Idp filter with special character (https://)

Hi,
I was trying to configure Auth0 OIDC and IdP using Manage OIDC IdP Groups | Boundary - HashiCorp Learn. But I’m facing a problem. My user claim response is the following:

userinfo_claims:
    {
        "http://bounday": {
            "groups": "boundary_devops",
            "permissions": [],
            "roles": []
        },
        "sub": "google-oauth2|1165826141341003826"
    }

and I’m using the following Terraform code:

resource "boundary_managed_group" "devops" {
  name           = "DevOps"
  description    = "OIDC managed group for DevOps"
  auth_method_id = boundary_auth_method_oidc.oidc.id
  filter         = "\"boundary_devops\" in \"/userinfo/http://boundary/groups\""
}

but it’s throwing an error: │ Error: error updating managed group: {"kind":"InvalidArgument", "message":"Error in provided request.", "details":{"request_fields":[{"name":"attributes.filter", "description":"Error evaluating submitted filter expression: 1:22 (21): rule \"match\": Invalid selector."}]}}

With Auth0 I can’t create a custom claim without a namespace, and the namespace name must start with http:// or https://.

Any workaround?

ref:

  1. Create Namespaced Custom Claims
  2. Custom claim without namespace - Auth0 Community
  3. Sample Use Cases: Scopes and Claims

I think probably you just need to try variations on escaping and quoting. Most of my filter rules have single quotes on the outside, around the entire rule, and double quotes around the selector and the expression, like so:

'"/foo/bar" matches "some_expression"'

For example, check out the filter rule used in the Target-Aware Workers Learn guide:

'"/item/name" matches "postgres|redis|mysql"'

My first thought on your specific issue is to try something like this:

'"boundary_devops" in "/userinfo/http://boundary/groups"'

and if that doesn’t work, try adding some escaping:

'"boundary_devops" in "/userinfo/http\:\/\/boundary/groups"'

It looks like filters use JSON Pointer syntax, so you could also try something like:

'"boundary_devops" in "/userinfo/http:~1~1boundary/groups"'

(In JSON pointer syntax, ~1 is an escape code for a forward slash.)

  filter         = "\"boundary_devops\" in \"/userinfo/http:~1~1boundary/authorization/groups\""

The above filter works. Thanks, mate.
BTW, a single quote does not work with Terraform.
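To make the escaping rule from the thread concrete, here is a small added example (not code from the thread, from Boundary, or from the Terraform provider) that implements RFC 6901 JSON Pointer token escaping and resolution in Go using only the standard library. It decodes a constructed userinfo document shaped like the one in the question (wrapped under a `userinfo` key so the pointer mirrors the `/userinfo/...` path used in the filter; the `sub` value is made up), then shows why `/userinfo/http://boundary/groups` cannot resolve while `/userinfo/http:~1~1boundary/groups` does. It does not reproduce Boundary's actual filter engine; it only demonstrates the pointer semantics the filter path relies on.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample document: the userinfo claims from the question,
// wrapped under "userinfo" so pointers look like the ones in the filter.
const sampleUserinfo = `{
  "userinfo": {
    "http://boundary": {"groups": "boundary_devops", "permissions": [], "roles": []},
    "sub": "google-oauth2|0000000000000000000"
  }
}`

// EscapeToken applies RFC 6901 escaping to one reference token:
// "~" must become "~0" before "/" becomes "~1".
func EscapeToken(tok string) string {
	return strings.ReplaceAll(strings.ReplaceAll(tok, "~", "~0"), "/", "~1")
}

// UnescapeToken reverses EscapeToken; "~1" is decoded before "~0" so that
// a literal "~0" followed by "1" is not misread as a slash.
func UnescapeToken(tok string) string {
	return strings.ReplaceAll(strings.ReplaceAll(tok, "~1", "/"), "~0", "~")
}

// Resolve walks a JSON Pointer over a decoded JSON document. Only object
// members are supported here, which is all the claims shape needs.
func Resolve(doc interface{}, pointer string) (interface{}, error) {
	if pointer == "" {
		return doc, nil
	}
	if !strings.HasPrefix(pointer, "/") {
		return nil, fmt.Errorf("pointer %q must start with '/'", pointer)
	}
	cur := doc
	for _, raw := range strings.Split(pointer[1:], "/") {
		key := UnescapeToken(raw)
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("token %q: current value is not an object", key)
		}
		next, found := obj[key]
		if !found {
			return nil, fmt.Errorf("token %q: no such key", key)
		}
		cur = next
	}
	return cur, nil
}

// GroupsFromClaims decodes the userinfo JSON and returns the string value
// found at the given pointer, or an error if the path does not resolve.
func GroupsFromClaims(userinfoJSON, pointer string) (string, error) {
	var doc interface{}
	if err := json.Unmarshal([]byte(userinfoJSON), &doc); err != nil {
		return "", err
	}
	v, err := Resolve(doc, pointer)
	if err != nil {
		return "", err
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("value at %q is not a string", pointer)
	}
	return s, nil
}

func main() {
	// Unescaped: the "//" inside the key is split into separate tokens
	// ("http:", "", "boundary"), so the lookup fails at "http:".
	_, err := GroupsFromClaims(sampleUserinfo, "/userinfo/http://boundary/groups")
	fmt.Println("unescaped pointer:", err)

	// Escaped: "/" inside the key becomes "~1", keeping the key one token.
	p := "/userinfo/" + EscapeToken("http://boundary") + "/groups"
	fmt.Println("escaped pointer:", p)
	g, err := GroupsFromClaims(sampleUserinfo, p)
	fmt.Println("groups:", g, "err:", err)
}
```

The same escaping is what the working filter in this thread relies on; inside an HCL string the whole expression still has to be double-quoted with `\"` escapes, as the confirmed filter shows, because HCL does not accept single-quoted strings.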
