Hi everyone, I have a question related to the Error Handler with the

redirect

mode. Oathkeeper is behind Kong Gateway.

# oathkeeper.yaml
# ...
errors:
  handlers:
    redirect:
      enabled: true
      config:
        to: <http://app.lc/login>
        return_to_query_param: continue
        when:
          - error:
              - unauthorized
              - forbidden

• Navigate http://whoami.lc:8000/pages/private • Unauthenticated request. Redirect to http://app.lc/login?continue=... • But the query param

continue

is wrong URL. ◦ Expect: http://app.lc/login?continue=http://whoami.lc:8000/pages/private ◦ Actually: http://app.lc/login?continue=http://oathkeeper:4455/pages/private How do I fix this issue? There is my access-rules:

# access-rules.yaml
- id: whoami:page-private
  version: v0.40.6
  upstream:
    url: <http://whoami>
    preserve_host: false
  match:
    url: <http://oathkeeper:4455/pages/private><(/.*)?>
    methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
      - OPTIONS
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: allow
  mutators:
    - handler: header
  errors:
    - handler: redirect

Debug logs:

{"http_request":{"headers":{"accept":"application/json","accept-encoding":"gzip, deflate, br","connection":"keep-alive","user-agent":"got (<https://github.com/sindresorhus/got>)","x-forwarded-for":"172.19.0.1","x-forwarded-host":"<http://whoami.lc|whoami.lc>","x-forwarded-path":"/pages/private","x-forwarded-port":"8000","x-forwarded-proto":"http","x-kong-request-id":"facbf508e60b1d6411826d0cbafc0e00","x-real-ip":"172.19.0.1"},"host":"oathkeeper:4455","method":"GET","path":"/pages/private","query":null,"remote":"172.19.0.11:60092","scheme":"http"},"level":"info","msg":"started handling request","time":"2023-12-04T01:12:48.105434044Z"}
{"audience":"application","error":{"debug":"","message":"Access credentials are invalid","reason":"","stack_trace":"\<http://ngithub.com/ory/oathkeeper/proxy.(*requestHandler).HandleRequest|ngithub.com/ory/oathkeeper/proxy.(*requestHandler).HandleRequest>\n\t/project/proxy/request_handler.go:236\ngithub.com/ory/oathkeeper/proxy.(*Proxy).Rewrite\n\t/project/proxy/proxy.go:133\nnet/http/httputil.(*ReverseProxy).ServeHTTP\n\t/usr/local/go/src/net/http/httputil/reverseproxy.go:433\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/corsx.ContextualizedMiddleware.func1\n\t/go/pkg/mod/github.com/ory/x@v0.0.565/corsx/middleware.go:26\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/reqlog.(*Middleware).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.565/reqlog/middleware.go:142\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/oathkeeper/metrics.(*Middleware).ServeHTTP\n\t/project/metrics/middleware.go:103\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.565/metricsx/middleware.go:272\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96\ngo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*Handler).ServeHTTP\n\t/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.36.4/handler.go:204\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2936\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1995\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1598","status":"Unauthorized","status_code":401},"granted":false,"http_host":"oathkeeper:4455","http_method":"GET","http_url":"<http://oathkeeper:4455/pages/private>","http_user_agent":"got (<https://github.com/sindresorhus/got>)","level":"warning","msg":"No authentication handler was responsible for handling the authentication request","reason_id":"authentication_handler_no_match","rule_id":"whoami:page-private","service_name":"ORY Oathkeeper","service_version":"v0.40.6","time":"2023-12-04T01:12:48.105826497Z"}
{"audience":"application","error":{"debug":"","message":"Access credentials are invalid","reason":"","stack_trace":"\<http://ngithub.com/ory/oathkeeper/proxy.(*requestHandler).HandleRequest|ngithub.com/ory/oathkeeper/proxy.(*requestHandler).HandleRequest>\n\t/project/proxy/request_handler.go:236\ngithub.com/ory/oathkeeper/proxy.(*Proxy).Rewrite\n\t/project/proxy/proxy.go:133\nnet/http/httputil.(*ReverseProxy).ServeHTTP\n\t/usr/local/go/src/net/http/httputil/reverseproxy.go:433\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/corsx.ContextualizedMiddleware.func1\n\t/go/pkg/mod/github.com/ory/x@v0.0.565/corsx/middleware.go:26\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/reqlog.(*Middleware).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.565/reqlog/middleware.go:142\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/oathkeeper/metrics.(*Middleware).ServeHTTP\n\t/project/metrics/middleware.go:103\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.565/metricsx/middleware.go:272\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96\ngo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*Handler).ServeHTTP\n\t/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.36.4/handler.go:204\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2936\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1995\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1598","status":"Unauthorized","status_code":401},"granted":false,"http_host":"oathkeeper:4455","http_method":"GET","http_url":"<http://oathkeeper:4455/pages/private>","http_user_agent":"got (<https://github.com/sindresorhus/got>)","level":"warning","msg":"Access request denied","service_name":"ORY Oathkeeper","service_version":"v0.40.6","time":"2023-12-04T01:12:48.105944474Z"}
{"http_request":{"headers":{"accept":"application/json","accept-encoding":"gzip, deflate, br","connection":"keep-alive","user-agent":"got (<https://github.com/sindresorhus/got>)","x-forwarded-for":"172.19.0.1","x-forwarded-host":"<http://whoami.lc|whoami.lc>","x-forwarded-path":"/pages/private","x-forwarded-port":"8000","x-forwarded-proto":"http","x-kong-request-id":"facbf508e60b1d6411826d0cbafc0e00","x-real-ip":"172.19.0.1"},"host":"oathkeeper:4455","method":"GET","path":"/pages/private","query":null,"remote":"172.19.0.11:60092","scheme":"http"},"http_response":{"headers":{"content-type":"text/html; charset=utf-8","location":"<http://app.lc/login?continue=http%3A%2F%2Foathkeeper%3A4455%2Fpages%2Fprivate>"},"size":114,"status":302,"text_status":"Found","took":801890},"level":"info","msg":"completed handling request","time":"2023-12-04T01:12:48.106218184Z"}

Hi everyone, do you know if RegexpCaptureGroups can be used in authenticator config in the access rules? I have a rule that look like this aiming to enforce JWT’s audience to match the requested domain. However the RegexpCaptureGroups reference didn’t render (cause of the error) and get printed out literally in the log.

{
    "id": "protected_resources",
    "version": "v0.40.6",
    "match": {
      "url": "<http|https>://<.*>/<playground|query|anything/header>",
      "methods": [
        "GET",
        "POST"
      ]
    },
    "authenticators": [
      {
        "handler": "jwt",
        "config": {
          "target_audience": [
            "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}://{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}"
          ]
        }
      }
    ],

Error in log:

"reason": "id=\nrid=\nerror=The request could not be authorized\nreason=Token audience [<https://my.domain.com>] is not intended for target audience {{ printIndex .MatchContext.RegexpCaptureGroups 0 }}://{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}

Hello 👋, While using Ory Network, I needed to also use Oathkeeper. Now, the upstream I use, Adds its mandatory CORS headers to response it sends. Also, Oathkeeper also add its CORS headers while returning response. So, I am consistently getting multiple "Access-Control-Allow-Origin" and that results in error showing it expected one 'Access-Control-Allow-Origin' but got multiple "Access-Control-Allow-Origin" . What can be way to remove the upstream response headers or Oathkeeper CORS headers so that this problem can be solved? Any suggestion will be helpful. @magnificent-energy-493

Hey all. Is keto_engine_acp_ory authorizer in oathkeeper v0.40.6 supposed to perform checks against

/engines/acp/ory/exact/allowed

?

Hi, I have a question related to the id_token mutator . The documentation says > This mutator takes the authentication information (such as subject) and transforms it to a signed JSON Web Token, and more specifically to an OpenID Connect ID Token. In the example, it show a Basic Authorization request, with the session information converted into a JWT and propagated in the

authorization

header. Is there a reason this is specifically an OpenId Connect ID token, or does it just match that convention? The example isn't really using an OIDC flow. From usage, it seems like it's an internal token intended as something like a session token, to propagate authentication information to a downstream service. If I remember correctly, the

id_token

is intended for use by the client rather than being propagated downstream. Sorry if this is a philosophical point, I'm just trying to understand the intend usage to I don't use this for the wrong reasons 😅 The idea of swapping an external authentication (the session info) for an internal represenation (a JWT) is what I'm looking for, so the way it works seems to fit, but the mention of OIDC has confused me a little bit.

I need help with the remote_json authorizer. I need to extract the role of the user from the metadata_admin column of the identity but there seems to no way doing that without a custom endpoint to trigger a request to the admin api. Any Idea how I can manage this? I know moving the role to the metadata_public would work but I was told that saving role information in the traits is not secure enough.

authorizers:
  allow:
    enabled: true
  remote_json:
    enabled: true
    config:
      remote: <http://keto:4466/relation-tuples/check|http://keto:4466/relation-tuples/check>
      payload: |
        {
          "namespace": "api_access",
          "object": "endpoints",
          "relation": "access",
          "subject_id": "{{ print .Extra.identity.metadata_admin.role }}"
        }

Hello folks! Is it possible to have an authenticator configured as bearer_token in oathkeeper.yml , and then specify another one for specific rules? From what I gather from the docs it is but I haven’t tested it

Second question: When using Oathkeeper as a reverse proxy, is there a way to prevent certain headers from being forwarded to upstream (eg. X-User)? Is the only way to enable the header mutator and specify the X-User header be set to something else?

Curious if there is an advantage to the JWT being signed when forwarding oathkeeper requests using the id token mutator? If the target service is internal (and only available behind oathkeeper), validating the signature isn't so important right? I guess it's important if the service is also available via other paths that don't go through oathkeeper?

Hey everyone. Why do we need to specify a required_action and required_resource in the config for keto_engine_acp_ory? Isn't this information primarily specified on a access rule level? Why the need for a global config for this?

Hello, how do I authenticate to Ory Permissions (Ory Network hosted Keto) from a remote_json authorizer at OathKeeper?

Hello, I wonder if I can use Ory Permissions (Ory Network) as an

keto_engine_acp_ory

authorizer in OathKeeper? If so, do I just set the

keto_engine_acp_ory

handler’s base_url to the Ory Network project slug URL?

I am trying to get oathkeeper running for our development environment. oathkeeper runs in docker, the services are running locally. this is one of the rules: { "id": "access-my-service", "version": "v0.40.6", "upstream": { "url": "http://host.docker.internal:8082/v1/employees" }, "match": { "url": "http://127.0.0.1:4455/v1/employees", "methods": ["GET", "POST", "PUT", "DELETE"] }, "authenticators": [ { "handler": "cookie_session", "config": { "check_session_url": "http://host.docker.internal:3000/api/.ory/sessions/whoami" } } ], "authorizer": { "handler": "allow" }, "mutators": [{ "handler": "noop" }] } if I do docker exec -it oathkeeper2-oathkeeper-1 ping http://host.docker.internal:8082/v1/employees ping: bad address 'http://host.docker.internal:8082/v1/employees' I am not sure why that is. If I do curl http://127.0.0.1:4455/v1/employees I get: oathkeeper2-oathkeeper-1 | time=2023-11-10T234357Z level=warning msg=Access request denied audience=application error=map[debug: message:Access credentials are invalid reason: status:Unauthorized status_code:401] granted=false http_host=127.0.0.1:4455 http_method=GET http_url=http://127.0.0.1:4455/v1/employees http_user_agent=curl/8.1.2 service_name=ORY Oathkeeper service_version=v0.40.6 and this response in postman { "error": { "code": 401, "status": "Unauthorized", "message": "Access credentials are invalid" } } while the session and csrf cookies are set. Any Idea, what I am missing here?

Hello 👋 I’m using oathkeeper as an api-gateway in front of my microservices. I am now integrating with some webhooks so I added a new access rule. I would like to restrict the calling IP addresses for this new rule. Is there a way to do this ? Currently my access rule looks like this and is very permissive. I’d like to whitelist 3 IP addresses for it

- id: 'my-webhook'
  upstream:
    preserve_host: false
    url: <http://my-service>
  match:
    url: <https://my-api.com/my-webhook>
    methods:
      - POST
  authenticators:
    - handler: noop
  authorizer:
    handler: allow
  mutators:
    - handler: noop

I try to configure oathkeeper logging, but for some reason it’s always ignored. My config.yaml contains

log:

leak_sensitive_values: true

format: json_pretty

level: warn

But I get logs in text format without sensitive information on level info. 😕 I’m editing the right config file, because when I write “logs” instead of “log”, oathkeeper shows me a parse error. Any ideas why this is happening?

Hello guys! Using Oathkeeper, is it possible to show a 404 html error page (instead a json) when request has text/html http header? I can’t find this information in documentation. Thanks!

can anyone please help me on the above rules issue?

- id: "orykratos admin ui nodeprotected" upstream: preserve_host: true url: "http://mydomain.xyz:80" match: url: "http://mydomain/{static,iframe,dashboard,graph,skeleton,composer,presentation,**.css,**.js,**.json,**.png,**.ico}{/,}{**}" methods: - GET authenticators: - handler: cookie_session authorizer: handler: remote_json config: remote: http://keto-api:4456/check payload: | { "namespace": "access", "object": "administration", "relation": "access", "subject_id": "{{print .Extra.identity.traits.role }}" } mutators: - handler: id_token errors: - handler: redirect config: to: http://obsidian-edtech-qa.47billion.com/panel/login - id: "orykratos selfservice ui nodeanonymous" upstream: preserve_host: true url: "http://selfservice:4455" strip_path: /panel match: url: "http://mydomain/panel/{welcome,verification,recovery,registration,assets,login,**.css,**.js,**.png}{/,}" methods: - GET authenticators: - handler: anonymous authorizer: handler: allow mutators: - handler: noop i have this two rules defined in my oathkeeper . i want to allow mydomain/dashboard ,currently it is only allowing mydomain/dashboard/ i want to eliminate trailing slash

Hi guys, can you help me with this issue. Please check the config and accessrules file. When I try to hit the endpoint

<http://127.0.0.1:8080/todos>

. I get unauthorized response

{
  "error": {
    "code": 401,
    "status": "Unauthorized",
    "message": "Access credentials are invalid"
  }
}

and but this

check_session_url

endpoint is not getting hit. bcz there are no logs from that api. I have also posted logs from oathkeeper Can you guys help me with this issue like is there anything wrong in the config or anything else I am missing.

Hi everyone, I'm reaching out as a representative of Imhotep-SynApp, and we have recently encountered an issue with Oathkeeper, which we believe may be a bug. One of our engineers has already documented the problem on GitHub at the following link: GitHub Issue #1081. The issue we've come across pertains to Oathkeeper's handling of sensitive values in logs. By default, Oathkeeper redacts sensitive information from the logs, such as the Authorization HTTP header and cookie values. However, when we define a custom bearer token in the bearer_token authenticator, the value of this token is not being redacted. We believe this is a bug, as we have explicitly identified the custom HTTP header in the bearer_token authenticator as containing sensitive data, and it should, therefore, be redacted. We understand that your team may have limited resources and that addressing this issue may take some time. In such a case, we are more than willing to contribute to Oathkeeper as developers, starting with this particular bug. We believe in the spirit of open source and would like to collaborate to resolve this issue. Thank you for your attention to this matter, and we look forward to your response. If you require any further information or assistance from our end, please don't hesitate to let us know.

if using Kubernetes deployment and oathkeeer maester, it'll be two CRD with non-overlapping matching rules on the HTTP path (edited)

@alert-advantage-94977 is it possible without using maester? nice to know it's possible using maester!

@tall-easter-67692 one oathkeeper is enough if using Kubernetes deployment and oathkeeer maester, it'll be two CRD with non-overlapping matching rules on the HTTP path

How do I proxy the same url path from 2 different microservices? Do I have to have 1 oathkeeper instance for each? For example i have api1.example.com/health and api2.example.com/health, how can I rewrite either of the URLs in oathkeeper?

I have this for configuration for my authenticator I want to generate now a bearer token where can I generate this and where can I find it?

bearer_token:
    enabled: true
    config:
     check_session_url: <https://www.domain.be/sessions/whoami>
    preserve_path: true
    extra_from: "@this"
    subject_from: "identity.id"
    token_from:
      header: X-Session-Token
    forward_http_headers:
      - Authorization
      - X-Session-Token

Hi guys, can someone please do codereview for the bugfix? https://github.com/ory/oathkeeper/pull/1138

When I call the

whoami

endpoint with the

X-Session-Token

set to `ory_st_7ek8qeAbffehkb9dGFoz1dWNZeVQuatd`it tells me

{
  "error": {
    "code": 500,
    "status": "Internal Server Error",
    "message": "securecookie: base64 decode failed - caused by: illegal base64 data at input byte 36"
  }
}

And the official API doc says the format is

MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj

but on the rare occasions the Session Token is mentionned in the doc it says it is prefixed with

ory_st

. I am quite confused and can't understand where to go from there...

Hello, I am self hosting Oathkeeper and Kratos for a Mobile App project. I am using the API endpoints for Kratos and thus get an Ory session token when logging in that looks like this

ory_st_7ek8qeAbffehkb9dGFoz1dWNZeVQuatd

. I am having trouble finding any documentation on how to setup my access rule to verify the session token. I can see bearer_token and cookie_session but it does not seem to be what I need. Which authenticator should I use ?

Hi. I am getting my feet wet with Oathkeeper but have problems running it in Kubernetes with a minimal config and empty access rules. Not sure what I am missing as the error isn't super helpful. The

/health/ready

endpoint returns a 503 *healthx.swaggerNotReadyStatus a few times before getting killed. Full error:

time=2023-10-11T07:52:57Z level=error msg=An error occurred while handling a request audience=application error=map[message:The requested resource could not be found stack_trace:stack trace could not be recovered from error type *healthx.swaggerNotReadyStatus] http_request=map[headers:map[accept:*/* accept-encoding:gzip connection:close user-agent:kube-probe/1.24] host:127.0.0.1 method:GET path:/health/ready query:<nil> remote:127.0.0.6:42323 scheme:http] http_response=map[status_code:503] service_name=ORY Oathkeeper service_version=v0.40.6

So, I see that I can use the

ory_session_...

to make a request to determine who the HTTP request belongs to in my Go backend. I need to get the

identity.id

in my backend. However, is there a way to pass the

identity.id

to the backend from oathkeeper instead of having to make an additional request in my backend?

Under what conditions does Oathkeeper reload access rules from s3:// URLs? In OPA, there's a configuration setting to tell it to poll for etag changes every X minutes and download the bundle if it's changed.