Limiting access to specific urls

Hi,
I’m using pomerium with Keycloak to restrict access to some apps. As of today every account in Keycloak had the right to access any app behind pomerium, so I use the routes like this:

But now I need to filter the access to a list of apps for a restricted list of users, and I’m not able to use the domain part because every account uses its own mail domain.
Any idea how I can achieve this? Can somebody provide me a full example? I’m new to pomerium and Keycloak …
Regards
Claude

Hello,

You may use PPL to just enumerate the email addresses of persons who should have access to each individual route.

from: https://drawio.xx
to: http://docker:3402
policy:
  allow:
    or:
      - user:
          is: user1@domain1.com
      - user:
          is: user2@domain2.com

That seems to be a nice solution, but I need it the other way around:
by default allow every authenticated user, and for email1, email2 restrict the access.

If I can do that via Keycloak groups or roles it would be even better.

You probably may achieve that by a combination of allow and deny PPL rules.

A user will have access to a route if at least one allow rule matches and no deny rule matches.

If Keycloak propagates groups to the identity token, then you should be able to build rules using the claim/ criteria in PPL.
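To make the allow-plus-deny combination from the reply above concrete, here is an added route example (not from the original reply and not Pomerium’s own documentation): every authenticated user is allowed, a deny list of individual email addresses is evaluated on top, and a second route shows the same idea with a Keycloak group instead of a list of emails. The hostnames, the email addresses and the group name `restricted-apps` are placeholders; the group variant assumes Keycloak has been configured to put a `groups` claim into the ID token (for example via a group-membership mapper), which Pomerium then exposes to the `claim/groups` criterion.

```yaml
routes:
  # Variant 1: allow everyone who is logged in, then deny a fixed list of
  # email addresses. A deny match wins over any allow match, so the two
  # listed users are blocked even though they are authenticated.
  - from: https://drawio.example.com        # placeholder hostname
    to: http://docker:3402
    policy:
      allow:
        or:
          - authenticated_user: true
      deny:
        or:
          - email:
              is: email1@domain1.com        # placeholder address
          - email:
              is: email2@domain2.com        # placeholder address

  # Variant 2: same shape, but the deny list comes from a Keycloak group
  # carried in the ID token's "groups" claim (assumed mapper configuration).
  # Anyone whose groups claim contains "restricted-apps" is denied.
  - from: https://otherapp.example.com      # placeholder hostname
    to: http://docker:3403                  # placeholder upstream
    policy:
      allow:
        or:
          - authenticated_user: true
      deny:
        or:
          - claim/groups: restricted-apps   # placeholder group name
```

With this shape the allow branch never has to enumerate accounts, so new Keycloak users get access by default; only the deny branch needs maintenance, and with the group variant that maintenance happens in Keycloak rather than in the Pomerium config. One thing worth checking after a change in Keycloak is that the group really appears in the token Pomerium receives, since a claim that is missing from the token simply never matches and the user would be allowed through.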