Assertion Headers Through Traefik


Romain_Guichard @Romain_Guichard: Hi folks! Once authenticated with my IDP and redirected to my application, I can't see any X-Pomerium-Jwt-Assertion in my headers. Is there something that needs to be done?

Caleb_Doxsey @Caleb_Doxsey: Do you have pass_identity_headers on? https://www.pomerium.io/reference/#pass-identity-headers


Romain_Guichard @Romain_Guichard: I do
In my policy block, right?

Bobby @Bobby: @Romain_Guichard – What does your (redacted) configuration look like? Do you have any other proxies involved?

Romain_Guichard @Romain_Guichard: Just my ingress controller (traefik)

pomerium:
  config:
    extraOpts:
      jwt_claims_headers:
        X-Corp-email: email
        X-Corp-groups: groups
        X-Corp-user: user
    sharedSecret: <path:oi-secrets/data/kube-shared-nonprod/pomerium-auth-external#sharedSecret>
    cookieSecret: <path:oi-secrets/data/kube-shared-nonprod/pomerium-auth-external#cookieSecret>
    rootDomain: tld.com
    policy:
      - from: https://app.tld.com
        to: http://app.svc.cluster.local
        allowed_domains:
          - tld.com
        pass_identity_headers: true
        preserve_host_header: true

(these are the Helm chart values used)

Bobby @Bobby: Is pomerium being run in forward auth mode?

Romain_Guichard @Romain_Guichard: yes it is

Bobby @Bobby: Any Pomerium headers you want to add to the request headers would also need to be added to your Traefik config using forwardauth.authResponseHeaders. You may also need to set forwardedheaders.insecure.

https://doc.traefik.io/traefik/v2.0/middlewares/forwardauth/#authresponseheaders
https://www.pomerium.io/reference/#traefik-docker-compose
@Romain_Guichard – LMK if that does the trick! :slightly_smiling_face:

Romain_Guichard @Romain_Guichard: Hi @Bobby, just tested it; it doesn't do the trick :disappointed:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: internal-auth
  namespace: pomerium-external
spec:
  forwardAuth:
    address: https://pomerium-proxy.pomerium-external
    authResponseHeaders:
    - X-Pomerium-Authenticated-User-Email
    - x-pomerium-authenticated-user-id
    - x-pomerium-authenticated-user-groups
    - x-pomerium-jwt-assertion
    tls:
      insecureSkipVerify: true
    trustForwardHeader: true

Discussion of this issue continued on Slack and on GitHub. The issue turned out to be an outdated section in our docs, which we'll fix shortly.

The outdated section shows example JWT claim headers in the form x-pomerium-authenticated-user-{email|user-id|groups}, but the format is actually x-pomerium-claim-{email|user-id|groups}.