# ory-network
c
Ory feature request and bug:
• Ory Hydra Token Introspect should support OAuth2 Client Credentials Token, not just Ory Cloud API Key (for security)
• Ory Oathkeeper regex path match doesn't work if regex is specified for the entirety of the URL, as in
url: "<.*>"
h
1. No, because introspection is an internal endpoint, and anyone can register oauth2 clients - this is by design
2. That's very strange - I saw two or three discussions / issues by you - which one is the one we should look at?
c
1. However, if someone accesses the proxy and gains access to the API key, they could in theory gain access to the rest of Ory Cloud
h
1. We're currently working on scoping API keys, so in the future they won't be root credentials but you can say what they should be allowed to do. We're still gathering customer info to understand what credentials are useful - I think this is a good example. @steep-lamp-91158 can we add this to the requirements? Making the API key able to "check oauth2 tokens", which allows e.g. token introspection?
2. Thanks! Can you please share what URLs you're calling that aren't being matched?
Regarding (2) - are you sure you have not enabled glob matching? https://www.ory.sh/docs/oathkeeper/api-access-rules
c
100%
In regards to that GitHub issue, both regexes are similar except one redirects ./.ory/kratos/public and this works fine
but /api/account doesn't
even though they're both the same regex and have been tested using other regex tools to match the routes correctly