Claim set and allowed in policy, but authentication still fails

What happened?

I am trying to authenticate access to privileged.mysite.com using Auth0 roles. I am getting a forbidden error from Pomerium upon navigating to that site. I have configured the roles by following the tutorial at https://www.pomerium.com/docs/identity-providers/auth0#groups. I can verify that these roles are being added using the /.pomerium endpoint. Note that parts of the image have been redacted. In the following picture, we can see that the user correctly gets the gardener claim.

My policy explicitly allows for users with the gardener group to have access to the site in question. However, I still get a forbidden error when trying to access the site. The relevant access log is as follows:

pomerium-pomerium-1  | {"level":"info","service":"authorize","request-id":"75c7725a-f16b-42be-a9d1-c9164d000b7b","check-request-id":"75c7725a-f16b-42be-a9d1-c9164d000b7b","method":"GET","path":"/","host":"privileged.mysite.com","query":"","ip":"<server_ip>","session-id":"d3df0616-fdef-481d-a57c-9e0a3e2c8db7","allow":false,"allow-why-false":["claim-unauthorized","non-pomerium-route"],"deny":false,"deny-why-false":["valid-client-certificate-or-none-required"],"user":"auth0|634b44b808c244ef54eec1b9","email":"<email>","time":"2023-01-10T07:23:36Z","message":"authorize check"}

A seemingly related error:

pomerium-pomerium-1  | {"level":"warn","config_file_source":"/pomerium/config.yaml","bootstrap":true,"service":"identity_manager","error":"auth0: could not list roles: request failed: Get \"https://<auth0 url>/api/v2/roles?include_totals=true&page=0&per_page=50\": oauth2: cannot fetch token: 403 Forbidden\nResponse: {\"error\":\"access_denied\",\"error_description\":\"Client is not authorized to access \\\"https://<auth0 url>/api/v2/\\\". You need to create a \\\"client-grant\\\" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants\"}","time":"2023-01-10T08:34:55Z","message":"failed to refresh directory users and groups"}

What’s your environment like?

  • Pomerium Docker Container – Latest
  • Raspberry Pi 3

What’s your config.yaml?

# See detailed configuration settings : https://www.pomerium.com/docs/reference/


# this is the domain the identity provider will callback after a user authenticates
authenticate_service_url: https://authenticate.gk.aadhithya.cloud

####################################################################################
# Certificate settings:  https://www.pomerium.com/docs/reference/certificates.html #
# The example below assumes a certificate and key file will be mounted to a volume #
# available to the  Docker image.                                                  #
####################################################################################
certificate_file: /pomerium/cert.pem
certificate_key_file: /pomerium/privkey.pem

##################################################################################
# Identity provider settings : https://www.pomerium.com/docs/identity-providers/ #
# The keys required in this section vary depending on your IdP. See the          #
# appropriate docs for your IdP to configure Pomerium accordingly.               #
##################################################################################
idp_provider: auth0
idp_provider_url: <auth0 url>
idp_client_id: <redacted>
idp_client_secret: <redacted>

# Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
cookie_secret: <redacted>

# Generate keys for JWT verification
signing_key: <redacted>

# https://pomerium.com/reference/#routes
routes:
  - from: https://privileged.mysite.com
    to: https://<server_ip>
    policy:
      - allow:
          and:
            - claim/gk/groups: gardener

Additional context

Auth0 Add Group Code

/**
* Handler that will be called during the execution of a PostLogin flow.
*
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
*/
exports.onExecutePostLogin = async (event, api) => {
  if (event.authorization) {
    api.idToken.setCustomClaim("gk/groups", event.authorization.roles);
    api.accessToken.setCustomClaim("gk/groups", event.authorization.roles);
  }
};

Any help would be greatly appreciated. Thank you!

You seem to adjust gk/groups, but the policy is written against gk/roles.

Thanks for taking a look. Unfortunately, that was a change I made during debugging. I switched it back to gk/groups and the issue still persists. I verified that gk/groups is being set by auth0 using the /.pomerium endpoint and that is working correctly. I have edited the original question to reflect the updated config file.

It is possible that / is converted into _.

Try making a rule for claim/gk_groups.

So this is interesting. Changing the rule to claim/gk_groups did not fix the issue, but changing both the pomerium policy to claim/gk_groups and the auth0 custom claim to

api.idToken.setCustomClaim("gk_groups", event.authorization.roles);
api.accessToken.setCustomClaim("gk_groups", event.authorization.roles);

did solve my issue. This solves my problem, but I’m still curious as to how they did it in the Pomerium documentation (linked in this thread) as they use slashes in both auth0 and the pomerium policy.

Alright, I figured it out. It seems that on Auth0, there's a new rule where namespaced claims must begin with http or https (Create Custom Claims). I formatted my new Auth0 custom claim as https://gk.io/groups and then was able to use claim/https://gk.io/groups: gardener in my Pomerium policy to get a valid authentication. If this is reproducible, the claim in the Auth0 documentation should probably be changed from pomerium.io/groups to https://pomerium.io/groups. Thanks for your help @denis!
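As an added example (not code from the thread, from Pomerium, or from Auth0), here is the resolved setup pulled together in one place: an Auth0 PostLogin Action that sets the user's roles under an http(s)-prefixed namespace, a check for the namespace rule the final post cites, and the Pomerium policy fragment that references the same claim name verbatim. The namespace https://gk.io is an assumption taken from the final post; substitute your own. The `event`/`api` objects are constructed stand-ins for Auth0's so the Action can be exercised offline.

```javascript
// Added example, not code from the original thread or from Pomerium/Auth0.
// Assumptions: the claim namespace https://gk.io (from the thread's final
// post) and the role name "gardener". Everything else is generic.

const NAMESPACE = "https://gk.io";          // assumption: use your own namespace
const GROUPS_CLAIM = `${NAMESPACE}/groups`;  // -> "https://gk.io/groups"

// The rule the final post cites: a namespaced custom claim must begin with
// http:// or https://. Names such as "gk/groups" fail this check.
function isValidNamespacedClaim(name) {
  return /^https?:\/\/[^\/\s]+\/\S+$/.test(name);
}

// Core logic, kept synchronous so it can be called directly in tests.
// Returns the roles that were written into the tokens.
function setGroupClaims(event, api) {
  if (!isValidNamespacedClaim(GROUPS_CLAIM)) {
    throw new Error(`claim name ${GROUPS_CLAIM} is not an http(s) namespace`);
  }
  const roles = event.authorization && Array.isArray(event.authorization.roles)
    ? event.authorization.roles
    : [];
  api.idToken.setCustomClaim(GROUPS_CLAIM, roles);
  api.accessToken.setCustomClaim(GROUPS_CLAIM, roles);
  return roles;
}

// Auth0 PostLogin Action entry point (this is the part pasted into Auth0).
const onExecutePostLogin = async (event, api) => {
  setGroupClaims(event, api);
};
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stand-in for Auth0's `api` object: records claims per token.
function makeFakeApi() {
  const claims = { idToken: {}, accessToken: {} };
  const bucket = (name) => ({ setCustomClaim: (k, v) => { claims[name][k] = v; } });
  return { idToken: bucket("idToken"), accessToken: bucket("accessToken"), claims };
}

// Runs the Action against a constructed login event carrying `roles` and
// returns the claims that would land in the ID token and access token.
function runAction(roles) {
  const api = makeFakeApi();
  setGroupClaims({ authorization: { roles } }, api);
  return api.claims;
}

// Pomerium route policy fragment matching the claim the Action emits. The key
// after "claim/" must be the full namespaced claim name, slashes included.
function pomeriumPolicy(group) {
  return [
    "policy:",
    "  - allow:",
    "      and:",
    `        - claim/${GROUPS_CLAIM}: ${group}`,
  ].join("\n");
}

// Stand-alone demo.
console.log(JSON.stringify(runAction(["gardener"]), null, 2));
console.log(pomeriumPolicy("gardener"));
```

The `setGroupClaims` guard means a misnamed claim fails loudly at login time instead of silently producing a token that Pomerium's `claim/...` criterion never matches, which is the failure mode the thread spent several posts diagnosing. Note that the Management API 403 ("client-grant" missing) in the original post is a separate configuration issue on the Auth0 application and is not addressed by this example.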