Hi folks, how would one create an access rule that...
# talk-oathkeeperm
mammoth-country-5949
03/14/2023, 5:16 PMHi folks, how would one create an access rule that use
oauth2_introspectionremote_jsonsubSubjectw
witty-midnight-20567
03/15/2023, 11:23 AMwhat is your usecase? asking because I might be interested in achieving something similar. - to replace pomerium (oauth-proxy) with ory: https://github.com/ory/oathkeeper/discussions/1075
m
mammoth-country-5949
03/15/2023, 10:13 PMSo it seems that this happens automatically. The documentation (https://www.ory.sh/docs/oathkeeper/pipeline/authn#oauth2_introspection) suggests:
The subject is extracted from theWhen I run a Hydra token through introspection endpoint (http://ory-hydra-admin:4445/admin/oauth2/introspect), I see something like this (and this is what OathKeeper gets back):field.username
Copy code
{
"active": true,
"scope": "kafka",
"client_id": "e31f3c03-80bc-4918-a0fa-afe9f433b400",
"sub": "e31f3c03-80bc-4918-a0fa-afe9f433b400",
"exp": 1678920413,
"iat": 1678916813,
"nbf": 1678916813,
"aud": [],
"iss": "<https://public.hydra.mydomain.com>",
"token_type": "Bearer",
"token_use": "access_token"
}usernameSubjectsubmammoth-country-5949
03/15/2023, 10:18 PMSo although the documentation is not correct, the code reveals that it’s indeed the
submammoth-country-5949
03/15/2023, 10:22 PMMy use-case is system to system integration where a client acquires a token from Hydra and use that token to call another system’s APIs whilst passing that token. The API call gets authorized by:
1- Validating token through Hydra’s introspection endpoint (which resolves the above JSON object)
2- Fine-grained authorization through Keto in which the client id of the caller is used the subject of a Query Tuple
7 Views