What happened?
I’m not able to use the “has” matcher with the “claim” criteria.
What did you expect to happen?
I was thinking of restricting access to my resources on a group-membership basis…
After reading the documentation, it appeared that it is no longer possible to use the “group” criteria. So I hoped that it would be possible to use the “claim” criteria instead, but that didn’t work.
I have an integration with a generic OIDC provider, and I have a “groups” claim in the token, which is a list of strings.
How’d it happen?
I just tried to use “has” for the “claim” criteria.
While the email criteria works well, claim/groups doesn’t.
What’s your environment like?
- Pomerium version (retrieve with `pomerium --version`):
  pomerium: v0.20.0-20-gfa0ba60a-dirty+fa0ba60a
  envoy: 1.24.0+05e1343657086268edaa16a1e8a1429d9c8f6e50a44f492cf629fdc71da2ecdc
- Server Operating System/Architecture/Cloud:

|Distributor ID:|Ubuntu|
|---|---|
|Description:|Ubuntu 22.04.1 LTS|
|Release:|22.04|
|Codename:|jammy|
What’s your config.yaml?
```yaml
authenticate_service_url: https://my_sso_provider.internal.corp

# Certificate settings: https://www.pomerium.com/docs/reference/certificates.html
# The example below assumes a certificate and key file will be mounted to a volume
# available to the Docker image.
certificate_file: /opt/pomerium/cert.pem
certificate_key_file: /opt/pomerium/privkey.pem

# Identity provider settings: https://www.pomerium.com/docs/identity-providers/
# The keys required in this section vary depending on your IdP. See the
# appropriate docs for your IdP to configure Pomerium accordingly.
idp_provider: "oidc"
idp_client_id: "id"
idp_client_secret: "secret"
idp_provider_url: "url"
idp_scopes: ["openid", "groups", "profile", "roles", "email"]

signing_key: key
# Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64`
cookie_secret: secret

# https://pomerium.com/reference/#routes
routes:
  - from: https://my_app.internal.corp
    to: https://internal_address
    host_rewrite: my_app.internal.corp
    tls_skip_verify: true
    policy:
      - allow:
          or:
            - email:
                is: my_colleague_email@internal.corp
            - claim/groups:
                has: my_super_group
    pass_identity_headers: false
```
What did you see in the logs?
```json
{"level":"info","service":"authorize","request-id":"af077dd3-5378-4591-949d-d5e47ea5b87f","check-request-id":"af077dd3-5378-4591-949d-d5e47ea5b87f","method":"GET","path":"/","host":"my_app.internal.corp","query":"","ip":"my_ip","session-id":"c3bec8ea-f1a2-4c34-9981-5bb5c8f84735","allow":false,"allow-why-false":["claim-unauthorized","email-unauthorized","non-pomerium-route"],"deny":false,"deny-why-false":["valid-client-certificate-or-none-required"],"user":"4de1b235-f82e-4212-abfb-8ad86022cb95","email":"my_email@internal.corp","time":"2022-11-29T10:31:14Z","message":"authorize check"}
```
Anything else…
Has someone probably already faced this problem or found a feasible workaround?
I’ve read here:
that claims do not support the “has” matcher.
Can somebody suggest a workaround?
Thank you!
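The following is an added illustration, not part of the report and not Pomerium’s own policy engine: a toy evaluator for the allow-policy shape in the config above, modelling the semantics the reporter expects, where `is` compares a scalar claim and `has` tests membership in a list-valued claim such as `groups`. The session claims and the parsed policy are constructed sample data.

```python
"""Toy evaluator for an `or` policy over `email` and `claim/<name>` criteria.

Illustration only (not Pomerium's implementation): `is` is scalar equality,
`has` is membership in a list-valued claim such as the OIDC `groups` claim.
"""
from typing import Any

# Constructed session claims, shaped like an OIDC ID token payload
# whose "groups" claim is a list of strings (as in the report).
SESSION_CLAIMS = {
    "email": "my_email@internal.corp",
    "groups": ["my_super_group", "developers"],
}

# The policy from the report's config.yaml, as parsed YAML would look.
POLICY = {
    "or": [
        {"email": {"is": "my_colleague_email@internal.corp"}},
        {"claim/groups": {"has": "my_super_group"}},
    ]
}


def _resolve(criterion: str, claims: dict[str, Any]) -> Any:
    """Map a criterion name to the claim it reads; `claim/<name>` reads <name>."""
    name = criterion.split("/", 1)[1] if criterion.startswith("claim/") else criterion
    return claims.get(name)


def _match(matcher: str, expected: Any, actual: Any) -> bool:
    if matcher == "is":
        return actual == expected  # scalar equality; never true for a list claim
    if matcher == "has":
        # membership; a bare string claim is treated as a one-element list
        values = actual if isinstance(actual, list) else [actual]
        return expected in values
    raise ValueError(f"unsupported matcher: {matcher}")


def evaluate(policy: dict[str, Any], claims: dict[str, Any]) -> bool:
    """True if any `or` branch matches, all `and` branches match, or a leaf criterion matches."""
    if "or" in policy:
        return any(evaluate(c, claims) for c in policy["or"])
    if "and" in policy:
        return all(evaluate(c, claims) for c in policy["and"])
    ((criterion, spec),) = policy.items()
    ((matcher, expected),) = spec.items()
    return _match(matcher, expected, _resolve(criterion, claims))


if __name__ == "__main__":
    print(evaluate(POLICY, SESSION_CLAIMS))
```

Note that `claim/groups: is: my_super_group` can never match a list-valued claim under these semantics, which is why a membership matcher is needed for group-based access.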