Zitadel role in Pomerium policy


I’m trying to use https://zitadel.com/ as IDP, which works, but they don’t support Groups of users, just Roles. If you want to include Roles in the ID token, you can ask for urn:zitadel:iam:org:project:roles scope, and you should receive something like

"urn:zitadel:iam:org:project:roles": {
  "cfo": {
    "223281939119866113": "corporate.user-authorizations-io8epz.zitadel.cloud"
  },
  "corporate member": {
    "223279178798072065": "org-a.user-authorizations-io8epz.zitadel.cloud",
    "223279223391912193": "org-b.user-authorizations-io8epz.zitadel.cloud"
  }
}

There’s more information available here: Retrieve user roles | ZITADEL Docs

My question is, do you have any ideas on how to use this in Pomerium’s policy, i.e. to match users based on the cfo role from above?

Thank you.

This solves it: Configuring Custom Claims in ZITADEL

And modifying the last line of that script to api.v1.claims.setClaim('groups', grants) fills roles as groups in the token.
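As an added example (not code from the thread, and not Zitadel's or Pomerium's own code), the following shows the shape of the transformation the answer describes: the nested roles claim from the question is flattened into a plain list of role names such as a `groups` claim would carry, and a membership check of the kind a Pomerium rule like `claim/groups: cfo` performs is evaluated against it. The token payload is constructed here, reusing the role names and organisation ids from the post; the rule semantics ("allow if the required group appears in the claim") are an assumption, as is the org-scoped variant, which is not something the thread asked for but guards against the same role name being granted by different organisations.

```javascript
// Added example, not from the forum thread or the Zitadel/Pomerium docs.
// Flattens the Zitadel roles claim into a list of role names (what the modified
// action publishes as "groups") and evaluates a group-membership check.

const ROLES_CLAIM = "urn:zitadel:iam:org:project:roles";

// Constructed ID-token payload; the roles object mirrors the thread's example.
const SAMPLE_TOKEN = {
  sub: "example-user",
  [ROLES_CLAIM]: {
    cfo: {
      "223281939119866113": "corporate.user-authorizations-io8epz.zitadel.cloud",
    },
    "corporate member": {
      "223279178798072065": "org-a.user-authorizations-io8epz.zitadel.cloud",
      "223279223391912193": "org-b.user-authorizations-io8epz.zitadel.cloud",
    },
  },
};

// Role names are the keys of the roles claim; each nested object maps the
// granting organisation id to its domain. Returns a sorted, de-duplicated list.
function flattenRoles(token) {
  const roles = token[ROLES_CLAIM];
  if (!roles || typeof roles !== "object") return [];
  return [...new Set(Object.keys(roles))].sort();
}

// Assumed variant: keep only roles granted by a specific organisation id, so a
// role name granted by one org is not confused with the same name from another.
function rolesForOrg(token, orgId) {
  const roles = token[ROLES_CLAIM] || {};
  return Object.entries(roles)
    .filter(([, orgs]) => Object.prototype.hasOwnProperty.call(orgs, orgId))
    .map(([role]) => role)
    .sort();
}

// Equivalent of the action's setClaim('groups', grants), applied to the
// decoded token object instead of the Zitadel action context.
function withGroupsClaim(token) {
  return { ...token, groups: flattenRoles(token) };
}

// Assumed semantics of a policy criterion on the groups claim: allow when any
// required group is present. A missing or malformed claim never matches.
function isAllowed(token, requiredGroups) {
  const groups = Array.isArray(token.groups) ? token.groups : [];
  return requiredGroups.some((g) => groups.includes(g));
}

// Usage: the cfo from the thread is allowed, a ceo is not.
const enriched = withGroupsClaim(SAMPLE_TOKEN);
console.log(enriched.groups, isAllowed(enriched, ["cfo"]), isAllowed(enriched, ["ceo"]));
```

Whatever criterion is used on the Pomerium side, the check is only as trustworthy as the claim: the `groups` value is written by the action at token issuance, so the policy should match on the ID token Pomerium validated, not on anything the client can supply.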

