Using Claims in PPL

alex · October 20, 2021, 4:51pm

View in #support on Slack

@Ronnie_Vink: Hi,
Im currently using Pomerium in Docker:
pomerium: 0.15.4-1634234692+20e21964
envoy: 1.19.1+645d37bf7aa1e2eebfb217fc1b8ba2791463325513d508691599cc23da89bcdc

Quick question regarding PPL and the use of IDP claims for route policies:
routes:
  - from: <https://verify.localhost>
    to: <http://verify>
    policy:
      - allow:
          or:
            # - email:
            #     is: john.doe@acme.local
            - claim/email:
                has: john.doe@acme.local
            - claim/family_name:
                is: Doe           
    pass_identity_headers: true
The above example results in a DENY, while the family_name claim is Doe and the email claim is john.doe@acme.local. I double checked the user claims in https://authenticate.localhost/.pomerium

The policy results in ALLOW when only using the email criteria type. When I only use claim/email instead it results in DENY again.

Is there something I’m missing regarding the use of IDP claims in PPL?

alex · October 20, 2021, 4:52pm

Additional info from the thread:

Alex 18 minutes ago

Hi @Ronnie Vink . Have you tried using is instead of has for claim/email ?And as an aside, I’m curious why you want to use claim/email over just email ; do you have a situation where they’d be different?

Ronnie Vink 15 minutes ago

yup used the is as well. it’s not about claim/email specifically. it’s about using idp claims like the claim/family_name example (or claim/groups ) in policies which seems to be not working at all. (edited)

Ronnie Vink 14 minutes ago

FYI, I’m using Keycloak as OIDC provider. I added the groups claim in a separate scope, so any policies based on groups could be done with claim/groups

calebdoxsey · October 20, 2021, 6:47pm

Currently the claim criterion does not support the string matchers. It is rather used directly and only supports exact matches:

allow:
  and:
    - claim/family_name: Smith

RonnieV · October 20, 2021, 7:41pm

Works like a charm. Thanks so much! I can confirm below works:

routes:
  - from: https://verify.localhost
    to: http://verify
    pass_identity_headers: true
    policy:
      - allow:
          and:
            # - email: 
            #     is: john.doe@acme.local
            - claim/family_name: Doe
            - claim/groups: DevOps

RonnieV · October 20, 2021, 7:46pm

Claim example on https://www.pomerium.com/enterprise/reference/manage.html#pomerium-policy-language should be updated accordingly:

alex · October 20, 2021, 9:08pm

Thanks, I’ve staged a fix for the docs.

Topic		Replies	Views
Using groups claim in PPL to use group-based access Support	3	381	March 24, 2025
PPL with AWS Cognito Groups Support idp	0	349	January 5, 2022
Claim set and allowed in policy, but authentication still fails Support	5	562	January 11, 2023
Limiting access to specific urls Integrations	3	443	July 20, 2023
Using Keycloak as an identity provider with Pomerium Support idp	0	488	December 27, 2021

Using Claims in PPL

Related topics