JWT Claim Headers
- Environmental Variable:
JWT_CLAIMS_HEADERS
- Config File Key:
jwt_claims_headers
- Kubernetes: see
jwtClaimHeaders
- Type: slice of
string
- Example:
email
,groups
,user
,given_name
- Optional
The JWT Claim Headers setting allows you to pass specific user session data to upstream applications as HTTP request headers. Note, unlike the header x-pomerium-jwt-assertion
these values are not signed by the authorization service.
Additionally, this will add the claim to the X-Pomerium-Jwt-Assertion
header provided by pass_identity_headers
, if not already present.
Any claim in the pomerium session JWT can be placed into a corresponding header and the JWT payload for upstream consumption. This claim information is sourced from your Identity Provider (IdP) and Pomerium's own session metadata. The header will have the following format:
X-Pomerium-Claim-{Name}
where {Name}
is the name of the claim requested. Underscores will be replaced with dashes; e.g. X-Pomerium-Claim-Given-Name
.
This option also supports a nested object to customize the header name. For example:
jwt_claims_headers:
X-Email: email
Will add an X-Email
header with a value of the email
claim.
Use this option if you previously relied on x-pomerium-authenticated-user-{email|user-id|groups}
.
To pass static values as request headers to the upstream service, see Set Request Headers.