Need 'scope' claim in JWT

What happened?

I’m using the pomerium JWT as a bearer token and configured snowflake to validate the JWT against the JWKS endpoint. Unfortunately snowflake requires a scope claim, and I can’t see a way to include that in the pomerium JWT.

What did you expect to happen?

I expected to be able to add a custom claim to the pomerium JWT

How’d it happen?

Can’t find any docs, forum posts or materials to support a custom claim

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): v0.32.5
  • Server Operating System/Architecture/Cloud: GKE

What’s your config.yaml?

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: backstage
      namespace: backstage
      annotations:
        ingress.pomerium.io/policy: |
          allow:
            and:
              - domain:
                  is: domain.com
        ingress.pomerium.io/pass_identity_headers: "true"
        ingress.pomerium.io/allow_websockets: "true"
    ...
    spec:
      ingressClassName: pomerium
      rules:
        - host: portal.idp.domain.com

What did you see in the logs?

NA

Additional context

NA

Hi @dwatrous,

I’m unfamiliar with Snowflake — is there any public Snowflake documentation that would help me understand the requirement for a ‘scope’ claim?

I believe Pomerium currently has only limited support for customizing the Pomerium JWT. Specifically, any claims included in the JWT Claim Headers option will additionally be copied from the IdP user info into the Pomerium JWT. So, if you’re able to configure your IdP to populate a ‘scope’ claim with the value you need, that might be an option. As for setting a completely custom claim directly in Pomerium, I believe this is not currently supported.

Thanks,
Ken
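A quick way to confirm whether the IdP claim passthrough Ken describes actually lands a `scope` claim in the Pomerium JWT is to decode the token and list what is missing before handing it to Snowflake. This is an added example, not code from the thread or the Pomerium project; the required-claim list, the sample payload and the key id are constructed assumptions, and the script inspects the payload only (signature verification against the JWKS endpoint is a separate step).

```python
import base64
import json
import time

# Claims the thread says Snowflake expects; "scope" is the one a stock
# Pomerium JWT does not carry. Constructed list, not Snowflake's full spec.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "scope")


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    # Parses the payload only. This does NOT verify the signature: the token
    # must still be checked against Pomerium's JWKS endpoint
    # (/.well-known/pomerium/jwks.json) before anything trusts its claims.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(b64url_decode(parts[1]))


def missing_claims(payload: dict, now=None) -> list:
    # Names of required claims that are absent, plus an "exp(expired)"
    # marker when the token is already past its expiry.
    now = time.time() if now is None else now
    problems = [c for c in REQUIRED_CLAIMS if c not in payload]
    if "exp" in payload and payload["exp"] <= now:
        problems.append("exp(expired)")
    return problems


def make_unsigned_token(payload: dict) -> str:
    # Builds a token with a placeholder signature, purely as constructed
    # sample input for the checks above (hypothetical kid).
    header = {"alg": "ES256", "typ": "JWT", "kid": "example-kid"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"placeholder-signature")])


# Constructed sample: the shape of a Pomerium JWT, but with no scope claim.
SAMPLE_PAYLOAD = {"iss": "portal.idp.domain.com", "sub": "user@domain.com",
                  "aud": "portal.idp.domain.com", "email": "user@domain.com",
                  "exp": 1_700_000_900, "iat": 1_700_000_000}
```

Run `missing_claims(decode_payload(token), now=...)` against a real token copied from the `X-Pomerium-Jwt-Assertion` header; an output of `['scope']` means the passthrough did not populate the claim.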