Merge remote-tracking branch 'origin/main' into wasaga/terraform

Author: wasaga

content/docs/admonitions/_upgrade-versions.mdx

@@ -10,7 +10,6 @@ Below are upgrade notes for both **Pomerium Core** (the open-source edition) and
 
 import Tabs from '@theme/Tabs';
 import TabItem from '@theme/TabItem';
-import UpgradeNotice from '@site/content/docs/admonitions/_upgrade-versions.mdx';
 
 <Tabs>
 
@@ -278,13 +277,30 @@ No changes required.
 
 ## Upgrading Pomerium Enterprise
 
-Please review these deprecations and important changes for Pomerium Enterprise before upgrading.
+:::info
 
-:::caution
+Your Pomerium Enterprise version should always match the same **minor version number** as your Pomerium Core version. For example:  
+✅ Core **v0.27.0** with Enterprise **v0.27.3** is a supported configuration.  
+❌ Core **v0.27.0** with Enterprise **v0.28.0** is not supported.
 
-<UpgradeNotice />
 :::
 
+To **upgrade** a Pomerium Enterprise deployment, we recommend that you:
+
+1. Reach out to your account manager to let us know you are planning an upgrade, especially if upgrading across multiple minor versions at once.
+1. First review the version-specific upgrade notes on this page for **both** Pomerium Core and Pomerium Enterprise for any changes that might pertain to your deployment. (If you're not sure, please don't hesitate to reach out and ask for clarification.)
+1. Take a database backup of the Pomerium Enterprise database.
+1. Upgrade Pomerium Core to the new version. For a replicated deployment, instances can be updated one at a time to avoid downtime.
+1. Upgrade Pomerium Enterprise to the new version.
+1. Verify that your deployment continues to behave as expected.
+
+In case of trouble during the upgrade process, follow these steps to **roll back** to the previous version:
+
+1. Stop Pomerium Enterprise.
+1. Restore the Pomerium Enterprise database from a backup taken before the upgrade.
+1. Downgrade Pomerium Core to the previous version.
+1. Start the previous version of Pomerium Enterprise.
+
 ### v0.28.0
 
 No breaking changes in v0.28.

content/docs/deploy/upgrading.mdx

@@ -0,0 +1,89 @@
+---
+id: bearer-token-format
+title: Bearer Token Format
+description: |
+  Bearer token format controls how HTTP bearer token authentication is handled.
+keywords:
+  - reference
+  - Bearer Token Format
+pagination_prev: null
+pagination_next: null
+toc_max_heading_level: 2
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# Bearer Token Format
+
+## Summary
+
+**Bearer Token Format** controls how HTTP bearer token authentication is handled. There are 3 possible options: `default`, `idp_access_token` and `idp_identity_token`.
+
+HTTP bearer tokens are tokens stored in the `Authorization` header prefixed by `Bearer `:
+
+```text
+GET / HTTP/1.1
+Authorization: Bearer Token
+```
+
+Pomerium's `default` behavior is to pass bearer tokens to upstream applications without interpreting them. Pomerium also supports creating sessions from tokens issued by an identity provider without needing to initiate an interactive login. If the `idp_access_token` option is used, then the bearer token will be interpreted as an IdP-issued access token. If the `idp_identity_token` option is used, then the bearer token will be interpreted as an IdP-issued identity token.
+
+Currently only [Microsoft Entra](../integrations/user-identity/azure) is supported with this option.
+
+This option can also be configured at the route-level.
+
+## Additional Headers
+
+Pomerium also always supports passing IdP access and identity tokens via the following headers (replacing `<TOKEN>` with the issued token):
+
+- `X-Pomerium-IDP-Access-Token: <TOKEN>`
+- `Authorization: Pomerium-IDP-Access-Token <TOKEN>`
+- `Authorization: Bearer Pomerium-IDP-Access-Token-<TOKEN>`
+- `X-Pomerium-IDP-Identity-Token: <TOKEN>`
+- `Authorization: Pomerium-IDP-Identity-Token <TOKEN>`
+- `Authorization: Bearer Pomerium-IDP-Identity-Token-<TOKEN>`
+
+## How to Configure
+
+<Tabs>
+<TabItem value="Core" label="Core">
+
+| **Config file keys**  | **Environment variables** | **Type** | **Default** |
+| :-------------------- | :------------------------ | :------- | :---------- |
+| `bearer_token_format` | `BEARER_TOKEN_FORMAT`     | `string` | `default`   |
+
+### Examples
+
+```yaml
+bearer_token_format: idp_access_token
+```
+
+```bash
+BEARER_TOKEN_FORMAT=idp_access_token
+```
+
+### Options
+
+- `default`
+- `idp_access_token`
+- `idp_identity_token`
+
+</TabItem>
+<TabItem value="Enterprise" label="Enterprise">
+
+Set **Bearer Token Format** under **Proxy** settings in the Console:
+
+![Set bearer token format in the Console](./img/global-settings/bearer-token-format.png)
+
+</TabItem>
+<TabItem value="Kubernetes" label="Kubernetes">
+
+```yaml
+bearerTokenFormat: idp_access_token
+```
+
+See [Kubernetes - Global Configuration](/docs/deploy/k8s/configure) for more information.
+
+</TabItem>
+</Tabs>

content/docs/reference/bearer-token-format.mdx

@@ -0,0 +1,63 @@
+---
+id: idp-access-token-allowed-audiences
+title: IdP Access Token Allowed Audiences
+description: |
+  IdP access token allowed audiences controls how the audience claim of an incoming IdP-issued access token is validated.
+keywords:
+  - reference
+  - IdP Access Token Allowed Audiences
+pagination_prev: null
+pagination_next: null
+toc_max_heading_level: 2
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# IdP Access Token Allowed Audiences
+
+## Summary
+
+**IdP Access Token Allowed Audiences** controls how the audience claim of an incoming IdP-issued access token is validated.
+
+For [Microsoft Entra](../integrations/user-identity/azure) an access-token is a JWT with an audience claim. When the IdP Access Token Allowed Audiences option is set, the `aud` claim of the access token JWT must match one of the entries.
+
+This option can also be configured at the route-level.
+
+## How to Configure
+
+<Tabs>
+<TabItem value="Core" label="Core">
+
+| **Config file keys** | **Environment variables** | **Type** |
+| :-- | :-- | :-- |
+| `idp_access_token_allowed_audiences` | `IDP_ACCESS_TOKEN_ALLOWED_AUDIENCES` | Array of strings |
+
+### Examples
+
+```yaml
+idp_access_token_allowed_audiences:
+  - https://sts.windows.net/f42bce3b-671c-4162-b24c-00ecc7641897/
+  - https://login.microsoftonline.com/f42bce3b-671c-4162-b24c-00ecc7641897/
+```
+
+</TabItem>
+<TabItem value="Enterprise" label="Enterprise">
+
+Set **IdP Access Token Allowed Audiences** under **Authenticate** settings in the Console:
+
+![Set **IdP Access Token Allowed Audiences** in the Console](./img/global-settings/idp-access-token-allowed-audiences.png)
+
+</TabItem>
+<TabItem value="Kubernetes" label="Kubernetes">
+
+```yaml
+idpAccessTokenAllowedAudiences:
+  - https://sts.windows.net/f42bce3b-671c-4162-b24c-00ecc7641897/
+  - https://login.microsoftonline.com/f42bce3b-671c-4162-b24c-00ecc7641897/
+```
+
+See [Kubernetes - Global Configuration](/docs/deploy/k8s/configure) for more information.
+
+</TabItem>
+</Tabs>

content/docs/reference/idp-access-token-allowed-audiences.mdx

@@ -114,6 +114,15 @@
     "type": "string",
     "short_description": ""
   },
+  "bearer-token-format": {
+    "id": "bearer-token-format",
+    "title": "Bearer Token Format",
+    "path": "/bearer-token-format",
+    "services": ["authorize", "proxy"],
+    "type": "string",
+    "description": "Bearer Token Format controls how HTTP bearer token authentication is handled.",
+    "short_description": "Bearer Token Format controls how HTTP bearer token authentication is handled."
+  },
   "branding-settings": {
     "id": "branding",
     "title": "Branding Settings",
@@ -404,6 +413,15 @@
     "services": [],
     "type": ""
   },
+  "idp-access-token-allowed-audiences": {
+    "id": "idp-access-token-allowed-audiences",
+    "title": "IDP Access Token Allowed Audiences",
+    "path": "/idp-access-token-allowed-audiences",
+    "description": "IdP Access Token Allowed Audiences controls how the audience claim of an incoming IdP-issued access token is validated.",
+    "short_description": "IdP Access Token Allowed Audiences controls how the audience claim of an incoming IdP-issued access token is validated.",
+    "services": ["authenticate"],
+    "type": "string[]"
+  },
   "grpc-settings": {
     "id": "grpc-settings",
     "title": "gRPC Settings",

content/docs/reference/img/global-settings/bearer-token-format.png

@@ -160,14 +160,24 @@ https://docs.pomerium.io/* https://docs.pomerium.com/:splat 301!
 /docs/capabilities/rego /docs/internals/ppl#rego
 /docs/capabilities/self-hosted-authenticate-service /docs/capabilities/authentication#self-hosted-authenticate-service
 /docs/capabilities/single-sign-out /docs/capabilities/authentication#single-sign-out-sso
+/docs/capabilities/tcp /docs/capabilities/non-http/tcp
 /docs/capabilities/tcp/client /docs/capabilities/non-http/client
 /docs/capabilities/tcp/examples/git /docs/capabilities/non-http/examples/git
 /docs/capabilities/tcp/examples/mysql /docs/capabilities/non-http/examples/mysql
+/docs/capabilities/tcp/examples/rdp /docs/capabilities/non-http/examples/rdp
 /docs/capabilities/tcp/examples/ssh /docs/capabilities/non-http/examples/ssh
+/docs/capabilities/tcp/reference /docs/deploy/clients#connecting-via-pomerium-cli
 /docs/clients/pomerium-desktop /docs/deploy/clients
+/docs/community /docs#community
+/docs/community/ /docs#community
 /docs/community/security /docs/internals/security
+/docs/concepts/clusters /docs/internals/clusters
+/docs/concepts/device-identity /docs/integrations/device-context/device-identity
+/docs/concepts/mutual-auth /docs/internals/mutual-auth
+/docs/concepts/mutual-auth.html /docs/internals/mutual-auth
 /docs/concepts/policies /docs/capabilities/authorization
 /docs/concepts/zero-trust /docs/internals/zero-trust
+/docs/core/binary /docs/deploy/core#pre-built-binaries
 /docs/core/from-source /docs/deploy/core
 /docs/core/upgrading /docs/deploy/upgrading
 /docs/courses/fundamentals/jwt-verification /docs/get-started/fundamentals/core/jwt-verification
@@ -181,6 +191,7 @@ https://docs.pomerium.io/* https://docs.pomerium.com/:splat 301!
 /docs/enterprise/configure /docs/deploy/enterprise/configure
 /docs/enterprise/external-data/geoip /docs/integrations/request-context/geoip
 /docs/enterprise/external-data/ip-ranges /docs/integrations/request-context/ip-ranges
+/docs/enterprise/quickstart /docs/deploy/enterprise/quickstart
 /docs/get-started/fundamentals/advanced-policies /docs/get-started/fundamentals/core/advanced-policies
 /docs/get-started/fundamentals/advanced-policies.html /docs/get-started/fundamentals/core/advanced-policies
 /docs/get-started/fundamentals/advanced-routes /docs/get-started/fundamentals/core/advanced-routes
@@ -215,18 +226,23 @@ https://docs.pomerium.io/* https://docs.pomerium.com/:splat 301!
 /docs/get-started/fundamentals/zero-single-sign-on.html /docs/get-started/fundamentals/zero/zero-single-sign-on
 /docs/get-started/fundamentals/zero-tcp-routes /docs/get-started/fundamentals/zero/zero-tcp-routes
 /docs/get-started/fundamentals/zero-tcp-routes.html /docs/get-started/fundamentals/zero/zero-tcp-routes
+/docs/guides/cors /docs/internals/troubleshooting#cross-origin-configuration
 /docs/guides/jwt-verification-with-envoy /docs/capabilities/getting-users-identity
 /docs/guides/kubernetes.html /docs/deploy/k8s/quickstart
 /docs/guides/nginx https://0-20-0.docs.pomerium.com/docs/guides/nginx 301!
 /docs/guides/nginx.html https://0-20-0.docs.pomerium.com/docs/guides/nginx 301!
+/docs/guides/securing-tcp /docs/capabilities/non-http/tcp
 /docs/guides/upstream-mtls.html /docs/capabilities/mtls-services
 /docs/identity-providers /docs/integrations/user-identity/identity-providers
 /docs/identity-providers/apple /docs/integrations/user-identity/apple
 /docs/identity-providers/auth0 /docs/integrations/user-identity/auth0
 /docs/identity-providers/azure /docs/integrations/user-identity/azure
+/docs/identity-providers/github /docs/integrations/user-identity/github
 /docs/identity-providers/gitlab /docs/integrations/user-identity/gitlab
 /docs/identity-providers/gitlab.html /docs/integrations/user-identity/gitlab
 /docs/identity-providers/google /docs/integrations/user-identity/google
+/docs/identity-providers/okta /docs/integrations/user-identity/okta
+/docs/identity-providers/ping /docs/integrations/user-identity/ping
 /docs/integrations/apple /docs/integrations/user-identity/apple
 /docs/integrations/apple.html /docs/integrations/user-identity/apple
 /docs/integrations/auth0 /docs/integrations/user-identity/auth0
@@ -265,9 +281,13 @@ https://docs.pomerium.io/* https://docs.pomerium.com/:splat 301!
 /docs/integrations/vpn-providers.html /docs/integrations/request-context/vpn-providers
 /docs/integrations/zenefits /docs/integrations/user-standing/zenefits
 /docs/integrations/zenefits.html /docs/integrations/user-standing/zenefits
+/docs/internals/cryptography /docs/internals/security#cryptography
+/docs/k8s/configure /docs/deploy/k8s/configure
 /docs/k8s/helm.html /docs/deploy/k8s/install
 /docs/k8s/ingress.html /docs/deploy/k8s/ingress
+/docs/k8s/install /docs/deploy/k8s/install
 /docs/k8s/quickstart /docs/deploy/k8s/quickstart
+/docs/k8s/reference /docs/deploy/k8s/reference
 /docs/manage/clusters /docs/internals/clusters
 /docs/manage/clusters.html /docs/internals/clusters
 /docs/manage/custom-domains /docs/capabilities/custom-domains
@@ -276,20 +296,31 @@ https://docs.pomerium.io/* https://docs.pomerium.com/:splat 301!
 /docs/manage/mutual-auth.html /docs/internals/mutual-auth
 /docs/manage/troubleshooting /docs/internals/troubleshooting
 /docs/manage/troubleshooting.html /docs/internals/troubleshooting
+/docs/overview/upgrading /docs/deploy/upgrading
 /docs/reference/authenticate-internal-service-url /docs/reference/service-urls
+/docs/reference/authenticate-service-url /docs/reference/service-urls#authenticate-service-url
+/docs/reference/authorize-internal-service-url /docs/reference/service-urls#authenticate-internal-service-url
 /docs/reference/autocert/autocert-must-staple /docs/reference/autocert#autocert-must-staple
 /docs/reference/branding/logo-url /docs/reference/branding#logo-url
 /docs/reference/cookie-secure /docs/reference/cookies#cookie-secure
+/docs/reference/downstream-mtls /docs/reference/downstream-mtls-settings
 /docs/reference/forward-auth https://0-20-0.docs.pomerium.com/docs/reference/forward-auth 301!
+/docs/reference/grpc-address /docs/reference/grpc#grpc-address
+/docs/reference/grpc-insecure /docs/reference/grpc#grpc-insecure
 /docs/reference/metrics-basic-authentication /docs/deploy/enterprise/configure-metrics
 /docs/reference/reference.html /docs/reference
+/docs/reference/routes/kubernetes-service-account-token-file /docs/reference/routes/kubernetes-service-account-token
 /docs/releases/pomerium-cli /docs/deploy/clients
 /docs/topics/device-identity.html /docs/integrations/device-context/device-identity
+/docs/topics/kubernetes-auth.html /docs/capabilities/kubernetes-access
+/docs/topics/mutual-auth /docs/internals/mutual-auth
 /docs/topics/mutual-auth.html /docs/internals/mutual-auth
 /docs/topics/original-request-context /docs/capabilities/original-request-context
 /docs/topics/ppl /docs/internals/ppl
 /docs/topics/production-deployment.html /docs/deploy/upgrading
 /docs/topics/programmatic-access.html /docs/internals/programmatic-access
 /docs/zero/billing /docs/deploy/cloud/billing
+/docs/zero/billing /docs/deploy/cloud/billing
+/docs/zero/import /docs/deploy/cloud/import
 /docs/zero/import /docs/deploy/cloud/import
 /recipes/ad-guard /docs/guides/ad-guard

content/docs/reference/img/global-settings/idp-access-token-allowed-audiences.png

@@ -5242,9 +5242,9 @@ domhandler@^5.0.2, domhandler@^5.0.3:
     domelementtype "^2.3.0"
 
 dompurify@^3.0.6, dompurify@^3.2.1:
-  version "3.2.3"
-  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.2.3.tgz#05dd2175225324daabfca6603055a09b2382a4cd"
-  integrity sha512-U1U5Hzc2MO0oW3DF+G9qYN0aT7atAou4AgI0XjWz061nyBPbdxkfdhfy5uMgGn6+oLFCfn44ZGbdDqCzVmlOWA==
+  version "3.2.4"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.2.4.tgz#af5a5a11407524431456cf18836c55d13441cd8e"
+  integrity sha512-ysFSFEDVduQpyhzAob/kkuJjf5zWkZD8/A9ywSp1byueyuCfHamrCBa14/Oc2iiB0e51B+NpxSl5gmzn+Ms/mg==
   optionalDependencies:
     "@types/trusted-types" "^2.0.7"