc.) tokens directly to upstream services. In short, you can now optionally have Pomerium authenticate to your APIs and applications using the original IdP-issued token (such as an OAuth access token or OpenID Connect ID token) instead of Pomerium’s JWT. Why is this useful?

  • Seamless backend integration – If your upstream service or API expects an IdP’s bearer token, Pomerium can provide it. Your apps can verify the token as if the user logged in directly, enabling out-of-the-box compatibility with systems that already know how to handle your IdP tokens.

  • Configurable per route – You can toggle this behavior on routes that need it. For example, for an API service that performs its own token introspection with the IdP, simply enable “IdP token pass-through” and Pomerium will pass along the user’s access token in the Authorization header.

  • No custom glue code – This eliminates the need for awkward workarounds or custom middleware. Pomerium handles the secure exchange with the IdP, then transparently forwards the token upstream.

  • Keeps zero-trust principles – Pomerium still gatekeeps the initial authentication and authorization. The IdP token is only forwarded after Pomerium has verified and allowed the request. You get the convenience of direct IdP token use without exposing unsecured endpoints.

This feature is perfect for service-to-service scenarios and integrations where Pomerium acts as an authentication broker, simplifying access to APIs.

© 2025 Pomerium. All rights reserved