# talk-oathkeeper
d
Hi all. I'm trying to integrate Oathkeeper with the other Ory stack components (Hydra, Kratos). I want to use the `oauth2_introspection` authenticator and, in case no valid token is found, initialize the authorization code flow. So when the request is unauthorized, I'm using an error handler to redirect to <http://hydra:4444/oauth2/auth?client_id=some-client-id&scope=openid+email&response_type=code&redirect_uri=http://127.0.0.1:8080/hello&state=somerandomstate>. I'm then using Azure AD to log the user in. After the login at the external IdP, the request lands with an authorization code at <http://127.0.0.1:8080/hello?code=ory_ac_code>. It then enters an endless loop: the request is still unauthorized (because the introspection endpoint needs an access token), so it calls /oauth2/auth again to handle the error. My question is: how can Oathkeeper call /oauth2/token instead to exchange the authorization code for an access token, so that it can be sent to the introspection endpoint? I tried to use the hydrator mutator to call the token endpoint, but the request never manages to get through it because it's stuck at the error handler redirection. Has anyone managed to integrate with Hydra? Thanks in advance for your help.
n
Oathkeeper cannot (and should not) do this for you. The client making the request must be the one that performs the authorization code flow, as it is the OAuth 2.0 client accessing the API on behalf of the user, not Oathkeeper.
i
Depending on what you mean by an "access token" for the introspection endpoint, you can configure the `oauth2_introspection` handler to request that token. See also the `pre_authorization` property in the documentation: https://www.ory.sh/docs/oathkeeper/pipeline/authn#oauth2_introspection-configuration
The token issued for your client application (upon user authentication) and the token required for the introspection endpoint are two completely different things. It looks like you've confused the two.
d
@numerous-umbrella-61726 thank you. I will try integrating with Kratos then.
@icy-manchester-83109 thanks for your answer. I know those tokens are different, and I was already using pre-authorization for client credentials, but that doesn't solve my issue with user authentication.
i
I just took a look at your question again:
> how can oathkeeper call /oauth2/token instead to exchange the authorization code for an access token, so that it can be sent to the introspection endpoint?
Oathkeeper does not implement functionality that would allow it to manage the authorization code grant flow. It only verifies tokens and other types of auth data already present in the request. And this will not change as long as you're using Hydra in a first-party context (the tokens are issued for your own application).
d
That seems to be the case. I will try with Kratos.