# talk-oathkeeper
a
We are prototyping the integration of kratos/keto/oathkeeper into our auth stack. Currently we use `remote_json` to call keto to allow access based on API method and path pattern, and it works beautifully. Now I need to implement an access rule per entity id; what's the best way to do it? Keto's check API allows only one tuple to be checked, so I would need some kind of proxy API to check both the API access tuple and the entity id access rule ... or is it better to delegate the entity id based check to the backend API? Thanks for your help
s
what do you mean by "access rule per entity id"? what is an entity in your case? and what kind of check did you get to work already?
a
Hi Patrick, for example, if a User accesses POST /api/product/{productId}/publish I need to validate that the method and the path are allowed for the User (currently works), then I need to check if the Product ID is allowed for the current user (basically I need to check if the product is attached to a Team of the current user internally; that information is all in Keto).
@steep-lamp-91158 sorry to ping you on this one, but I'm really interested in your point of view.
s
hm, why don't you use the permissions in keto instead of making two calls? so similar to
```typescript
import { Namespace, Context } from "@ory/keto-namespace-types"

class User implements Namespace {}
// Assumed here: a Team groups Users through a "members" relation.
class Team implements Namespace {
  related: {
    members: User[]
  }
}

class Product implements Namespace {
  // subjects (teams or users) that own or may view this product
  related: {
    owner: (Team | User)[]
    viewer: (Team | User)[]
  }

  // each permission is what Oathkeeper's remote_json authorizer asks Keto to check
  permits = {
    publish: (ctx: Context): boolean => this.related.owner.includes(ctx.subject),
    edit: (ctx: Context): boolean => this.related.owner.includes(ctx.subject),
    view: (ctx: Context): boolean =>
      this.related.owner.includes(ctx.subject) || this.related.viewer.includes(ctx.subject),
  }
}
```
then you have to select the right permission depending on the path and method, basically by having multiple access rules, one for each permission
```yaml
- id: product-publish
  match:
    methods: [POST]
    url: "/api/product/<.*>/publish"
  authorizer:
    handler: remote_json
    config: # with the publish permission
- id: product-view
  match:
    methods: [GET]
    url: "/api/product/<.*>"
  authorizer:
    handler: remote_json
    config: # with the view permission
- id: product-edit
  match:
    methods: [PUT, POST]
    url: "/api/product/<.*>"
  authorizer:
    handler: remote_json
    config: # with the edit permission
```
does that help you?
a
I will try this and let you know how it works for us. Thanks a lot for your help, and for your awesome software; I really like working with kratos, keto and oathkeeper.
Thanks @steep-lamp-91158, it works perfectly and covers our use case nicely. Now let's write a big Oathkeeper configuration to cover all our APIs.
s
Nice, glad to help