Hi folks, I'd like to know the feature status about ErrorHandler (https://www.ory.sh/docs/oathkeeper/pipeline/error) in CRD side. There's no

errors

field in https://github.com/ory/oathkeeper-maester/blob/master/api/v1alpha1/rule_types.go#L47 and I wonder there is any workaround or ongoing work for it.

hello all, how to add the header field containing kratos user_id to the request forwarded by oathkeeper? I am aware of the mutators, but still cannot figure it out. Thank you!

type AuthenticationSession struct {
  Subject      string
  Extra        map[string]interface{}
  Header       http.Header
  MatchContext MatchContext
}

In particular, how to discover the contents of

Extra

?

Hi all - can oathkeeper verify JWTs signed with a symmetric algorithm? I couldn’t see it in the config, but I wasn’t sure.

Hello all, I cannot find and example how to configure oathkeeper to authenticate kratos session token (https://www.ory.sh/docs/kratos/session-management/overview#using-ory-session-token). I will be grateful for any hints, thank you!

Hello Team, How to extract value from mutator jwt token in backend ? How to use this "http://oathkeeper:4456/.well-known/jwks.json" ? Thank

Hello everyone 👋 Just sharing a CLI that generates Oathkeeper rules from existing OpenAPI contracts (available on this Github). The use case was to deploy Oathkeeper for an organization running several existing microservices in a distributed architecture and make JWT (issued by Hydra) authentication for each of them. This CLI has been developed in order to save time for each team writing rules and avoid, as much as possible, differences between the microservices changes and the Oathkeeper rules leading to potential security issues (forgot a new scope authorization for example). The next step is to automate all the flow from the OpenAPI contracts generation to the rules deployment. Hope this CLI can help you as well 🙂

@dry-evening-28464 will take a look at this. @icy-stone-85106 thank you for this thoughtful contribution

Hey everyone <!here> 👋 In case you are running Oathkeeper in production, there is a small vulnerability up until yesterdays release. In most cases it should actually not be exploitable, or not have high impact, but please review https://github.com/ory/oathkeeper/security/advisories/GHSA-w9mr-28mw-j8hg for details.

Has anyone worked on a tool to validate the rules in a config yet? As in something that prints

$? > 0

and can be used in CI?

Hello all, I experiencing unnatural oathkeeper behavior with regard to CORS headers. The issue is described here: https://github.com/ory/oathkeeper/issues/1100

Hello, what are the use cases / pros and cons of using

id_token

vs.

cookie

mutator

Hello Team, Any way to send Mutators token to frontend ?

Hi team, is tracing using datadog supported for oathkeeper?

Hello people, is there any support in oathkeeper to verify the json body of a request? I guess I could move the body to a header in the api gateway but it is not exactly an ideal solution.

Hi We are trying to integrate JWT with Oathkeeper and when doing docker compose, I am facing the below error. Can someone help please?

2023-05-10 11:20:53 time=2023-05-10T05:50:53Z level=error msg=The provided configuration is invalid and could not be loaded. Check the output below to understand why. audience=application config_file=/etc/oathkeeper/config.yaml service_name=oathkeeper service_version=
2023-05-10 11:20:53 
2023-05-10 11:20:53 authorizers.allow: map[enabled:true handler:map[name:allow]]
2023-05-10 11:20:53                    ^-- additionalProperties "handler" not allowed
2023-05-10 11:20:53 
2023-05-10 11:20:53 serve: map[api:map[cors:map[allow_credentials:false allowed_headers:[Authorization Content-Type] allowed_methods:[GET POST PUT PATCH DELETE] allowed_origins:[] debug:false enabled:false exposed_headers:[Content-Type] max_age:0] host: port:4456 timeout:map[idle:120s read:5s write:120s]] listen:map[address::4455] prometheus:map[collapse_request_paths:true host: metrics_path:/metrics port:9000] proxy:map[cors:map[allow_credentials:false allowed_headers:[Authorization Content-Type] allowed_methods:[GET POST PUT PATCH DELETE] allowed_origins:[] debug:false enabled:false exposed_headers:[Content-Type] max_age:0] host: port:4455 timeout:map[idle:120s read:5s write:120s]]]
2023-05-10 11:20:53        ^-- additionalProperties "listen" not allowed
2023-05-10 11:20:53 
2023-05-10 11:20:53 authenticators.jwt: map[] enabled:true jwks_cache_duration:3600 jwks_urls:[] leeway:60]
2023-05-10 11:20:53                     ^-- oneOf failed
2023-05-10 11:20:53 
2023-05-10 11:20:53 authenticators.jwt.config: map[scope_strategy:none]
2023-05-10 11:20:53                            ^-- doesn't validate with "#/definitions/configAuthenticatorsJwt"
2023-05-10 11:20:53 
2023-05-10 11:20:53 authenticators.jwt.config.jwks_urls: <nil>
2023-05-10 11:20:53                                      ^-- one or more required properties are missing
2023-05-10 11:20:53 
2023-05-10 11:20:53 authenticators.jwt.enabled: true
2023-05-10 11:20:53                             ^-- value must be false
2023-05-10 11:20:53 
2023-05-10 11:20:53 access_rules: map[interval:5s matching_strategy:regexp path:file:///etc/oathkeeper/rules.yml]
2023-05-10 11:20:53               ^-- additionalProperties "path", "interval" not allowed
2023-05-10 11:20:53 
2023-05-10 11:20:53 (root)
2023-05-10 11:20:53 ^-- additionalProperties "upstream", "config", "rules" not allowed
2023-05-10 11:20:53 
2023-05-10 11:20:53 time=2023-05-10T05:50:53Z level=fatal msg=The services failed to start because the configuration is invalid. Check the output above for more details. audience=application service_name=oathkeeper service_version=

Hi. We are trying to migrate from cookie + oauth2_introspection + id_token mutator to JWT Is there a way to configure oathkeeper to accept both strategies on the same endpoints. I was looking at adding multiple authenticators, both a introspect and a noop. But the mutator for generating the id_token is apparently always executed, and fails in the plain JWT case

Hi all - what’s a good way to run oathkeeper locally in Docker so it can talk to local upstream services? E.g. the following doesn’t seem to expose its ports on the host:

docker build -t ory-oathkeeper-demo . && docker run --rm --name ory-oathkeeper-demo --network host ory-oathkeeper-demo --config /config.yaml serve

(Config looks like this:)

% cat config.yaml                                                                                                                                                
serve:
  proxy:
    port: 4455 # run the proxy at port 4455
  api:
    port: 4456 # run the api at port 4456

access_rules:
  repositories:
    - file:///rules.json

errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        verbose: true
    redirect:
      enabled: true
      config:
        to: <https://www.ory.sh/docs>

mutators:
  header:
    enabled: true
    config:
      headers:
        X-User: "{{ print .Subject }}"
        # You could add some other headers, for example with data from the
        # session.
        # X-Some-Arbitrary-Data: "{{ print .Extra.some.arbitrary.data }}"
  noop:
    enabled: true
  id_token:
    enabled: true
    config:
      issuer_url: <http://localhost:4455/>
      jwks_url: file:///jwks.json

authorizers:
  allow:
    enabled: true
  deny:
    enabled: true

authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest

And the logs show it registering on 4455:

<snip>
time=2023-05-12T09:56:35Z level=info msg=No tracer configured - skipping tracing setup audience=application service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=Detected access rule repository change, processing updates. audience=application repos=[file:///rules.json] service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=Detected file change for access rules. Triggering a reload. audience=application event=fsnotify file=/rules.json service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=Software quality assurance features are enabled. Learn more at: <https://www.ory.sh/docs/ecosystem/sqa> audience=application service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=Listening on http://:9000 audience=application service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=TLS has not been configured for api, skipping audience=application service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=TLS has not been configured for proxy, skipping audience=application service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=Listening on http://:4455 audience=application service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-05-12T09:56:35Z level=info msg=Listening on http://:4456 audience=application service_name=ORY Oathkeeper service_version=v0.40.3

And yet:

is there any way to disable caching with the id token mutator? i'm seeing some strange behavior that so far i can't explain and i was hoping to eliminate caching as the source of the problem.

Hi.. to enable ory in prod with Https , can someone please share us a sample

oathkeeper.yml

and

access-rules.yml

. We are getting few issues when are trying to host it. This would really help us 🙏

Hello, I had a few questions for oathkeeper docker security • Is it possible to add the

read_only

flag for the oathkeeper service without affecting functionality? • Is it advisable to drop all capabilities by default for oathkeeper? • What are the recommended settings for

mem_limit

,

cpus

,

pids_limit

cgroup options for oathkeeper?

HI, I want to implement authenticated API calls through the oauthkeeper. And with my current setup I get "Bad gateway" response. I'm using the quickstart Docker setup. The authentication is done by Kratos.

When pulling JWKs and routing rules from cloud object storage, is there a way of specifying the cloud credentials in the Oathkeeper config or does Oathkeeper expect the files to be accessible without auth?

Is there any way to configure oathkeeper to use https?

Hey everyone! I can't figure out how to do an HTTP redirect on error:unauthorized only when header Accept:text/html is present, otherwise return json. My oathkeeper config is in the thread below 👇

Hi All, is it possible to deploy Oathkeeper without exposing the reverse proxy port (4455) if I intend to plug it to traefik?

in that scenario, you only need to make the REST API available (4456)

hmm but i don't know if you can tell Oathkeeper to not even open it 😕

Hi all, I asked a question along these lines a long time ago, but I know things move on (for example, I don’t think there was the

remote_json

authoriser when I last asked. Does anyone have an example config for how to use

remote_json

with Casbin Server? Or at least any advice on how to integrate the two? I find Casbin a lot easier to understand than Keto and would at least like to experiment before we have to get any real work done 🙂