https://www.ory.sh/ logo
Join Slack
Powered by
  • m
    archived the channel
    0
  • m
    Hello, all 👋 Since it is getting a bit noisy in the different channels we decided to archive some channels. So going forward there will be • #ory-selfhosting for all discussions around self-hosting Ory software (Kratos/Hydra/Oathkeeper/Keto. This is the best place to talk with other developers, help others, and ask questions. • #ory-network for all questions around Ory Network, for those who are on the Developer plan, testing and exploring Ory Network. • #C05PHQCFL1F for Ory Network production support for all Ory Network users. • #contributors as before for Ory open source contributions of any kind • #feedback for general feedback regarding any Ory product. We want to learn from you how to improve Ory and shape the roadmap. • #_newcomer for those very new to Ory This channel will be archived, please feel free to copy over your unanswered questions - if any - from this channel to the fitting channel as described above! The channels are set up now, and will be finalized over the easter weekend. Feel free to use the #feedback channel to let us know what you think.
    0
  • g
    Hi Team, does oathkeeper support Content Security Policy (CSP) and Strict-Transport-Security (HSTS) configuration I want include this header. I am using self hosted ory . Please help
    0
  • p
    Has anyone used oathkeeper with aws custom authorizers as is mentioned is possible in the documentation? Trying to figure out how that works since the docs describe using oathkeeper likeso
    Copy code
    oathkeeper serve
    0
  • c
    Hi all, I got the oathkeeper running and setup an very simple 
    noop
    access-rule successfully. So I'm good on basics, but need some suggestions on production use case. In production I'm self hosting Kratos, Hydra and custom UI for auth and OIDC flows, and would love to add Oathkeeper as well. My use case is following: I want Oathkeeper to automatically redirect to unauthenticated users to my custom build auth page (which implements OAuth2 consent flow as well), after successful authentication I want Oathkeeper to verify that subject is part of the preconfigured group, and if so only then to proxy the request to the upstream service. Is that possible? From my understanding, reading authenticator and authorizers documentation this is not supported out of the box. I'm fine with implementing custom authorizers but want to make sure I'm not missing something. Any suggestions?
    0
  • s
    Hello dear folks ! I was wondering how do you manage oathkeeper cache ? I see no metric endpoints on cache usage (HITS/MISSES), nor number of stored keys and evictions. How do you adjust the available memory for oathkeeper and avoir out of memory issues ?
    0
  • m
    (the bug being that escaped slashes in URLs become unescaped during processes)
    0
  • m
    hello chat! all I'm coming here with is a poke request for a PR review: I opened https://github.com/ory/oathkeeper/pull/1134 a few months ago to fix a rather annoying bug and I was hoping I could get some eyes on it.
    0
  • w
    Hey all 👋🏼 Firs things first: Thanks to all maintainers and contributors for the awesome Ory project and the whole ecosystem around it! This is our go-to toolbox for authentication as well as my personal favorite when it comes to homelab security and preferred answer when someone asks for recommendations. We are currently facing a problem with the 
    return_to
    parameter and the resulting URL encoding. Here's a quick overview of the relevant parts of our setup: • Multiple Kubernetes clusters (most of them at version 
    v1.27.3
    ) • Traefik as ingress controller • Ory Kratos (version 
    1.0.0
    via Helm chart version 
    0.35.0
    ) that interacts with providers like Azure AD (now called _Entra ID_… because they like to confuse everyone) • Ory Oathkeeper (version 
    0.46.6
    via Helm chart version 
    0.35.0
    ) that only interacts with the Ory Kratos workloads. • A _Traefik_[ ](https://doc.traefik.io/traefik/middlewares/http/forwardauth)`ForwardAuth` middleware that basically passed every external request coming into the cluster (e.g. through _Traefik_ ingresses) to Ory Oathkeeper (like described in the Ory official documentation). In the logs we see that the 
    X-Forwarded-URI
    header contains the correct value, which is passed by Traefik through the middleware to Ory Oathkeeper, but the 
    path
    field, for whatever reason, suddenly contains the value where only encoded the 
    ?
    is encoded (
    %3F
    ) while other "encodable" characters like 
    =
    are left untouched    . This behavior is the absolute opposite of what should happen since the 
    ?
    character is safe to be passed, or even more it is required to be non-encoded. The result is that this encoded 
    ?
    is then double encoded (
    %253F
    ) later on     when the full 
    return_to
    parameter value is encoded, so basically the complete URL. The final result is that the browser now redirects to the URL where the 
    ?
    character is encoded (
    %3F
    ) which makes it impossible for applications to parse it, e.g. ones that provide a HTTP REST API but of course no mapping exists for such requests because the 
    %3F
    is interpreted as part of the path, not as URL parameter. Out Ory Oathkeeper configuration does not modify the parameters in any way but only uses basic authentication flows and methods without mutators (at least not for the routes that suffer from this problem). In short the flow is the following, using the 
    <http://example.org|example.org>
    domain as example: 1. An unauthenticated external request is send to a Ory Oathkeeper protected route (assuming the whole 
    <http://example.org|example.org>
    domain only allows authenticated requests): 
    <https://example.org/foo/bar?hello=world>
    2. The _Traefik_ ingress matches the request and applies the 
    ForwardAuth
    middleware that passes it to Ory Oathkeeper. • in the logs of Traefik the 
    RequestPath
    field contains 
    /foo/bar?hello=world
    X-Forwarded-URI
    header is set containing the exact same value and passed to Ory Oathkeeper 3. Ory Oathkeeper logs that the 
    X-Forwarded-URI
    header is 
    /foo/bar?hello=world
    . 4. Ory Oathkeeper logs and error: "Access credentials are invalid", which is expected because the request is not authenticated. • the 
    http_url
    field in this (JSON) log contains the correct value 
    <https://example.org/foo/bar>
    5. In the next Ory Oathkeeper log the 
    X-Forwarded-URI
    header is still 
    /foo/bar?hello=world
    , but the 
    path
    field is suddenly set to 
    /foo/bar%3Fhello=world
    !     This is not expected at all since the 
    ?
    is "safe" and must not be encoded! 1. Some log lines later (the logging for "Access request granted"), after the user authenticated against Azure AD through our own web UI (that communicates with the Ory stack), the 
    http_url
    field is set to 
    <https://example.org/foo/bar%253Fhello%3Dworld>
    so the 
    ?
    character is now encoded twice    ! 2. The final redirect URL for the browser now contains the double encoded 
    ?
    character which, when decoded again, results in the invalid URL 
    <https://example.org/foo/bar%3Fhello%3Dworld>
    . So in short the URL changes from 
    <https://example.org/foo/bar?hello=world>
    <https://example.org/foo/bar%3Fhello=world>
    <https://example.org/foo/bar%253Fhello=world>
    <https://example.org/foo/bar%253Fhello=world>
    <https://example.org/foo/bar%3Fhello%3Dworld>
    . I know that all of this is hard to understand in text form and also hard for me to explain in details, but I still work on a way to create a SSCCE through a local kind Kubernetes cluster (debugging in the actual clusters disturbs the workflow of our teams, even in pure development clusters). The plan was to compile Ory Oathkeeper manually to try to prove that this is a bug in the code. I delved deeply into the Ory GitHub repositories and found issues #1003 which I was very confident that it could be related to our problem. It was resolved in PR #1025, bu as far as I can see only in the 
    api/decision.go
    file (for the 
    /decision
    HTTP endpoint), and it hasn't changed for version `0.46.6` since, but the `pipeline/errors/error_redirect.go` file was not adjusted. I'm not that familiar with the code yet (planned to contribute to the project in the future), but my guess is that this is a bug which causes this problem we are currently facing. I'm not 100% sure yet since this must have been already noticed by other users since it "breaks" all of our redirects and results in error pages because the applications can't handle these requests (not only our products, but even Grafana throws errors), but I haven't found any other reports yet. My hope for this wall-of-text™️ is that maybe someone has an idea how to solve this (feel free to shout at me how stupid I am when you know where we did something wrong 😁) or maybe find others who also faced, also still facing, the same problem.
    0
  • e
    It seems you cannot enable headers mutator without config? Why is that? Maybe I am missing something, but I basically want to have different header config for different rules, and I just want to enable the mutator like such
    Copy code
    mutators:
  noop:
    enabled: true
  header:
    enabled: true
    Which fails
    Copy code
    oathkeeper-1  | The configuration contains values or keys which are invalid:
oathkeeper-1  | mutators.header: map[enabled:true]
oathkeeper-1  |                  ^-- oneOf failed
oathkeeper-1  |
oathkeeper-1  | The configuration contains values or keys which are invalid:
oathkeeper-1  | mutators.header.config: <nil>
oathkeeper-1  |                         ^-- one or more required properties are missing
oathkeeper-1  |
oathkeeper-1  | The configuration contains values or keys which are invalid:
oathkeeper-1  | mutators.header.enabled: true
oathkeeper-1  |                          ^-- value must be false
oathkeeper-1  |
    Why must I provide config if I'll provide it when I use the mutator in my rules?
    0
    n
    • 2
    • 1
  • b
    We are self-hosting Oathkeeper in our cluster and are using Ory Network for everything else. I am trying to point Oathkeeper at Ory Network for a remote_json authorizer to test whether the user has permission to use a specific service. But the users don't have permission to hit 
    /check/relation-tuples
    , they get a 401. Is there a different endpoint I should be hitting for the authorizer or something different I should be doing?
    0
    r
    • 2
    • 9
  • d
    having some issues trying to run the quickstart for kratos and oathkeeper. seems that the 
    Requested url does not match any rules
    error keeps showing up when i try to hit 
    <http://locahost:4455/welcome>
    0
    w
    • 2
    • 15
  • o
    Hii , How are u doing is there any way of customizing the error messagesfrom the template and the in for the kratos error handling part and email template customization
    0
  • m
    Hey everyone, I’m evaluating oathkeeper for my latest project and I’m pretty new to ory in general. So please excuse the stupid questions. I’m aiming to use oathkeeper as a proxy and pass the request to whichever service on the backend that is the most appropriate, but I’m running into some issues with the rules engine. It’s likely me doing something odd, but I figured I’d ask here to see how other have solved this. I have a very simple setup with kratos, a golang web server and oathkeeper. I’d like to have a catchall allow rule for 
    hostname:port/<**>
    and then have more specific rules for things that a user needs to be authenticated for, e.g. 
    hostname:port/admin/<**>
    When trying a very simple test ruleset I end up with a 
    Expected exactly one rule but found multiple rules
    error test rule set
    Copy code
    ---
- id: "test-rule"
  version: v0.40.6
  upstream:
    preserve_host: false
    url: "<http://localhost:8081>"
  match:
    url: "<http://localhost:9100/><**>"
    methods:
      - GET
  authenticators:
    - handler: noop
  mutators:
    - handler: noop
  authorizer:
    handler: allow
  # errors:
  #   - handler: redirect
  #     config:
  #       to: <http://localhost:4455/login>

- id: "test-rule2"
  version: v0.40.6
  upstream:
    preserve_host: false
    url: "<http://localhost:8081/ping>"
  match:
    url: "<http://localhost:9100/ping>"
    methods:
      - GET
  authenticators:
    - handler: noop
  mutators:
    - handler: noop
  authorizer:
    handler: deny
  errors:
    - handler: redirect
      config:
        to: <http://localhost:9100/login>
    Has anyone been able to solve this?
    0
    w
    • 2
    • 2
  • d
    Hello there ! Just a quick question as I have no idea on the subject, in our infrastructure we use the Kratos link to Hydra to perform the login challenge and get tokens(that why i work so hard to get a working functionnal selfhosted-ui and kratos-hydra integration example), with these tokens we can authenticate our users from our mobile app with our API gateway and Oathkeeper rules. But for our new requirement, we need to reverse the process, so that the Hydra tokens go back into the Kratos cookie to perform some interactions with the Kratos settings / oidc flows, do you know if this is possible and if there's a way like the Oathkeeper cookie mutator to do this? Any ideas Ory team or anyone ? @bland-eye-99092 @steep-lamp-91158 Slack Conversation
    0
  • w
    Lastly (for today), I have another use case that is now possible to implement because of the enhancements I've listed above; regexp named groups specifically. I have a rule that captures a named group that I want to make available to the 
    MatchContext
    via a new field: 
    RegexpNamedCaptureGroups
    . Currently, 
    MatchContext
    has a field: 
    RegexpCaptureGroups
    but this field only (naively?) sets capture groups to a 
    []string
    with no reference to the regexp group the capture is associated. My enhancement adds 
    RegexpNamedCaptureGroups map[string]string
    to 
    MatchContext
    and populates the map based on the groups captured and their values. The groups include all numbered and named groups; similar to 
    FindStringSubmatch
    , group "0" is skipped. The result map can be used to look up "named" as well as numerical e.g., "1" capture groups. These can then be accessed within 
    text {{ print "templates" }}
    within config files. I feel this can be carried over into use within jsonnet. As an example, a config can contain a regexp url match rule such as: 
    <https://example.com/><<(?<id>[-0-9a-fA-F]+)>>
    and within that same rule, any text templates can refer to 
    .MatchContext.RegexpNamedCaptureGroups.id
    or 
    index .MatchContext.RegexpNamedCaptureGroups "id"
    . My changes enable this construct.
    0
  • w
    I have another use case where I need to send an authz request to a legacy system. Unfortunately, this legacy system is set up in such a way that all web handlers are publicly accessible; this includes the handler I am creating modifying for this authz request. In my fork, I've added a config option to 
    remote
    , and 
    remote_json
    (to start). The config option I've named: 
    signed_payload
    and would include an enhancement to the config schema along these lines:
    Copy code
    "signed_payload": {
  "title": "Sign payload and set the signature to a named header",
  "default": null,
  "properties": {
    "header": {
      "title": "Header to contain the payload signature (base64)",
      "type": "string",
      "description": "The name of the request header that will be populated with the signature of the payload that will be sent to the authorizer",
      "examples": ["X-Request-Signature", "X-Jwks-Signature"]
    },
    "shared_key": {
      "title": "Shared key to use to sign the payload. (Cannot be set along with 'jwks_url')",
      "type": "string",
      "description": "The shared key to use to sign the payload to generate an HMAC signature of the payload",
      "examples": ["47ac7a07-b504-458d-a081-c80da1cfe6cd"]
    },
    "jwks_url": {
      "type": "string",
      "format": "uri",
      "title": "JSON Web Key URL (Cannot be set along with 'shared_key')",
      "description": "Sets the URL where keys should be fetched from. Supports remote locations (http, https) as well as local filesystem paths.\n.",
      "examples": [
        "<https://fetch-keys/from/this/location.json>",
        "file:///from/this/absolute/location.json",
        "file://../from/this/relative/location.json"
      ]
    }
  }
}
    Initially, my thought is to support shared-key (HMAC256) and jwks (RS256, etc) signing. The default headers for each of these would be 
    X-Request-Signature
    and 
    X-Jwks-Signature
    respectively with jwks signing including an additional header matching the 
    X-Jwks-Signature
    (or user-specified header) with 
    -Kid
    appended which would represent the keyId used from the key set (jwks). Internally to support jwks signing I made enhancements to 
    credentials/Signer.go
    and 
    credentials/SignerDefault.go
    to support signing a simple 
    string
    payload (in addition to what it currently can handle: 
    jwt.Claims
    . The signature of the additional interface function looks like this:
    Copy code
    SignPayload(ctx context.Context, location *url.URL, payload string) (string, string, error)
    The strings that this function returns are: 
    Signature
    and 
    KeyId
    . These are then used in the 
    authz/remote_json.go
    and 
    authz/remote.go
    to populat the associated header fields. I took an additional step to calculate the signature of the raw request body in 
    authz/remote.go
    but since oathkeeper is intercepting (piping) an http request, the raw payload as it looked originally on the client (when the client would have generated a request signature) I feel there could be concerns upstream regarding whether the signature verification should calculate the payload signature on the raw payload or on the payload after any http transforms have been un applied e,g,: gzip compression. For this reason, I use the 
    remote_json
    authz handler but included the 
    remote
    handler anyway. Why? My concern isn't so much a concern over who is sending the request, my concern is more about what is being sent. I need to ensure that the endpoint processing the authz request knows that the request has not been forged by a bad actor. Simply put, I want the endpoint to be able to reasonably conclude that the message came from oathkeeper. Note, I can probably accomplish this by using 
    remote
    and sending custom headers. But I feel like that would be a workaround for something that may be more useful if more broad configuration options were made available. I can see a use for signing payloads to other authz handlers as well. I can imagine that this could enhance security around any 
    hydrator
    upstreams that may be in a similar situation that my legacy authz handler is in.
    0
  • w
    I have a use case for adding negative lookbehind to my oathkeeper rules. I came across https://github.com/ory/oathkeeper/issues/441 and have joined that conversation; offering my 2c on the topic. Since ory/oathkeeper uses ory/ladon (for parsing the regexp from the config) and dlclark/regexp2 (as the underlying regexp engine), and dlclark/regexp2 supports lookbehinds (positive and negative) as well as possessive matches, I made the following changes: • Updated ory/ladon's 
    regex.go
    to support multi-byte delimiters by slightly refactoring the 
    delimiterIndices
    to process 
    []rune
    (
    string
    cast to 
    []rune
    ) and 
    rune
    (
    byte
    cast to 
    rune
    ) for the 
    pattern
    , 
    delimiterStart
    , and 
    delimiterEnd
    parameters respectively. • Updated ory/ladon's 
    regex.go
    CompileRegex
    to send 
    delimiterIndicies
    parameters cast properly and gently refactored the internal for loop to support the update from 
    string
    to 
    []rune
    . • Why? Processing the 
    string
    as a 
    []rune
    eliminates the importance of the delimiter byte length. Each "character" of the string is processed as a distinct "character". Since these characters can be multi-byte, using 
    []rune
    eliminates the need to care. This means that a pattern can look like this: ◦ 
    urn:foo:«(?<type>\w+):(?<id>(?<!hax:)\w+)»
    or 
    urn:foo:<<(?<type>\w+):(?<id>(?<!hax:)\w+)>>
    and inputs 
    urn:foo:person:user1
    or 
    urn:foo:user:user2
    would match but 
    urn:foo:haxor:user3
    would not match. • But... Why? My use-case requires negative lookbehind to make my oathkeeper rules not make me want to cry. Since oathkeeper uses dlclark/regexp2, lookbehind (and friends) are already supported out-of-the-box. The issue is that within oathkeeper (read: ladon) there is a bug that occurs when it attempts to parse a rule with 
    (?<
    or 
    (?>
    included in the pattern; as would be the case for positive lookbehind, negative lookbehind, and possessive matches. My modification fixes this.
    0
  • r
    Hi! I currently running an configuration from kong <> oathkeeper <> kratos on my development. And i stumbled upon an issue where I need to fetch an 
    verifiable_addresses
    data from kratos. Here is my sample config for oathkeeper
    Copy code
    - id: "api:httpbin-protected"
  upstream:
    preserve_host: true
    url: "<http://httpbin:80/anything>"
  match:
    url: "<http://oathkeeper:4455/httpbin/><.*>"
    methods:
      - GET
      - POST
      - PUT
      - PATCH
      - DELETE
  authenticators:
    - handler: cookie_session
  mutators:
    - handler: header
      config:
        headers:
          X-Verified: "{{ print .Extra.identity.verifiable_addresses }}"
  authorizer:
    handler: allow
  errors:
    - handler: redirect
      config:
        to: <http://localhost:4435/panel/login>
    This will give the upstream the 
    X-Verified: [map[created_at:2024-02-01T07:12:38.871976Z id:7652afd1-c05b-432c-bf80-98e6d6a6efcd status:completed updated_at:2024-02-01T07:12:38.871976Z value:<mailto:test@test.com|test@test.com> verified:true verified_at:2024-02-01T07:12:57.743714Z via:email]]"
    but i only want the 
    verified:true
    part. Is it possible for oathkeeper to get the first data from the array of map? thank you 🙏
    0
    i
    w
    • 3
    • 3
  • g
    Hey folks, is there a way to proxy http/2 grpc traffic with oathkeeper? 🙂 I only found this issue that eventually got closed by was at one point connected to a milestone: https://github.com/ory/oathkeeper/issues/134 🙂
    0
    r
    • 2
    • 2
  • a
    Hello. If i am using authenticator to protect some endpoint is there a way i can include subject to the header of the authenticated request, so protected service receive subject in header after it was authenticated by oathkeeper?
    0
    g
    • 2
    • 1
  • a
    I have access rules like …/users/me …/users/<**> …/users/update But this will not work because more then one rule is found for e.g /me and /:id. I am using <**> for uuid ids. So how can i make this work? I would not like to change the endpoint routes.
    0
    n
    • 2
    • 4
  • d
    Hello! Would you help me understand how the readiness check works? The docs say "This endpoint returns a HTTP 200 status code when Ory Oathkeeper is up running and the environment dependencies (e.g. the database) are responsive as well." However, Oathkeeper doesn't need a database. What dependencies does it check then? Where can I find the ReadyCheckers? I'm asking because this check constantly fails in my setup, even though oathkeeper is operative.
    Copy code
    [oathkeeper] {"audience":"application","error":{"message":"The requested resource could not be found"},"http_request":{"headers":{"accept-encoding":"gzip","user-agent":"Go-http-client/2.0"},"host":"oathkeeper.test-tls.svc.cluster.local:4456","method":"GET","path":"/health/ready","query":null,"remote":"172.31.6.205:9927","scheme":"https"},"http_response":{"status_code":503},"level":"error","msg":"An error occurred while handling a request","service_name":"ORY Oathkeeper","service_version":"v0.40.6","time":"2024-01-09T14:55:46.544664509Z"}
    0
    w
    • 2
    • 9
  • g
    Hi everyone, We have multiple sub domains for different products/API/website. So do we need to have multiple instance of oathkeeper with their own specific config installed on k8s or Is there a way to handle it via a single instance. eg 
    <http://example.com|example.com>
    , 
    <http://api.example.com|api.example.com>
    , 
    <http://drive.example.com|drive.example.com>
    , 
    <http://chat.example.com|chat.example.com>
    so do I need to install 4 instance of oathkeeper. for single instance If it is possible then can you help me with that? we are using single instance of kratos are referencing it like 
    <service>.<namespace>.svc.cluster.local:4434
    0
  • s
    Hello, I just installed the oathkeeper helm chart, but the deployment pod is crash looping because the readiness probe is getting a 503 status code. The logs show:
    Copy code
    ... error=map[message:The requested resource could not be found] ... host:127.0.0.1 method:GET path:/health/ready
    0
  • h
    Hi everyone, I have a question related to the Error Handler with the 
    redirect
    mode. Oathkeeper is behind Kong Gateway.
    Copy code
    # oathkeeper.yaml
# ...
errors:
  handlers:
    redirect:
      enabled: true
      config:
        to: <http://app.lc/login>
        return_to_query_param: continue
        when:
          - error:
              - unauthorized
              - forbidden
    • Navigate http://whoami.lc:8000/pages/private • Unauthenticated request. Redirect to http://app.lc/login?continue=... • But the query param 
    continue
    is wrong URL. ◦ Expect: http://app.lc/login?continue=http://whoami.lc:8000/pages/private ◦ Actually: http://app.lc/login?continue=http://oathkeeper:4455/pages/private How do I fix this issue? There is my access-rules:
    Copy code
    # access-rules.yaml
- id: whoami:page-private
  version: v0.40.6
  upstream:
    url: <http://whoami>
    preserve_host: false
  match:
    url: <http://oathkeeper:4455/pages/private><(/.*)?>
    methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
      - OPTIONS
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: allow
  mutators:
    - handler: header
  errors:
    - handler: redirect
    Debug logs:
    Copy code
    {"http_request":{"headers":{"accept":"application/json","accept-encoding":"gzip, deflate, br","connection":"keep-alive","user-agent":"got (<https://github.com/sindresorhus/got>)","x-forwarded-for":"172.19.0.1","x-forwarded-host":"<http://whoami.lc|whoami.lc>","x-forwarded-path":"/pages/private","x-forwarded-port":"8000","x-forwarded-proto":"http","x-kong-request-id":"facbf508e60b1d6411826d0cbafc0e00","x-real-ip":"172.19.0.1"},"host":"oathkeeper:4455","method":"GET","path":"/pages/private","query":null,"remote":"172.19.0.11:60092","scheme":"http"},"level":"info","msg":"started handling request","time":"2023-12-04T01:12:48.105434044Z"}
{"audience":"application","error":{"debug":"","message":"Access credentials are invalid","reason":"","stack_trace":"\<http://ngithub.com/ory/oathkeeper/proxy.(*requestHandler).HandleRequest|ngithub.com/ory/oathkeeper/proxy.(*requestHandler).HandleRequest>\n\t/project/proxy/request_handler.go:236\ngithub.com/ory/oathkeeper/proxy.(*Proxy).Rewrite\n\t/project/proxy/proxy.go:133\nnet/http/httputil.(*ReverseProxy).ServeHTTP\n\t/usr/local/go/src/net/http/httputil/reverseproxy.go:433\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/corsx.ContextualizedMiddleware.func1\n\t/go/pkg/mod/github.com/ory/x@v0.0.565/corsx/middleware.go:26\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/reqlog.(*Middleware).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.565/reqlog/middleware.go:142\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/oathkeeper/metrics.(*Middleware).ServeHTTP\n\t/project/metrics/middleware.go:103\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.565/metricsx/middleware.go:272\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96\ngo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*Handler).ServeHTTP\n\t/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.36.4/handler.go:204\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2936\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1995\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1598","status":"Unauthorized","status_code":401},"granted":false,"http_host":"oathkeeper:4455","http_method":"GET","http_url":"<http://oathkeeper:4455/pages/private>","http_user_agent":"got (<https://github.com/sindresorhus/got>)","level":"warning","msg":"No authentication handler was responsible for handling the authentication request","reason_id":"authentication_handler_no_match","rule_id":"whoami:page-private","service_name":"ORY Oathkeeper","service_version":"v0.40.6","time":"2023-12-04T01:12:48.105826497Z"}
{"audience":"application","error":{"debug":"","message":"Access credentials are invalid","reason":"","stack_trace":"\<http://ngithub.com/ory/oathkeeper/proxy.(*requestHandler).HandleRequest|ngithub.com/ory/oathkeeper/proxy.(*requestHandler).HandleRequest>\n\t/project/proxy/request_handler.go:236\ngithub.com/ory/oathkeeper/proxy.(*Proxy).Rewrite\n\t/project/proxy/proxy.go:133\nnet/http/httputil.(*ReverseProxy).ServeHTTP\n\t/usr/local/go/src/net/http/httputil/reverseproxy.go:433\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/corsx.ContextualizedMiddleware.func1\n\t/go/pkg/mod/github.com/ory/x@v0.0.565/corsx/middleware.go:26\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/reqlog.(*Middleware).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.565/reqlog/middleware.go:142\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/oathkeeper/metrics.(*Middleware).ServeHTTP\n\t/project/metrics/middleware.go:103\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.565/metricsx/middleware.go:272\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96\ngo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*Handler).ServeHTTP\n\t/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.36.4/handler.go:204\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2936\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1995\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1598","status":"Unauthorized","status_code":401},"granted":false,"http_host":"oathkeeper:4455","http_method":"GET","http_url":"<http://oathkeeper:4455/pages/private>","http_user_agent":"got (<https://github.com/sindresorhus/got>)","level":"warning","msg":"Access request denied","service_name":"ORY Oathkeeper","service_version":"v0.40.6","time":"2023-12-04T01:12:48.105944474Z"}
{"http_request":{"headers":{"accept":"application/json","accept-encoding":"gzip, deflate, br","connection":"keep-alive","user-agent":"got (<https://github.com/sindresorhus/got>)","x-forwarded-for":"172.19.0.1","x-forwarded-host":"<http://whoami.lc|whoami.lc>","x-forwarded-path":"/pages/private","x-forwarded-port":"8000","x-forwarded-proto":"http","x-kong-request-id":"facbf508e60b1d6411826d0cbafc0e00","x-real-ip":"172.19.0.1"},"host":"oathkeeper:4455","method":"GET","path":"/pages/private","query":null,"remote":"172.19.0.11:60092","scheme":"http"},"http_response":{"headers":{"content-type":"text/html; charset=utf-8","location":"<http://app.lc/login?continue=http%3A%2F%2Foathkeeper%3A4455%2Fpages%2Fprivate>"},"size":114,"status":302,"text_status":"Found","took":801890},"level":"info","msg":"completed handling request","time":"2023-12-04T01:12:48.106218184Z"}
    0
    i
    • 2
    • 1
  • f
    Hi everyone, do you know if RegexpCaptureGroups can be used in authenticator config in the access rules? I have a rule that look like this aiming to enforce JWT’s audience to match the requested domain. However the RegexpCaptureGroups reference didn’t render (cause of the error) and get printed out literally in the log.
    Copy code
    {
    "id": "protected_resources",
    "version": "v0.40.6",
    "match": {
      "url": "<http|https>://<.*>/<playground|query|anything/header>",
      "methods": [
        "GET",
        "POST"
      ]
    },
    "authenticators": [
      {
        "handler": "jwt",
        "config": {
          "target_audience": [
            "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}://{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}"
          ]
        }
      }
    ],
    Error in log:
    Copy code
    "reason": "id=\nrid=\nerror=The request could not be authorized\nreason=Token audience [<https://my.domain.com>] is not intended for target audience {{ printIndex .MatchContext.RegexpCaptureGroups 0 }}://{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}
    0
  • a
    Hello 👋, While using Ory Network, I needed to also use Oathkeeper. Now, the upstream I use, Adds its mandatory CORS headers to response it sends. Also, Oathkeeper also add its CORS headers while returning response. So, I am consistently getting multiple "Access-Control-Allow-Origin" and that results in error showing it expected one 'Access-Control-Allow-Origin' but got multiple "Access-Control-Allow-Origin" . What can be way to remove the upstream response headers or Oathkeeper CORS headers so that this problem can be solved? Any suggestion will be helpful. @magnificent-energy-493
    0
  • b
    Hey all. Is keto_engine_acp_ory authorizer in oathkeeper v0.40.6 supposed to perform checks against 
    /engines/acp/ory/exact/allowed
    ?
    0
  • e
    Hi, I have a question related to the id_token mutator . The documentation says > This mutator takes the authentication information (such as subject) and transforms it to a signed JSON Web Token, and more specifically to an OpenID Connect ID Token. In the example, it show a Basic Authorization request, with the session information converted into a JWT and propagated in the 
    authorization
    header. Is there a reason this is specifically an OpenId Connect ID token, or does it just match that convention? The example isn't really using an OIDC flow. From usage, it seems like it's an internal token intended as something like a session token, to propagate authentication information to a downstream service. If I remember correctly, the 
    id_token
    is intended for use by the client rather than being propagated downstream. Sorry if this is a philosophical point, I'm just trying to understand the intend usage to I don't use this for the wrong reasons 😅 The idea of swapping an external authentication (the session info) for an internal represenation (a JWT) is what I'm looking for, so the way it works seems to fit, but the mention of OIDC has confused me a little bit.
    0
    n
    i
    • 3
    • 5