Pomerium Verify service

This example service uses the Pomerium Go SDK to parse and display the contents of the X-Pomerium-Jwt-Assertion header. This can help to validate that a Pomerium deployment is working as expected.

This service is hosted at https://verify.pomerium.com, or you can deploy an instance in your own Pomerium setup.

Configuration options

The service can be configured with the following environment variables:

• ADDR

  Listen address for the service. If neither ADDR nor PORT is set, the service will listen at :8000.

• PORT

  Listen address port for the service. If neither ADDR nor PORT is set, the service will listen at :8000.

• JWKS_ENDPOINT

  Allows setting a static URL to use for fetching the public key(s) for verifying the Pomerium JWT. If unset, keys will be fetched from the domain specified in the JWT iss claim (using the internal Pomerium endpoint at /.well-known/pomerium/jwks.json). Note: in order for this to work correctly, you must define signing_key or signing_key_file in the Pomerium configuration.

• EXPECTED_JWT_ISSUER

  When set, JWT verification will additionally validate that the issuer claim (iss) matches the given value.

• EXPECTED_JWT_AUDIENCE

  When set, JWT verification will additionally validate that the audience claim (aud) matches the given value.

• EXTRA_CA_CERTS

  Comma-separated list of file paths to CA certs. These certs will be used in addition to the system defaults.

• GCLOUD_PROJECT

  When set to a Firebase project ID, the service will use Cloud Firestore as a storage backend for WebAuthn-related storage. (By default, the service will store this data in memory instead.)