# talk-oathkeeper
w
Looking for opinions: we have a backend that should accept auth from Firebase as well as Kratos. My plan is to use Oathkeeper as an authorization aggregator. Depending on the header used, it should check the token against Firebase or our Kratos and unify it to an id-token for our backend, containing the userId and whether it's Firebase / Kratos. Is that possible? I thought I would need two authenticators, maybe one like this for Firebase:
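```yaml
bearer_token:
    enabled: true
    config:
      # [API_KEY] is a placeholder for the Firebase project's API key
      check_session_url: "https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=[API_KEY]"
      # read the token from the firebaseIdToken request header
      token_from:
        header: firebaseIdToken
      preserve_path: true
```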
and another one for Kratos with another header selector. Would it be possible to transform the header firebaseIdToken to a query parameter in check_session_url? TIA
m
Hey, I think that should be possible, however I have not tried something like this before. Let us know how it goes - would be a great addition to the oathkeeper examples!
w
I will. Any hints on how I can transform an incoming header to a GET parameter in the check_session_url?
n
AFAIK it is not possible to translate the request in that manner in the bearer_token authenticator. To solve this problem in our system we built a thin API that does the translation for us.