Impact
Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowed_idp_claims as part of policy. If using allowed_idp_claims and a user's claims are changed, Pomerium can make incorrect authorization decisions.
Patches
v0.15.6
Workarounds
- Clear data on
databroker service by clearing redis or restarting the in-memory databroker to force claims to be updated
References
#2724
For more information
If you have any questions or comments about this advisory:
Impact
Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using
allowed_idp_claimsas part of policy. If usingallowed_idp_claimsand a user's claims are changed, Pomerium can make incorrect authorization decisions.Patches
v0.15.6
Workarounds
databrokerservice by clearing redis or restarting the in-memory databroker to force claims to be updatedReferences
#2724
For more information
If you have any questions or comments about this advisory: