Using groups claim in PPL to use group-based access

What happened?

I’m not able to use the “has” matcher with the “claim” criteria.

What did you expect to happen?

I was thinking of restricting access to my resources on a group membership basis…
After reading the documentation, it appeared that it is no longer possible to use the “group” criteria. So I hoped that it was possible to use the “claim” criteria instead, but that didn’t work.

I have an integration with a generic OIDC provider, and I have a “groups” claim in the token which is a list of strings.

How’d it happen?

I just tried to use “has” for the “claim” criteria.
While the email criteria works well, claim/groups doesn’t.

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version):
    pomerium: v0.20.0-20-gfa0ba60a-dirty+fa0ba60a
    envoy: 1.24.0+05e1343657086268edaa16a1e8a1429d9c8f6e50a44f492cf629fdc71da2ecdc
  • Server Operating System/Architecture/Cloud:
    |Distributor ID:|Ubuntu|
    |—|—|
    |Description:|Ubuntu 22.04.1 LTS|
    |Release:|22.04|
    |Codename:|jammy|

What’s your config.yaml?

authenticate_service_url: https://my_sso_provider.internal.corp

####################################################################################
# Certificate settings:  https://www.pomerium.com/docs/reference/certificates.html #
# The example below assumes a certificate and key file will be mounted to a volume #
# available to the  Docker image.                                                  #
####################################################################################
certificate_file: /opt/pomerium/cert.pem
certificate_key_file: /opt/pomerium/privkey.pem

##################################################################################
# Identity provider settings : https://www.pomerium.com/docs/identity-providers/ #
# The keys required in this section vary depending on your IdP. See the          #
# appropriate docs for your IdP to configure Pomerium accordingly.               #
##################################################################################
idp_provider: "oidc"
idp_client_id: "id"
idp_client_secret: "secret"
idp_provider_url: "url"
idp_scopes: ["openid", "groups", "profile", "roles", "email"]

signing_key: key

# Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
cookie_secret: secret

# https://pomerium.com/reference/#routes
routes:
  - from: https://my_app.internal.corp
    to: https://internal_address
    host_rewrite: my_app.internal.corp
    tls_skip_verify: true
    policy:
      - allow:
          or:
          - email:
              is: my_colleague_email@internal.corp
          - claim/groups:
              has: my_super_group
    pass_identity_headers: false

What did you see in the logs?

{"level":"info","service":"authorize","request-id":"af077dd3-5378-4591-949d-d5e47ea5b87f","check-request-id":"af077dd3-5378-4591-949d-d5e47ea5b87f","method":"GET","path":"/","host":"my_app.internal.corp","query":"","ip":"my_ip","session-id":"c3bec8ea-f1a2-4c34-9981-5bb5c8f84735","allow":false,"allow-why-false":["claim-unauthorized","email-unauthorized","non-pomerium-route"],"deny":false,"deny-why-false":["valid-client-certificate-or-none-required"],"user":"4de1b235-f82e-4212-abfb-8ad86022cb95","email":"my_email@internal.corp","time":"2022-11-29T10:31:14Z","message":"authorize check"}

Anything else…

Has someone already faced this problem or found a feasible workaround?
I’ve read here:

that claims do not support the “has” matcher.
Can somebody suggest a workaround?

Thank you!

Hi there…

It seems like the solution is obvious and was presented in the link I’ve shared…

So, despite the fact that the groups claim is a list of strings, you can use the following syntax:

policy:
  - allow:
      or:
      - email:
          is: my_colleague_email@internal.corp
      - claim/groups: my_super_group

and if your list of groups contains my_super_group, it will work like a charm!


I am using version “0.28.0+3e51b4f9” with the Azure IdP.

I have followed the documentation:

I can authenticate with Azure; the groups are listed under Roles.

This is a section from my config YAML:

- from: https://poc.domain.com
  to: http://172.17.0.1:8086
  prefix: /test
  policy:
    - allow:
        and:
          - claim/groups: f1a992e7-28f8-4661-9d1b-598e3df1dcaa
          - claim/groups: 12834c54-c13a-4d39-a1cf-33d591677403

I can’t access /test; I get a 403. What am I doing wrong?

Best Regards,
Kristijan

Hi Kristijan, thanks for using Pomerium!

To debug this issue more effectively, I recommend following our quickstart guide to set up a route to Pomerium’s verify app.

Using the verify app, you can better inspect the claim value(s) to ensure that fields are being passed through in the format expected, and validate their accuracy.

Assuming the data is formatted and included as you expect, you may need to adjust the logical operator your policy is using from “and” to “or”. I’m not certain what groups the policy you’ve supplied represent, but as it’s currently written, only users who are in BOTH will be allowed through.

Please reach out if you’re still having issues!
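To make the two findings in this thread concrete (a plain scalar under claim/<name> matches a list-valued claim when the value is one of its elements, while a “has” matcher under a claim never matches; and an “and” over two group criteria admits only users who are in both groups, whereas “or” admits either), here is an added Python sketch of an evaluator for just the PPL constructs used above. It is an example written for this page, not Pomerium’s own code, and it models only the behaviour the thread shows. The session claims, user emails and the policy dicts are constructed from the YAML in the posts; treating a matcher dict under a claim as “never matches” mirrors the 403 and the claim-unauthorized log reason rather than the real parser, and deny-over-allow precedence is an assumption of the sketch.

```python
"""Toy evaluator for the slice of Pomerium Policy Language (PPL) used in this
thread. Added example, not Pomerium's code; it models only the behaviour the
thread shows and marks its own assumptions in comments."""

from typing import Any

# Constructed session claims, standing in for what the authorize service holds
# for a logged-in user. The "groups" claim is a list of strings, as in the thread.
COLLEAGUE = {
    "email": "my_colleague_email@internal.corp",
    "groups": ["my_super_group", "another_group"],
}
MEMBER_BY_GROUP_ONLY = {  # not the named colleague, but in the group
    "email": "someone_else@internal.corp",
    "groups": ["my_super_group"],
}
ONE_AZURE_GROUP = {  # in only one of the two group IDs from Kristijan's policy
    "email": "kristijan@domain.com",
    "groups": ["f1a992e7-28f8-4661-9d1b-598e3df1dcaa"],
}
BOTH_AZURE_GROUPS = {
    "email": "admin@domain.com",
    "groups": ["f1a992e7-28f8-4661-9d1b-598e3df1dcaa",
               "12834c54-c13a-4d39-a1cf-33d591677403"],
}


def match_criterion(name: str, spec: Any, claims: dict) -> bool:
    """One PPL criterion against the claims.

    email: {is: value}        exact match on the email claim
    claim/<name>: value       scalar compare; a list-valued claim matches when
                              value is one of its elements (the working syntax)
    claim/<name>: {has: ...}  matcher syntax under a claim is not supported and
                              never matches here (the thread's failing syntax)
    """
    if name == "email":
        expected = spec["is"] if isinstance(spec, dict) else spec
        return claims.get("email") == expected
    if name.startswith("claim/"):
        if isinstance(spec, dict):  # assumption: unsupported matcher -> no match
            return False
        actual = claims.get(name[len("claim/"):])
        if isinstance(actual, list):
            return spec in actual
        return actual == spec
    raise ValueError(f"criterion not modelled here: {name}")


def evaluate(rule: dict, claims: dict) -> bool:
    """A rule is {or: [...]}, {and: [...]}, {not: rule} or a single criterion."""
    ((key, body),) = rule.items()
    if key == "or":
        return any(evaluate(r, claims) for r in body)
    if key == "and":
        return all(evaluate(r, claims) for r in body)
    if key == "not":
        return not evaluate(body, claims)
    return match_criterion(key, body, claims)


def is_allowed(policy: list, claims: dict) -> bool:
    """Route policy = list of allow/deny rules. Assumption of this sketch:
    a matching deny wins; otherwise any matching allow admits the request."""
    allowed = False
    for entry in policy:
        ((kind, rule),) = entry.items()
        if evaluate(rule, claims):
            if kind == "deny":
                return False
            allowed = True
    return allowed


# Policies as dicts, each the YAML from the thread read literally.
EMAIL_OR_GROUP = [{"allow": {"or": [
    {"email": {"is": "my_colleague_email@internal.corp"}},
    {"claim/groups": "my_super_group"},           # the form that works
]}}]
EMAIL_OR_GROUP_HAS = [{"allow": {"or": [
    {"email": {"is": "my_colleague_email@internal.corp"}},
    {"claim/groups": {"has": "my_super_group"}},  # the original, failing form
]}}]
AZURE_GROUPS = [
    {"claim/groups": "f1a992e7-28f8-4661-9d1b-598e3df1dcaa"},
    {"claim/groups": "12834c54-c13a-4d39-a1cf-33d591677403"},
]
BOTH_GROUPS = [{"allow": {"and": AZURE_GROUPS}}]   # Kristijan's policy
EITHER_GROUP = [{"allow": {"or": AZURE_GROUPS}}]   # the suggested change

if __name__ == "__main__":
    for label, policy, who in [
        ("has matcher", EMAIL_OR_GROUP_HAS, MEMBER_BY_GROUP_ONLY),
        ("scalar value", EMAIL_OR_GROUP, MEMBER_BY_GROUP_ONLY),
        ("and, one group", BOTH_GROUPS, ONE_AZURE_GROUP),
        ("or, one group", EITHER_GROUP, ONE_AZURE_GROUP),
    ]:
        print(f"{label:15} {who['email']:32} allowed={is_allowed(policy, who)}")
```

Running it shows the group-only user denied under the “has” form and allowed under the scalar form, and the single-group Azure user denied under “and” but allowed under “or”; swap in BOTH_AZURE_GROUPS to see the “and” policy admit a user who really is in both groups.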