The 0.7 release of Pomerium lays the groundwork to support rich, dynamic access policies capable of making authorization decisions based on external data-sources from outside your identity provider.
This release includes the following features:
- Open Policy Agent: Pomerium now leverages Cloud Native Computing Foundation’s Open Policy Agent (OPA) as the default policy engine. OPA support in this version unlocks future capabilities for writing authorization policy in the rego policy language. This will promote safe, performant, fine-grained controls to incorporate data from external records of account. Access policies will continue to work as before, but will now be backed by an even faster evaluation engine.
- Service Account Generator: Pomerium now includes a command line interface for generating arbitrary route-based service account sessions. Generated service accounts can be used to impersonate users, perform service-to-service communication, and facilitate end-to-end testing for applications managed by Pomerium.
- JWT-based sessions: Pomerium now uses standard JSON Web Tokens (RFC 7519) across all routes and associated user sessions. Cryptographically signed JWT sessions are also made available to downstream applications so that internal app developers can spend less time reinventing SSO, and more time on their apps.
This release includes 62 commits from 11 authors across 7 organizations and includes additional new features, secure workflow enhancements, general improvements, and bug fixes! A complete list of the changes in this release can be found in Pomerium’s 0.7 changelog.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Pomerium GitHub issue tracker.