# talk-oathkeeper
Hello all, I am trying to use Oathkeeper & Kratos together in order to do something which (I thought) would be quite simple. All that needs to happen is check if the current Kratos session is valid, and if so, get the requested path from the upstream server. The upstream server does not need any headers — this setup just relies on security through obscurity of that server’s URL. My Oathkeeper rule looks like this (upstream URL is a placeholder here):
```json
{
    "id": "allow-cookie-authn",
    "version": "v0.40.1",
    "upstream": {
        "url": "https://httpbin.org/anything/header",
        "strip_path": "/portal-builds"
    },
    "match": {
        "url": "https://<.*>/portal-builds/<.*>",
        "methods": [
            "GET"
        ]
    },
    "authenticators": [
        {
            "handler": "cookie_session",
            "config": {}
        }
    ],
    "authorizer": {
        "handler": "allow"
    },
    "mutators": [
        {
            "handler": "noop"
        }
    ]
}
```
… and the cookie_session authenticator is defined as:

```yaml
cookie_session:
  enabled: true
  config:
    check_session_url: https://kratos-public/sessions/whoami
    forward_http_headers: []
```
I think this worked exactly once, but I couldn’t reproduce it. All I get now are `502`/`504` intermittently after restarting the pod, or `403` "Access credentials are not sufficient to access this resource".

Edit: Resolved
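The flow the post describes, as an added example that is not code from the original post, from Oathkeeper or from Kratos: a constructed model of one access rule, the `cookie_session` authenticator, and a stand-in for the Kratos `/sessions/whoami` endpoint. It shows what the proxy decides for a request depending on which headers are forwarded to the session check. The rule values are the post's own; the hostnames, cookie values, identity id and the session store are made up, and the model treats an empty `forward_http_headers` list literally as "forward nothing" and models `strip_path` as a plain prefix strip. Both of those are assumptions about the real behaviour and should be confirmed against the Oathkeeper docs for the version in use.

```python
import re
from urllib.parse import urlsplit

# Access rule from the post; the upstream URL is a constructed placeholder.
RULE = {
    "match": {"url": "https://<.*>/portal-builds/<.*>", "methods": ["GET"]},
    "upstream": {"url": "https://upstream.example.invalid", "strip_path": "/portal-builds"},
}

# Constructed session store standing in for Kratos: Cookie header -> whoami body.
KRATOS_SESSIONS = {
    "ory_kratos_session=constructed-valid-token": {
        "active": True,
        "identity": {"id": "user-1"},
    }
}


def kratos_whoami(headers: dict) -> tuple[int, dict]:
    """Stand-in for GET /sessions/whoami: 200 with the session body when the
    forwarded Cookie header carries a known session, otherwise 401 (modelled)."""
    session = KRATOS_SESSIONS.get(headers.get("Cookie", ""))
    if session is None:
        return 401, {"error": {"code": 401, "message": "The request could not be authorized"}}
    return 200, session


def match_url_to_regex(match_url: str) -> str:
    """Oathkeeper's match.url holds regexps delimited by < and >; text outside
    the delimiters is literal. Translate to a Python regex with one capture
    group per delimited part."""
    parts = re.split(r"<([^>]*)>", match_url)
    return "".join(f"({p})" if i % 2 else re.escape(p) for i, p in enumerate(parts))


def rule_matches(rule: dict, method: str, url: str) -> bool:
    """A rule applies when the method is listed and the full URL matches."""
    if method not in rule["match"]["methods"]:
        return False
    return re.fullmatch(match_url_to_regex(rule["match"]["url"]), url) is not None


def upstream_path(rule: dict, request_path: str) -> str:
    """Modelled strip_path: remove the configured prefix before forwarding."""
    strip = rule["upstream"].get("strip_path", "")
    if strip and request_path.startswith(strip):
        return request_path[len(strip):] or "/"
    return request_path


def cookie_session_authenticate(request_headers: dict, forward_http_headers: list,
                                check_session=kratos_whoami):
    """Forward only the configured request headers to check_session_url and
    return the subject (identity.id) on 200, or None when the check fails."""
    wanted = {h.lower() for h in forward_http_headers}
    forwarded = {h: v for h, v in request_headers.items() if h.lower() in wanted}
    status, body = check_session(forwarded)
    if status != 200:
        return None
    return body["identity"]["id"]


def decide(rule: dict, method: str, url: str, request_headers: dict,
           forward_http_headers: list) -> tuple[int, object]:
    """Proxy decision for one request: no matching rule, failed
    authentication, or the subject plus the path handed to the upstream."""
    if not rule_matches(rule, method, url):
        return 404, "no rule matched"
    subject = cookie_session_authenticate(request_headers, forward_http_headers)
    if subject is None:
        return 403, "Access credentials are not sufficient to access this resource"
    return 200, {"subject": subject, "upstream_path": upstream_path(rule, urlsplit(url).path)}


if __name__ == "__main__":
    url = "https://app.example.invalid/portal-builds/index.html"
    good = {"Cookie": "ory_kratos_session=constructed-valid-token"}
    print(decide(RULE, "GET", url, good, ["Cookie"]))  # authenticated, path stripped
    print(decide(RULE, "GET", url, good, []))          # cookie never reaches whoami
```

In this model the same valid cookie is accepted when `Cookie` is in the forwarded set and rejected with the 403 message from the post when it is not, because the session check never sees it. That makes the forwarded-header list the first thing to compare against the Oathkeeper docs when diagnosing a 403 from `cookie_session`; the 502/504 responses are a separate question about reachability of the session endpoint or the upstream and are not modelled here.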