Using Claims in PPL

Additional info from the thread:

Alex 18 minutes ago

Hi @Ronnie Vink . Have you tried using is instead of has for claim/email ?And as an aside, I’m curious why you want to use claim/email over just email ; do you have a situation where they’d be different?

Ronnie Vink 15 minutes ago

yup used the is as well. it’s not about claim/email specifically. it’s about using idp claims like the claim/family_name example (or claim/groups ) in policies which seems to be not working at all. (edited)

Ronnie Vink 14 minutes ago

FYI, I’m using Keycloak as OIDC provider. I added the groups claim in a separate scope, so any policies based on groups could be done with claim/groups

Currently the claim criterion does not support the string matchers. It is rather used directly and only supports exact matches:

    - claim/family_name: Smith

Works like a charm. Thanks so much! I can confirm below works:

  - from: https://verify.localhost
    to: http://verify
    pass_identity_headers: true
      - allow:
            # - email: 
            #     is: john.doe@acme.local
            - claim/family_name: Doe
            - claim/groups: DevOps

Claim example on should be updated accordingly:

Thanks, I’ve staged a fix for the docs.