# talk-oathkeeper
Hey folks! I’ve been setting up Kratos + Oathkeeper for a project and I’m really happy with it so far. It really suits my way of thinking, though it took a little bit of poking and prodding to understand some of the nuance. But there’s one thing where I’m stuck… We’ve been using Hasura for many projects for the past 4 years or so, and generally we’ve been using Keycloak. There are many things I dislike about Keycloak, but it was pretty easy for us to get up and running with Hasura: point Hasura at the jwk url and with a couple mappers, we were good to go. With Oathkeeper, I like that we can configure things with go templates in the config, but it seems like something is missing from the jwks (I generated private jwks using `oathkeeper credentials generate --alg RS256`). Specifically, Keycloak provided the following fields publicly which don’t appear in the public Oathkeeper jwks: `x5c`, `x5t`, `x5t#S256`
From what I can tell in the Hasura docs, the cert is what’s missing from the Oathkeeper jwks. Is there a way to configure Oathkeeper to provide those values? From what I gather it shouldn’t be too complicated to generate them? I’m not at all familiar with Go, but I really want to use Oathkeeper with Hasura, so if it’s not possible at the moment I could be down to learn a bit to try and contribute something.
For reference, it’s through this issue with Hasura that I started to realize that I might have something missing on the Oathkeeper side.
If you let Oathkeeper generate the key material, it will generate just that. It will not generate a certificate, as there is no way to specify the corresponding attributes via the `credentials generate` command. If it would, the certificate would be self-signed, which you could use for trying things out, but never in production. So, the only option you have is to generate a key pair by yourself, acquire a certificate from a CA of your choice and create a jwks out of all that to let oathkeeper use it. If you would like to have it just running for your scenario, generate a key pair, as well as a self-signed certificate with openssl and convert both into the jwks format. However, oathkeeper will just use the key material; it will not check the certificate, whether it is still valid, and will use it even if it is already expired.
@icy-manchester-83109 thanks for the info!