# talk-oathkeeper
Hi, we are trying to integrate JWT with Oathkeeper, and when running docker compose I am facing the error below. Can someone help, please?
```text
2023-05-10 11:20:53 time=2023-05-10T05:50:53Z level=error msg=The provided configuration is invalid and could not be loaded. Check the output below to understand why. audience=application config_file=/etc/oathkeeper/config.yaml service_name=oathkeeper service_version=
2023-05-10 11:20:53 
2023-05-10 11:20:53 authorizers.allow: map[enabled:true handler:map[name:allow]]
2023-05-10 11:20:53                    ^-- additionalProperties "handler" not allowed
2023-05-10 11:20:53 
2023-05-10 11:20:53 serve: map[api:map[cors:map[allow_credentials:false allowed_headers:[Authorization Content-Type] allowed_methods:[GET POST PUT PATCH DELETE] allowed_origins:[] debug:false enabled:false exposed_headers:[Content-Type] max_age:0] host: port:4456 timeout:map[idle:120s read:5s write:120s]] listen:map[address::4455] prometheus:map[collapse_request_paths:true host: metrics_path:/metrics port:9000] proxy:map[cors:map[allow_credentials:false allowed_headers:[Authorization Content-Type] allowed_methods:[GET POST PUT PATCH DELETE] allowed_origins:[] debug:false enabled:false exposed_headers:[Content-Type] max_age:0] host: port:4455 timeout:map[idle:120s read:5s write:120s]]]
2023-05-10 11:20:53        ^-- additionalProperties "listen" not allowed
2023-05-10 11:20:53 
2023-05-10 11:20:53 authenticators.jwt: map[] enabled:true jwks_cache_duration:3600 jwks_urls:[] leeway:60]
2023-05-10 11:20:53                     ^-- oneOf failed
2023-05-10 11:20:53 
2023-05-10 11:20:53 authenticators.jwt.config: map[scope_strategy:none]
2023-05-10 11:20:53                            ^-- doesn't validate with "#/definitions/configAuthenticatorsJwt"
2023-05-10 11:20:53 
2023-05-10 11:20:53 authenticators.jwt.config.jwks_urls: <nil>
2023-05-10 11:20:53                                      ^-- one or more required properties are missing
2023-05-10 11:20:53 
2023-05-10 11:20:53 authenticators.jwt.enabled: true
2023-05-10 11:20:53                             ^-- value must be false
2023-05-10 11:20:53 
2023-05-10 11:20:53 access_rules: map[interval:5s matching_strategy:regexp path:file:///etc/oathkeeper/rules.yml]
2023-05-10 11:20:53               ^-- additionalProperties "path", "interval" not allowed
2023-05-10 11:20:53 
2023-05-10 11:20:53 (root)
2023-05-10 11:20:53 ^-- additionalProperties "upstream", "config", "rules" not allowed
2023-05-10 11:20:53 
2023-05-10 11:20:53 time=2023-05-10T05:50:53Z level=fatal msg=The services failed to start because the configuration is invalid. Check the output above for more details. audience=application service_name=oathkeeper service_version=
```
Hello Aankesh, your configuration file seems to have some issues. Can you share it, maybe, to help? You can find the documentation about it here, if that helps you: https://www.ory.sh/docs/oathkeeper/reference/configuration
@square-restaurant-45811 can you share the config?
```yaml
# Config version - this should always be set to v1
config:
  version: v1

# HTTP server configuration for the proxy
serve:
  listen:
    address: ":4455"

# HTTP server configuration for the API
upstream:
  oathkeeper:
    url: "http://localhost:4456"
  backend:
    url: "http://localhost:3001"

# Authenticators configuration
authenticators:
  anonymous:
    enabled: true
  jwt:
    enabled: true
    jwks_urls:
      - https://example.auth0.com/.well-known/jwks.json
    audience:
      - example-audience
    jwks_cache_duration: 3600
    leeway: 60

# Authorizers configuration
authorizers:
  allow:
    enabled: true
    handler:
      name: allow

# Rules configuration
rules:
  # A rule that applies to all routes of the API
  - id: api-routes
    match:
      methods: ["GET", "POST", "PUT", "DELETE"]
      url: ".*"
    authenticators:
      - anonymous
      - jwt
    authorizer:
      handler: allow
    upstream:
      name: oathkeeper

  # A rule that applies to all routes of the backend service
  - id: backend-routes
    match:
      methods: ["GET", "POST", "PUT", "DELETE"]
      url: ".*"
    authenticators:
      - anonymous
      - jwt
    authorizer:
      handler: allow
    upstream:
      name: backend

access_rules:
  path: file:///etc/oathkeeper/rules.json
  interval: 5s
```
I have a backend Node.js app running on port 3001.
```json
{
  "rules": [
    {
      "id": "allow-users",
      "description": "Allow access to the /users endpoint",
      "subjects": [
        {
          "type": "jwt",
          "audience": "example-audience",
          "issuer": "https://example.auth0.com/",
          "jwks_urls": [
            "https://example.auth0.com/.well-known/jwks.json"
          ]
        }
      ],
      "resources": [
        {
          "uri": "/users",
          "methods": [
            "GET"
          ]
        }
      ],
      "actions": [
        "allow"
      ]
    },
    {
      "id": "deny-products",
      "description": "Deny access to the /products endpoint",
      "subjects": [
        {
          "type": "any"
        }
      ],
      "resources": [
        {
          "uri": "/products",
          "methods": [
            "GET"
          ]
        }
      ],
      "actions": [
        "deny"
      ]
    }
  ]
}
```
In the rules, I'm adding jwt for users, which allows the endpoint, and for products I'm denying access. This is to test out some cases with Oathkeeper. Also, we are using oryd/oathkeeper:v0.38.6.
I did not test on an Oathkeeper instance, but your rules actually seem to be using a wrong format. You should have an authenticators property, as explained by the error. You can find the documentation about the rule format here: https://www.ory.sh/docs/oathkeeper/api-access-rules#access-rule-format
Thanks, we will check this.
Hi @icy-stone-85106, we updated the rules and now it's working fine, but we are facing issues when hitting the backend service endpoint.
```json
{
  "error": {
    "code": 401,
    "status": "Unauthorized",
    "reason": "The matched rule uses a feature which is not enabled in the server configuration",
    "message": "Access credentials are invalid"
  }
}
```
Can you tell us what needs to be done to resolve this issue?
Sorry for the late response. Can you share the new access rules file? As the error describes, you probably use a feature that is not yet enabled in the config file. The feature to enable depends on your rules, but you have an example here: https://www.ory.sh/docs/oathkeeper/api-access-rules#handler-configuration
I have updated the rule and now it’s working fine.