pomerium: G Suite Service Account Group Membership Validation Fails
What happened?
- Running on Kubernetes with the helm chart along with nginx ingress
- We use G Suite Service account for group membership validation.
- We have two users A and B
- user A is part of roughly 20 something groups
- user B is part of roughly 60 something groups (including owner of some groups)
What did you expect to happen?
- Group membership works for user A and user A can access everything downstream fine
- For user B they get an error
ERR_CONNECTION_CLOSEDon Chrome and a blank page on Firefox - When tried on Safari user got
kCFErrorDomainCFNetwork error 303 - Also when user A who is an Pomerium admin tried to log in they got an 403 (creating separate issue for that)
How’d it happen?
- User B tried to log in
What’s your environment like?
- Pomerium version (retrieve with
pomerium --versionor/pingendpoint):
pomerium/v0.6.3 (+github.com/pomerium/pomerium; 1c7d30b; go1.14)
- Server Operating System/Architecture/Cloud:
What’s your config.yaml?
- from: https://EXT
to: http://INT
allowed_groups:
- admins@user.com
What did you see in the logs?
[
{
"level": "debug",
"X-Forwarded-For": [
"XXXXX"
],
"X-Forwarded-Host": [
"INTERNAL"
],
"X-Forwarded-Port": [
"443"
],
"X-Forwarded-Proto": [
"https"
],
"X-Real-Ip": [
"XXXXX"
],
"ip": "XXXXX",
"user_agent": "REMOVED",
"req_id": "f9ec84a4-14d9-ecc1-4632-aee4d192bd76",
"error": "Forbidden: user@user.com is not authorized for INTERNAL",
"time": "2020-03-26T19:18:33Z",
"message": "proxy: AuthorizeSession"
},
{
"level": "info",
"X-Forwarded-For": [
"INTERNAL"
],
"X-Forwarded-Host": [
"INTERNAL"
],
"X-Forwarded-Port": [
"443"
],
"X-Forwarded-Proto": [
"https"
],
"X-Real-Ip": [
"INTERNAL"
],
"ip": "XXXXX",
"user_agent": "REMOVED",
"req_id": "f9ec84a4-14d9-ecc1-4632-aee4d192bd76",
"error": "Forbidden: user@user.com is not authorized for INTERNAL",
"time": "2020-03-26T19:18:33Z",
"message": "httputil: ErrorResponse"
}
]
Additional context
Add any other context about the problem here.
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 35 (14 by maintainers)
Commits related to this issue
- internal/directory: improve google user groups list Skip group without members, so it saves us time to handle group members, and reduce the size of groups. While at it, also querying API with the fi... — committed to pomerium/pomerium by cuonglm 4 years ago
- internal/directory: improve google user groups list Skip group without members, so it saves us time to handle group members, and reduce the size of groups. While at it, also querying API with the fi... — committed to pomerium/pomerium by cuonglm 4 years ago
- internal/directory: improve google user groups list (#1092) Skip group without members, so it saves us time to handle group members, and reduce the size of groups. While at it, also querying API ... — committed to pomerium/pomerium by cuonglm 4 years ago
- config: allow setting directory sync interval and timeout Updates #567 — committed to pomerium/pomerium by cuonglm 4 years ago
- config: allow setting directory sync interval and timeout (#1098) Updates #567 — committed to pomerium/pomerium by cuonglm 4 years ago
oh. woops. i figured it out. i had to move
pass_identity_headersinto the policy. not sure how i missed that in the documentation.