Use ‘has’ operator with claim subpath in PPL #2851
Comments
@robertgates55 IDP claims are always a map of string keys to lists of values:

    {
      "family_name": ["Doe"],
      "given_name": ["John"]
    }

So the

    allow:
      and:
        - domain:
            is: du.co
        - claim/groups: mygroup

The criterion should return true if any of the values in the list match the value. (in this case if any of the groups are

Have you tried this?
Aha! I had not, but that works perfectly - thanks. Fwiw - I'd read the docs, and "if a token claim matches the supplied value exactly" had led me to think I'd need to string-match the whole array... I now see that that's not what it says. Might be worth clarifying though for future people, or maybe supporting the has matcher as well for consistency and policy readability?
Hi @robertgates55 do you have a suggestion on where/how we could clarify? We'd be glad for some input there.
@travisgroth I think he is just saying that we should support has/is as well as just : for consistency
Closing per @desimone
We're using dex as our IDP, which pulls user groups from google and passes these back as a user claim - the groups are not direct pomerium groups.
Is it possible to use the claim field with a subpath and the 'has' operator? I'd like to do something like this:
I've seen that I can combine with existing annotations, eg:
But this seems to apply the allowed_idp_claims policy as an OR with the policy ... which isn't what I'm after. Any options here?
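
The matching rule from the maintainer's reply (a claim is a list, and the criterion passes if any element equals the value) and the AND/OR distinction raised in the issue text, as an added example. This is not Pomerium's code: the function names and sample users are constructed for illustration, and only the criteria that appear in this thread are modelled.

```python
# Illustrative model of the matching rule described in this thread.
# Not Pomerium's evaluator; every function name here is hypothetical.

def claim_matches(claims, name, wanted):
    """True if ANY value in the claim's list equals `wanted` exactly."""
    values = claims.get(name, [])
    if isinstance(values, str):  # tolerate a scalar claim by wrapping it
        values = [values]
    return any(v == wanted for v in values)

def domain_is(email, domain):
    """Exact match on the part after the last '@'; no '@' never matches."""
    _, sep, found = email.rpartition("@")
    return bool(sep) and found == domain

def evaluate(criterion, user):
    """Evaluate one single-key criterion: and / or / domain / claim/<name>."""
    if len(criterion) != 1:
        raise ValueError("each criterion must have exactly one key")
    (key, arg), = criterion.items()
    if key == "and":
        return all(evaluate(c, user) for c in arg)
    if key == "or":
        return any(evaluate(c, user) for c in arg)
    if key == "domain":
        return domain_is(user["email"], arg["is"])
    if key.startswith("claim/"):
        return claim_matches(user["claims"], key[len("claim/"):], arg)
    # Reject unknown keys instead of silently skipping them.
    raise ValueError(f"unsupported criterion: {key}")

# The allow block from the thread, as it would look after YAML parsing.
ALLOW = {"and": [{"domain": {"is": "du.co"}}, {"claim/groups": "mygroup"}]}
# The same two criteria combined as OR, the behaviour the issue wants to avoid.
AS_OR = {"or": ALLOW["and"]}

# Constructed sample users (claims are maps of string keys to lists).
MEMBER = {"email": "john@du.co", "claims": {"groups": ["othergroup", "mygroup"]}}
NON_MEMBER = {"email": "jane@du.co", "claims": {"groups": ["othergroup"]}}
OUTSIDER = {"email": "eve@example.com", "claims": {"groups": ["mygroup"]}}

if __name__ == "__main__":
    for label, user in (("member", MEMBER), ("non-member", NON_MEMBER),
                        ("outsider", OUTSIDER)):
        print(label, "AND:", evaluate(ALLOW, user), "OR:", evaluate(AS_OR, user))
```

With the criteria combined as OR, the constructed outsider is admitted on group membership alone, which is why the distinction matters when a group claim is meant to narrow a domain rule.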