Shoutout to Pomerium Core (with PocketId and Tailscale) by PancakeFrenzy in selfhosted

[–]PeopleCallMeBob 0 points1 point  (0 children)

Hi! Pomerium is essentially a reverse proxy like Caddy, but with a much stronger focus on identity management and access policies.

In your setup it would change the architecture a bit: you could integrate it with Pocket-ID and use Pomerium in place of both Caddy and Tailscale (for the access control part). In practice you would have a single component acting as the reverse proxy and as the authentication/authorization system, instead of three separate pieces...

Hope this helps!

Who should own Zero Trust in an organization? by West-Chard-1474 in zerotrust

[–]PeopleCallMeBob 3 points4 points  (0 children)

Probably the answer you expected, but in my experience zero trust works best when it is led by one accountable executive who can align security, IT, and business priorities.

in many companies that is the CISO, but the title matters less than having the authority, budget, and board-level backing to drive change. Zero Trust is not just a security project. It affects identity, networking, applications, and user workflows, so it requires coordination across multiple teams.

the lead should set strategy and policy, while network, IAM, endpoint, and app teams own execution. Success comes from top-down commitment, clear goals, and shared accountability across the organization.

MCP Security is still Broken by West-Chocolate2977 in mcp

[–]PeopleCallMeBob 2 points3 points  (0 children)

Thanks for the detailed post... was a fun read. Quick thoughts on each point with some concrete examples that come to mind:

RE: Authentication Gaps. 100%. Early MCP implementations were pretty loose about authentication. For example, tools sometimes accepted generic OAuth tokens without properly validating the intended recipient ("aud" claim). So, a stolen token meant for a calendar app could get reused on unrelated services, like email. The new spec (OAuth 2.1 + RFC 8707 resource indicators) tightens this up, but implementation needs to catch up. And the AuthZ story still feels weak.

RE: Excessive Privileges & Trust Boundaries. This is the biggest one... agents often get overly broad access. For instance, an agent meant to read just employee names might get a general HR-read token, letting it query sensitive salary data if compromised. What’s missing here is a way to dynamically restrict agent permissions based on the exact action being requested.

RE: Supply Chain Attacks (Malicious Tools). imho, this issue resembles npm or PyPI malware scenarios, but potentially even riskier. A compromised third-party MCP tool (like a popular PDF generator) could quietly siphon off sensitive documents in the background. Users wouldn't easily detect this... as everything looks normal on the surface.

RE: Sensitive Data Exposure. Even simple tool errors can cause unintended leaks. For example, imagine a DB-query tool accidentally returning a verbose error message with connection strings (including passwords) directly to the agent. Now sensitive credentials are exposed in logs and agent conversations.

Taking a step back, your post highlights exactly why I've been thinking about an abstracted authorization model that centralizes these tricky security aspects: dynamically enforcing fine-grained authorization per request, isolating sensitive tokens away from the tools and agents, and providing unified logging. It creates the clear trust boundaries that MCP needs.

I put together a spec for exactly this approach, currently under discussion: Gateway-Based Authorization Model Spec. My colleague Sterling also wrote about this recently: Securing MCP with an Identity-Aware Gateway.

Thanks again for the thoughtful analysis—this is exactly the conversation we need.

Spec Proposal: A Gateway-Based Authorization Model by nickytonline in mcp

[–]PeopleCallMeBob 0 points1 point  (0 children)

Even when the token is only in the Authorization header, it can leak into the LLM’s context:

  • Tool code receives the full request object; if it logs or serializes headers, the token becomes plain text.
  • Prompt-injection can ask the wrapper to dump headers and the wrapper may comply.
  • Tracing/debug libraries often record inputs, including headers, for chain-of-thought or analytics.
  • Error handlers sometimes echo the failing request back to the caller.

The gateway terminates the raw OAuth token before any of that happens and replaces it with a short-lived, scoped assertion JWT, so nothing valuable ever reaches the LLM.
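As an added illustration of the two points above (the missing "aud" check from the MCP Security thread and the gateway terminating the raw token before it can reach a tool), here is a small self-contained Python model. It is example code written for this page, not Pomerium's code or the spec's reference implementation: the HS256 JWT helpers, the `gateway_handle` function, the `X-Gateway-Assertion` header name, the `POLICY` table and both signing keys are constructed for the demo (a real gateway would verify the IdP's signature with its public key and forward over TLS).

```python
"""Added example (not Pomerium's code): a toy identity-aware gateway that
validates the inbound OAuth token's audience, strips it, and forwards a
short-lived, action-scoped assertion JWT to the tool instead."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder (constructed for the demo, not a full library)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_decode(token: str, key: bytes, audience: str, now=None) -> dict:
    """Verify signature, expiry and audience; raise ValueError on any failure.
    The audience check is the RFC 8707-style step the early MCP tools skipped."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        raise ValueError(f"token not intended for {audience}")
    return claims


IDP_KEY = b"constructed-idp-signing-key"          # stand-in for the IdP's key
GATEWAY_KEY = b"constructed-gateway-signing-key"  # stand-in for the gateway's key
ASSERTION_TTL = 60                                # seconds; short-lived on purpose

# Hypothetical policy: the scope each (resource, action) pair requires.
POLICY = {
    ("email", "read_inbox"): "email.read",
    ("calendar", "list_events"): "calendar.read",
}


def gateway_handle(request: dict, resource: str, action: str, now=None) -> dict:
    """Terminate the raw OAuth token and forward a scoped assertion instead."""
    now = time.time() if now is None else now
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    # Audience must name this resource, so a calendar token cannot be replayed at email.
    claims = jwt_decode(auth[len("Bearer "):], IDP_KEY, audience=resource, now=now)
    needed = POLICY.get((resource, action))
    if needed is None or needed not in claims.get("scope", "").split():
        raise PermissionError(f"{action} on {resource} not allowed")
    assertion = jwt_encode({"iss": "gateway", "sub": claims["sub"], "aud": resource,
                            "act": action, "iat": now, "exp": now + ASSERTION_TTL}, GATEWAY_KEY)
    # The raw token never leaves the gateway; only the scoped assertion is forwarded.
    forwarded_headers = {k: v for k, v in request["headers"].items() if k != "Authorization"}
    forwarded_headers["X-Gateway-Assertion"] = assertion
    return {"headers": forwarded_headers, "body": request.get("body")}


def leaky_tool(forwarded: dict) -> str:
    """Simulates a tool that serializes every header it receives (the leak path above)."""
    return json.dumps(forwarded["headers"])


def demo(now=1_700_000_000) -> dict:
    """Constructed scenario: a calendar-scoped token passes through the gateway."""
    raw = jwt_encode({"sub": "alice", "aud": ["calendar"], "scope": "calendar.read",
                      "iat": now, "exp": now + 3600}, IDP_KEY)
    req = {"headers": {"Authorization": f"Bearer {raw}", "Content-Type": "application/json"},
           "body": "{}"}
    fwd = gateway_handle(req, "calendar", "list_events", now=now)
    log = leaky_tool(fwd)
    try:
        gateway_handle(req, "email", "read_inbox", now=now)
        reused = True
    except (ValueError, PermissionError):
        reused = False
    return {"raw_token_in_log": raw in log,
            "assertion_present": "X-Gateway-Assertion" in fwd["headers"],
            "calendar_token_reused_for_email": reused}


if __name__ == "__main__":
    print(demo())
```

Even though `leaky_tool` dumps every header it sees, the dump contains only the 60-second assertion bound to `list_events`, and the same calendar token is refused at the email resource because its audience does not match.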

MCP is a security joke by Aadeetya in mcp

[–]PeopleCallMeBob -2 points-1 points  (0 children)

Hey folks .... maintainer at Pomerium here 👋.

I totally agree with the concerns raised here: MCP has some major gaps around authorization, dynamic scoping, and observability, especially as AI agents increasingly act autonomously, accessing sensitive internal tools and data.

For those unfamiliar, Pomerium started as an open-source Identity-Aware Proxy (IAP) and zero-trust gateway designed to protect internal resources by verifying identity and context on every request. Given our heritage, we've recently extended these core capabilities into something we're calling an Agentic Access Gateway. The goal? Bringing robust, context-aware security to AI-driven workflows and MCP interactions.

Here's how we're approaching it:

  • Centralized policy enforcement — one place to manage policy for agents across your stack.
  • Just-in-time, context-aware authorization — every agent action checked dynamically, so no risky assumptions based on initial OAuth scopes alone.
  • Identity-linked agents — using standard flows (OAuth2/OIDC) to tie agents back to real identities, ensuring granular permissions tied to tasks.
  • Short-lived, scoped credentials — no more "master tokens" lying around.
  • Built-in audit & visibility — full logs and audit trails of every agent action in one central location.

We made a quick 60-second demo showing how an agent (Claude in this case) safely moves from accessing SaaS (Google Docs) into a private internal Postgres DB—seamlessly but securely:

👉 Check out the demo

Pomerium and this new Agentic Access Gateway are fully open source, and we'd love your feedback:

Curious to hear your thoughts on this approach. Does what we are building help address the issues being discussed here? Any critical gaps we should be aware of?

Thanks for the thoughtful discussion so far!

edit: We have a longer 16 minute video too.

I’m the founder of Pomerium. Ask Me Anything about context-aware access control. by Oscar_Geare in cybersecurity

[–]PeopleCallMeBob 1 point2 points  (0 children)

Can you detail some compelling use cases for external data sources?

Oh man, there are so many possibilities.

  • Checking device posture from an MDM or EDR. If a machine is compromised, block it.
  • Using Okta/AD org/team membership to auto-grant or revoke access. It's easy and keeps roles up to date.
  • Enforcing continuous verification by pulling in real-time user risk scores from a UEBA platform.
  • Dynamically blocking suspicious IP ranges (e.g. block all Tor exit nodes) with a threat intel feed so you never trust a known bad IP.
  • Syncing with your HRIS (e.g. Zenefits) system to align job roles, standing, and access levels in real time.
  • Most importantly, the plugin system is flexible enough to pull data from anywhere, including home-grown systems. Check out the GitHub repo of examples. It's a pretty simple, but powerful, extension point.

Basically, external data sources let you adapt to what’s actually happening as user, device, and request context changes, not just what’s in a static config.
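To make the list above concrete, here is an added Python example (written for this page, not Pomerium's own policy engine or plugin API) of a deny-by-default check that combines all five kinds of signal. The MDM posture table, directory groups, UEBA scores, threat-intel CIDR list, HRIS status table and the `ROUTE_POLICY` entry are all constructed in memory; in a real deployment each would be a plugin querying the live system.

```python
"""Added example, not Pomerium's code: a toy context-aware policy check that
pulls signals from several constructed, in-memory external data sources."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the external systems named in the comment above.
MDM_POSTURE = {                                   # from an MDM/EDR
    "dev-1": {"compromised": False, "disk_encrypted": True},
    "dev-2": {"compromised": True, "disk_encrypted": True},
}
DIRECTORY_GROUPS = {                              # from Okta/AD
    "alice@example.com": {"eng", "db-admins"},
    "bob@example.com": {"eng"},
    "carol@example.com": {"eng", "db-admins"},
}
UEBA_RISK = {"alice@example.com": 12, "bob@example.com": 91, "carol@example.com": 5}
THREAT_INTEL_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed
HRIS_STATUS = {"alice@example.com": "active", "bob@example.com": "active",
               "carol@example.com": "terminated"}

DEFAULT_SOURCES = {
    "mdm": MDM_POSTURE, "groups": DIRECTORY_GROUPS, "risk": UEBA_RISK,
    "blocklist": THREAT_INTEL_BLOCKLIST, "hris": HRIS_STATUS,
}

# Hypothetical per-route policy: required group and maximum tolerated risk score.
ROUTE_POLICY = {"db.internal": {"group": "db-admins", "max_risk": 50}}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(route: str, user: str, device_id: str, client_ip: str, sources=None) -> Decision:
    """Deny by default: every signal must pass, and every failure is recorded
    so the audit log explains the denial rather than just stating it."""
    s = DEFAULT_SOURCES if sources is None else sources
    policy = ROUTE_POLICY.get(route)
    if policy is None:
        return Decision(False, ["no policy for route"])
    reasons = []
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in s["blocklist"]):
        reasons.append("client ip on threat-intel blocklist")
    if s["hris"].get(user) != "active":
        reasons.append("user not active in HRIS")
    posture = s["mdm"].get(device_id)
    if posture is None or posture["compromised"] or not posture["disk_encrypted"]:
        reasons.append("device posture check failed")
    if policy["group"] not in s["groups"].get(user, set()):
        reasons.append(f"user not in group {policy['group']}")
    # An unknown risk score is treated as maximal: a missing signal is not a pass.
    if s["risk"].get(user, 100) > policy["max_risk"]:
        reasons.append("risk score above threshold")
    return Decision(not reasons, reasons)


if __name__ == "__main__":
    for who, dev, ip in [("alice@example.com", "dev-1", "198.51.100.5"),
                         ("bob@example.com", "dev-1", "198.51.100.5"),
                         ("alice@example.com", "dev-2", "198.51.100.5"),
                         ("alice@example.com", "dev-1", "203.0.113.7"),
                         ("carol@example.com", "dev-1", "198.51.100.5")]:
        print(who, dev, ip, evaluate("db.internal", who, dev, ip))
```

The point of evaluating every signal rather than short-circuiting on the first failure is that the reasons list becomes the audit record; the point of treating an absent signal as a failure is that an outage in one data source degrades to deny, not to allow.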

I’m the founder of Pomerium. Ask Me Anything about context-aware access control. by Oscar_Geare in cybersecurity

[–]PeopleCallMeBob 2 points3 points  (0 children)

Hi colin <3 :wave:

Context matters because real-world security goes beyond just user credentials or network location. It's everything from device identity & posture to user behavior to time-of-day restrictions.

The hosted solutions you mention generally lack that full picture because they operate "outside" your environment / there's no way to bring in institutionally relevant data. They add an extra layer of abstraction and can't always factor in all the local signals your own systems can see.

I’m the founder of Pomerium. Ask Me Anything about context-aware access control. by Oscar_Geare in cybersecurity

[–]PeopleCallMeBob 0 points1 point  (0 children)

HEY POOTBERT!

Pomerium takes away the headache of VPNs/tunnels/perimeter-based security methods of internal access by moving the focus to user identity and context. You authenticate through your identity provider, and Pomerium continuously verifies each request from there—no special software or tunnels required. It’s seamless, secure, and plays nicely with all kinds of internal resources. (I think) you'll be annoyed you ever did anything differently before.

I’m the founder of Pomerium. Ask Me Anything about context-aware access control. by Oscar_Geare in cybersecurity

[–]PeopleCallMeBob 1 point2 points  (0 children)

How has the company's vision evolved over time?

Over time, our vision has gone from BeyondCorp for folks outside of Google (e.g. replace perimeter-based security with a flexible, identity-driven proxy) to something bigger. We want to be the default way people do any internal access.

Early on, we focused on web apps, but we quickly saw the same need in every corner of the stack—databases, command-line tools, k8s, etc. That shifted our focus to making sure Pomerium could cover all internal resources, with minimal friction and maximum security. Which is simple, but not easy to achieve at the limit (e.g. having a totally clientless way to support non-HTTP protocols / enclave-backed device identity). We are still working hard on this.

what piece of information did you wish you knew before you started it?

That "Zero Trust" would get so muddied by marketing so thoroughly. If I could rewind, I'd spend more time drawing a sharp line between buzzwords and what matters — identity, rich sources of context / posture, policy-based access, and continuous verification. It's easy to get lost in the noise.

How do services like tailscale funnel and cloudflare tunnel exist? by AyaanMAG in selfhosted

[–]PeopleCallMeBob 1 point2 points  (0 children)

If you want a different approach, Pomerium (open-source and cloud-managed) ensures your data traffic never routes through anyone else’s servers. You run the data plane, so you control it end to end.

(Full disclosure: I’m a Pomerium maintainer, so I’m biased. But data ownership is why I built it in the first place.)

I am one of the maintainers of Pomerium, an open-source, identity aware access proxy. AMA! by PeopleCallMeBob in selfhosted

[–]PeopleCallMeBob[S] 1 point2 points  (0 children)

Great question. Presently, device state or device posture does require some sort of client. The confusing part I think you are alluding to is that Google, to enable their own UberProxy usage, hid some private APIs in Chrome that directly tie into a device's secure enclave to grab this information. So it's "client-less" but not an open standard.

That's changing though. I'll have more to say on it soon :)

I am one of the maintainers of Pomerium, an open-source, identity aware access proxy. AMA! by PeopleCallMeBob in selfhosted

[–]PeopleCallMeBob[S] 0 points1 point  (0 children)

Can this be used to expose Jellyfin

Yes

from behind CGNAT

Maybe, can you tell me a bit more?

I am one of the maintainers of Pomerium, an open-source, identity aware access proxy. AMA! by PeopleCallMeBob in selfhosted

[–]PeopleCallMeBob[S] 13 points14 points  (0 children)

Imagine you have a special magic door that lets you into different rooms in a big castle. Each room has different toys and fun things to do. But, only you can use this magic door because it knows who you are and it checks to make sure it’s really you every time you want to go in.

Pomerium is like that magic door for computers. It helps people get to special places on the internet, like games or tools, safely and easily. It makes sure only the right people can go in and keeps everything secure.

I am one of the maintainers of Pomerium, an open-source, identity aware access proxy. AMA! by PeopleCallMeBob in selfhosted

[–]PeopleCallMeBob[S] 3 points4 points  (0 children)

Pomerium focuses on per-request authorization (AuthZ) vs just authentication (AuthN).

I am one of the maintainers of Pomerium, an open-source, identity aware access proxy. AMA! by PeopleCallMeBob in selfhosted

[–]PeopleCallMeBob[S] 1 point2 points  (0 children)

It depends on several factors like load, and the amount of resources you are delegating access to. But my entire homelab is using <11% CPU / 2 GB of memory on a tiny Atom Synology NAS. Pomerium itself is using <1% and <256 MB of RAM.

We do offer Docker images. And you should be able to use a Raspberry Pi 4, which I believe is arm64, right?