Assertion Headers Through Traefik

View in #support on Slack

Romain_Guichard @Romain_Guichard: Hi folks ! Once authenticated with my IDP and redirected to my application, I can’t see any X-Pomerium-Jwt-Assertion in my headers. Is there something that need to be done ?

Caleb_Doxsey @Caleb_Doxsey: Do you have pass_identity_headers on?

Settings | Pomerium

Romain_Guichard @Romain_Guichard: I do
In my policy block right ?

Bobby @Bobby: @Romain_Guichard – What’s your (redacted) configuration look like? Do you have any other proxies involved.

Romain_Guichard @Romain_Guichard: Just my ingress controller (traefik)

        X-Corp-email: email
        X-Corp-groups: groups
        X-Corp-user: user
    sharedSecret: <path:oi-secrets/data/kube-shared-nonprod/pomerium-auth-external#sharedSecret>
    cookieSecret: <path:oi-secrets/data/kube-shared-nonprod/pomerium-auth-external#cookieSecret>
    rootDomain: <|>
      - from: <>
        to: <http://app.svc.cluster.local>
          - <|>
        pass_identity_headers: true
        preserve_host_header: true

(this is the helm chart value used)

Bobby @Bobby: Is pomerium being run in forward auth mode?

Romain_Guichard @Romain_Guichard: yes it is

Bobby @Bobby: Any pomerium headers you want to add to the request headers would also need to be added to your Traefik config using forwardauth.authResponseHeaders
. You may also need to set forwardedheaders.insecure .
@Romain_Guichard – LMK if that does the trick! :slightly_smiling_face:

Romain_Guichard @Romain_Guichard: Hi @Bobby, just tested it, it doesn’t do the trick :disappointed:

apiVersion: <|>
kind: Middleware
  name: internal-auth
  namespace: pomerium-external
    address: <https://pomerium-proxy.pomerium-external>
    - X-Pomerium-Authenticated-User-Email
    - x-pomerium-authenticated-user-id
    - x-pomerium-authenticated-user-groups
    - x-pomerium-jwt-assertion
      insecureSkipVerify: true
    trustForwardHeader: true

Discussion on this issue continued in slack and on Github. The issue turned out to be with our docs having an outdated section, which we’ll fix shortly.

The outdated section shows example JWT claim headers in the form x-pomerium-authenticated-user-{email|user-id|groups}, but the format is actually x-pomerium-claim-{email|user-id|groups}.