What happened?
I am trying to authenticate access to privileged.mysite.com using Auth0 roles. I am getting a forbidden error from Pomerium upon navigating to that site. I have configured the roles by following the tutorial at https://www.pomerium.com/docs/identity-providers/auth0#groups. I can verify that these roles are being added using the /.pomerium endpoint. Note that parts of the image have been redacted. In the following picture, we can see that the user correctly gets the gardener claim.
My policy explicitly allows for users with the gardener group to have access to the site in question. However, I still get a forbidden error when trying to access the site. The relevant access log is as follows:
pomerium-pomerium-1 | {"level":"info","service":"authorize","request-id":"75c7725a-f16b-42be-a9d1-c9164d000b7b","check-request-id":"75c7725a-f16b-42be-a9d1-c9164d000b7b","method":"GET","path":"/","host":"privileged.mysite.com","query":"","ip":"<server_ip>","session-id":"d3df0616-fdef-481d-a57c-9e0a3e2c8db7","allow":false,"allow-why-false":["claim-unauthorized","non-pomerium-route"],"deny":false,"deny-why-false":["valid-client-certificate-or-none-required"],"user":"auth0|634b44b808c244ef54eec1b9","email":"<email>","time":"2023-01-10T07:23:36Z","message":"authorize check"}
A seemingly related error:
pomerium-pomerium-1 | {"level":"warn","config_file_source":"/pomerium/config.yaml","bootstrap":true,"service":"identity_manager","error":"auth0: could not list roles: request failed: Get \"https://<auth0 url>/api/v2/roles?include_totals=true&page=0&per_page=50\": oauth2: cannot fetch token: 403 Forbidden\nResponse: {\"error\":\"access_denied\",\"error_description\":\"Client is not authorized to access \\\"https://<auth0 url>/api/v2/\\\". You need to create a \\\"client-grant\\\" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants\"}","time":"2023-01-10T08:34:55Z","message":"failed to refresh directory users and groups"}
What’s your environment like?
- Pomerium Docker Container – Latest
- Raspberry Pi 3
What’s your config.yaml?
# See detailed configuration settings : https://www.pomerium.com/docs/reference/
# this is the domain the identity provider will callback after a user authenticates
authenticate_service_url: https://authenticate.gk.aadhithya.cloud
####################################################################################
# Certificate settings: https://www.pomerium.com/docs/reference/certificates.html #
# The example below assumes a certificate and key file will be mounted to a volume #
# available to the Docker image. #
####################################################################################
certificate_file: /pomerium/cert.pem
certificate_key_file: /pomerium/privkey.pem
##################################################################################
# Identity provider settings : https://www.pomerium.com/docs/identity-providers/ #
# The keys required in this section vary depending on your IdP. See the #
# appropriate docs for your IdP to configure Pomerium accordingly. #
##################################################################################
idp_provider: auth0
idp_provider_url: <auth0 url>
idp_client_id: <redacted>
idp_client_secret: <redacted>
# Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64`
cookie_secret: <redacted>
# Generate keys for JWT verification
signing_key: <redacted>
# https://pomerium.com/reference/#routes
routes:
  - from: https://privileged.mysite.com
    to: https://<server_ip>
    policy:
      - allow:
          and:
            - claim/gk/groups: gardener
Additional context
Auth0 Add Group Code
/**
 * Handler that will be called during the execution of a PostLogin flow.
 *
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  if (event.authorization) {
    api.idToken.setCustomClaim("gk/groups", event.authorization.roles);
    api.accessToken.setCustomClaim("gk/groups", event.authorization.roles);
  }
};
Any help would be greatly appreciated. Thank you!
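As an added illustration, not part of the post and not Pomerium's own code, the following Python helper does two things a practitioner would want while triaging a case like this: it parses the `authorize check` log line (stripping the docker-compose container prefix) to pull out the `allow-why-false` reasons, and it evaluates the post's policy shape (`allow` / `and` / `claim/<name>: value`) against a few constructed claim sets. The claim-matching semantics are an assumption stated in the code: the criterion is treated as satisfied when the named claim, whether a string or a list such as the one the Auth0 Action above emits, contains the wanted value. The log line and claim sets are constructed samples modelled on the post, with identifiers shortened.

```python
import json

# Constructed sample, modelled on the post's authorize log line (ids shortened, placeholders kept).
SAMPLE_LOG = (
    'pomerium-pomerium-1 | {"level":"info","service":"authorize","method":"GET",'
    '"path":"/","host":"privileged.mysite.com","allow":false,'
    '"allow-why-false":["claim-unauthorized","non-pomerium-route"],'
    '"deny":false,"deny-why-false":["valid-client-certificate-or-none-required"],'
    '"user":"auth0|<redacted>","email":"<email>","time":"2023-01-10T07:23:36Z",'
    '"message":"authorize check"}'
)

# The policy from the post's config.yaml, expressed as the parsed YAML would be.
POLICY = [{"allow": {"and": [{"claim/gk/groups": "gardener"}]}}]


def parse_authorize_line(line):
    """Return host, allow decision and allow-why-false reasons from one authorize log line.

    A docker-compose 'container | ' prefix is stripped if present; the rest is JSON.
    """
    prefix, sep, body = line.partition(" | ")
    if not sep:
        body = prefix  # plain JSON line without a container prefix
    rec = json.loads(body)
    return {
        "host": rec.get("host"),
        "allow": rec.get("allow"),
        "why": list(rec.get("allow-why-false", [])),
    }


def claim_matches(claims, claim_name, wanted):
    """ASSUMED semantics of `claim/<name>: value`: the claim must contain `wanted`.

    Claim values may be a single string or a list (Auth0 roles arrive as a list).
    """
    value = claims.get(claim_name)
    if value is None:
        return False
    if isinstance(value, list):
        return wanted in value
    return value == wanted


def evaluate_policy(policy, claims):
    """Evaluate a list of allow rules; each rule is an `and` of claim criteria.

    Any rule whose criteria all match grants access; otherwise access is refused.
    """
    for rule in policy:
        criteria = rule.get("allow", {}).get("and", [])
        checks = []
        for criterion in criteria:
            for key, wanted in criterion.items():
                if not key.startswith("claim/"):
                    checks.append(False)  # only claim criteria are modelled here
                    continue
                _, name = key.split("/", 1)
                checks.append(claim_matches(claims, name, wanted))
        if checks and all(checks):
            return True
    return False


if __name__ == "__main__":
    parsed = parse_authorize_line(SAMPLE_LOG)
    print(parsed["host"], "allowed:", parsed["allow"], "reasons:", parsed["why"])
    # Constructed claim sets: the key must match exactly for the criterion to hold.
    for claims in (
        {"gk/groups": ["gardener"]},          # matches the policy
        {"gk/groups": ["viewer"]},            # wrong role
        {"https://gk/groups": ["gardener"]},  # claim present under a different key
    ):
        print(claims, "->", evaluate_policy(POLICY, claims))
```

Running the script prints the parsed reasons from the sample line, followed by one decision per constructed claim set; only the set whose claim key and value both match the policy line yields `True`.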