# talk-oathkeeper
b
I’m a bit confused… according to documentation for access rule matching it states that:

```
The information is taken either from the URL, or from the X-Forwarded-Method, X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Uri headers (if present) of the incoming request.
```

So if those headers are present they should override the `scheme` / `host` / etc from the `Request`, correct? However with the following request:
```
2023-03-17 01:41:59 time=2023-03-17T08:41:59Z level=info msg=started handling request http_request=map[headers:map[accept-encoding:gzip cdn-loop:cloudflare; subreqs=1 cf-connecting-ip:2a06:98c0:3600::103 cf-ew-via:15 cf-ipcountry:US cf-ray:7a93f0a370ef0d4c-LAX cf-visitor:{"scheme":"https"} cf-warp-tag-id:5a2bc243-32e1-4ba7-b0c3-b1cb7a1a2540 cf-worker:foundry-staging.xyz connection:keep-alive x-forwarded-for:2a06:98c0:3600::103 x-forwarded-host:iap-development.foundry-staging.xyz x-forwarded-proto:https] host:oathkeeper:4455 method:GET path:/jwks/.well-known/jwks.json query:<nil> remote:172.31.0.12:58988 scheme:http]
```
It fails with the following response since there’s no match:

```
2023-03-17 01:41:59 time=2023-03-17T08:41:59Z level=warning msg=Access request denied audience=application error=map[debug: message:Requested url does not match any rules reason: status:Not Found status_code:404] granted=false http_host=oathkeeper:4455 http_method=GET http_url=https://oathkeeper:4455/jwks/.well-known/jwks.json http_user_agent= service_name=ORY Oathkeeper service_version=v0.40.1
```
So we can see that the rule that it is looking for is `https://oathkeeper:4455/jwks/.well-known/jwks.json`, which appears to take the `scheme` from the `X-Forwarded-Proto`, which is `https`, but it is not using the `X-Forwarded-Host`, which is `iap-development.foundry-staging.xyz`. I was expecting the URL to be: **https**://**iap-development.foundry-staging.xyz**/jwks/.well-known/jwks.json based on the documentation. What am I missing? I guess there’s some ambiguity on what takes priority to generate the URL to match and has left me confused… especially because I see there are tests that show that if these headers are present, then they should override the Request parameters, but in my case, not all headers are replacing the Request params 🤯 https://github.com/ory/oathkeeper/blob/f3ec24a35ca2faeded81e06ba2c27027ed69529b/api/decision_test.go#L399
i
Hi. Take a look here: https://github.com/ory/oathkeeper/blob/f3ec24a35ca2faeded81e06ba2c27027ed69529b/api/decision.go#L43 Actually, it should take the values, as you expect.