arbitrary claims are not being returned from assertion header #11

Open
desimone opened this issue May 7, 2021 · 0 comments
Labels
enhancement New feature or request


What happened?

Non-standard ("arbitrary") identity claims are not being added to the jwt-assertion header, although they are being added as custom headers.

What did you expect to happen?

Arbitrary / non-standard identity claims to be added to the assertion payload.

How'd it happen?

See config.

What's your environment like?

  • Pomerium version (retrieve with pomerium --version): pomerium/pomerium@264cf38
  • Server Operating System/Architecture/Cloud: Gsuite

What's your config.yaml?

jwt_claims_headers:
  X-Pomerium-Claim-Photo: picture

policy:
  - from: https://verify.localhost.pomerium.io
    to: http://localhost
    allowed_domains:
      - pomerium.com
      - gmail.com
    pass_identity_headers: true

What did you see in the logs?

https://verify.localhost.pomerium.io/json

Note: the custom header is working but not the jwt.

{
  "PomeriumHeaders": {
    "X-Pomerium-Claim-Photo": [
      "https://lh3.googleusercontent.com/a-/AOh14Gii_LGprpis2aE66KbBWWts7Sn6aJieLUvne_hK=s96-c"
    ]
  },
  "PomeriumInfo": {
    "iss": "authenticate.localhost.pomerium.io",
    "sub": "snip",
    "aud": [
      "verify.localhost.pomerium.io"
    ],
    "exp": 1620360056,
    "iat": 1620357554,
    "jti": "72734065-c0fa-40b1-ab15-b4830c741432",
    "groups": [
      "[email protected]"
    ],
    "user": "snip",
    "email": "[email protected]"
  },
  "PomeriumInfoErr": null,
  "Request": {
    "Host": "verify.localhost.pomerium.io",
    "Hostname": "bdds-MacBook-Air.local",
    "Method": "GET",
    "Origin": "192.168.1.63",
    "URL": "/json",
    "UUID": "8afcb51d-b5d2-93c1-44a5-8e83ef45b35d"
  }
}

Whereas I would expect...

{
  "aud": "verify.localhost.pomerium.io",
  "email": "[email protected]",
  "exp": snip,
  "groups": [  ],
  "iat": 1620357554,
  "iss": "authenticate.localhost.pomerium.io",
  "jti": "72734065-c0fa-40b1-ab15-b4830c741432",
+  "picture": "https://lh3.googleusercontent.com/a-/AOh14Gii_LGprpis2aE66KbBWWts7Sn6aJieLUvne_hK=s96-c",
  "sub": "111432655977273150308",
  "user": "111432655977273150308"
}

@desimone desimone transferred this issue from pomerium/pomerium May 7, 2021
@travisgroth travisgroth added the enhancement New feature or request label Dec 6, 2021
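
One way to check for the mismatch this issue describes, as an added example (not code from Pomerium or from the issue author): it decodes the payload of the JWT assertion and reports which claims configured under jwt_claims_headers arrived as custom headers but are absent from the assertion. The function names, the sample token and the photo URL are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// missingFromAssertion lists jwt_claims_headers claims that arrived as a custom
// header but are absent from the assertion payload. Diagnostic only: the signature
// is NOT verified, so never base an authorization decision on this decoding.
func missingFromAssertion(assertion string, claimHeaders map[string]string, h http.Header) ([]string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("assertion has %d segments, want 3", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var payload map[string]json.RawMessage
	if err := json.Unmarshal(raw, &payload); err != nil {
		return nil, fmt.Errorf("parse payload: %w", err)
	}
	var missing []string
	for header, claim := range claimHeaders {
		if _, inJWT := payload[claim]; !inJWT && h.Get(header) != "" {
			missing = append(missing, claim)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// sampleAssertion builds a constructed token with a placeholder signature.
func sampleAssertion(claims map[string]interface{}) string {
	enc := base64.RawURLEncoding.EncodeToString
	body, _ := json.Marshal(claims)
	return enc([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + enc(body) + "." + enc([]byte("constructed"))
}

func main() {
	h := http.Header{"X-Pomerium-Claim-Photo": {"https://example.invalid/photo.png"}} // constructed value
	jwt := sampleAssertion(map[string]interface{}{"iss": "authenticate.localhost.pomerium.io"})
	fmt.Println(missingFromAssertion(jwt, map[string]string{"X-Pomerium-Claim-Photo": "picture"}, h))
}
```

An upstream that relies on the assertion rather than the plain headers would see the claim as missing in exactly the case this check reports.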