Hey there! we are wondering, once the authorizati...
# talk-oathkeeper
s
Hey there! We are wondering, once the authorization has done its part, is there a way to send the headers AND the body of the original request to the upstream? E.g.: we're using kratos as our authenticator and keto as our authorization. We have implemented a rule that if the path is keto-write, it checks against the keto-read to see if the user has permissions to work with the keto-write endpoint. This seems to be working fine since we see in keto logs "`status:200 text_status:OK`". However, once the user has been authenticated and authorized, the request should be redirected to the keto-write endpoint with all the information sent in the original request (`"Content-Type: application/json" -d '{"namespace":"groups", "object": "all_users", "relation": "member", "john@doe"}'`), but we get a 307 error instead without further info:
`status:307 text_status:Temporary Redirect`
In the authorized config we added the `forward_response_headers_to_upstream` and the rule goes something like this:
```json
{
    "id": "ory:keto:write",
    "upstream": {
        "url": "http://keto-write/admin/relation-tuples",
        "strip_path": "/keto-write"
    },
    "match": {
        "url": "http://<[^/]+>/keto-write<.*>",
        "methods": [
            "GET",
            "POST",
            "PUT",
            "DELETE",
            "PATCH"
        ]
    },
    "authenticators": [
        {
            "handler": "cookie_session"
        }
    ],
    "authorizer": {
        "handler": "remote_json",
        "config": {
            "payload": "{\"namespace\": \"Group\", \"object\": \"admin\", \"relation\": \"admin\", \"subject_id\": \"{{ print .Extra.identity.traits.email }}\"}"
        }
    },
    "mutators": [
        {
            "handler": "noop"
        }
    ]
}
```
Any idea?
Furthermore, what's interesting is that error 307 doesn't even exist in the keto-write endpoint: https://www.ory.sh/docs/keto/reference/rest-api#tag/relationship/operation/patchRelationships
c
I've encountered a similar problem, but in Kratos's `/admin/identities` endpoint; see https://github.com/ory/kratos/discussions/3327
s
I'll check that, thanks @clever-hair-84680!