# talk-oathkeeper
c
Hello all, I'm trying to set up the oathkeeper oauth2_introspection authorizer with the id_token mutator. I have the jwks_url pointed at the hydra jwks endpoint that is available, however I get an error in oathkeeper: `credentials: no suitable key could be found`. Is there something more I need to do in hydra to make my jwks valid, or is this an oathkeeper problem? Unfortunately I can't seem to turn on debug logging to get more information. oathkeeper logs:
```
time=2023-07-10T17:38:49Z level=info msg=started handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip, deflate, br authorization:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". postman-token:5a109834-0ed8-41e9-8dba-9063d00fa750 user-agent:PostmanRuntime/7.32.3 x-forwarded-for:10.42.1.1 x-forwarded-host:localhost x-forwarded-port:80 x-forwarded-proto:http x-forwarded-scheme:http x-real-ip:10.42.1.1 x-request-id:2478b72d750e4591880a5b011241a0c5 x-scheme:http] host:localhost method:GET path:/decisions/kratos/admin/ query:<nil> remote:10.42.1.7:55866 scheme:http]
time=2023-07-10T17:38:49Z level=warning msg=The mutation handler encountered an error audience=application error=map[message:credentials: no suitable key could be found] granted=false http_host=localhost http_method=GET http_url=http://localhost/kratos/admin/ http_user_agent=PostmanRuntime/7.32.3 mutation_handler=id_token reason_id=mutation_handler_error rule_id=some-id service_name=ORY Oathkeeper service_version=v0.40.3 subject=6b667dcb-06d9-49c2-9882-4b4f7bfe72d6
time=2023-07-10T17:38:49Z level=info msg=Access request denied audience=application error=map[message:credentials: no suitable key could be found] granted=false http_host=localhost http_method=GET http_url=http://localhost/kratos/admin/ http_user_agent=PostmanRuntime/7.32.3 service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-07-10T17:38:49Z level=error msg=An error occurred while handling a request audience=application error=map[message:credentials: no suitable key could be found] http_request=map[headers:map[accept:*/* accept-encoding:gzip, deflate, br authorization:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". postman-token:5a109834-0ed8-41e9-8dba-9063d00fa750 user-agent:PostmanRuntime/7.32.3 x-forwarded-for:10.42.1.1 x-forwarded-host:localhost x-forwarded-port:80 x-forwarded-proto:http x-forwarded-scheme:http x-real-ip:10.42.1.1 x-request-id:2478b72d750e4591880a5b011241a0c5 x-scheme:http] host:localhost method:GET path:/kratos/admin/ query:<nil> remote:10.42.1.7:55866 scheme:http] http_response=map[status_code:500] service_name=ORY Oathkeeper service_version=v0.40.3
time=2023-07-10T17:38:49Z level=info msg=completed handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip, deflate, br authorization:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". postman-token:5a109834-0ed8-41e9-8dba-9063d00fa750 user-agent:PostmanRuntime/7.32.3 x-forwarded-for:10.42.1.1 x-forwarded-host:localhost x-forwarded-port:80 x-forwarded-proto:http x-forwarded-scheme:http x-real-ip:10.42.1.1 x-request-id:2478b72d750e4591880a5b011241a0c5 x-scheme:http] host:localhost method:GET path:/kratos/admin/ query:<nil> remote:10.42.1.7:55866 scheme:http] http_response=map[headers:map[content-type:application/json] size:157 status:500 text_status:Internal Server Error took:7.975344ms]
```
I've got a rule that looks like this:
```yaml
- id: some-id
  version: v0.36.0-beta.4
  upstream:
    url: http://kratos-admin
  match:
    url: http://localhost/kratos/admin/<.*>
    methods:
      - GET
      - POST
      - PATCH
  authenticators:
    - handler: oauth2_introspection
      config:
        introspection_url: http://hydra-admin:4445/admin/oauth2/introspect
        scope_strategy: exact
        required_scope:
          - admin
  authorizer:
    handler: allow
  mutators:
    - handler: id_token
  errors:
    - handler: json
```
And my config looks like:
```yaml
authenticators:
  noop:
    enabled: true
  oauth2_introspection:
    enabled: true
    config:
      introspection_url: http://hydra-admin:4445/admin/oauth2/introspect
      scope_strategy: exact
      pre_authorization:
        enabled: false
      token_from:
        header: Authorization
      introspection_request_headers:
        x-forwarded-proto: http
      cache:
        enabled: false
access_rules:
  repositories:
    - file://rules/rules.yaml
mutators:
  id_token:
    enabled: true
    config:
      issuer_url: http://localhost/hydra/public/
      jwks_url: http://hydra-public:4444/.well-known/jwks.json
```
i
The jwks_url of the mutator must reference key material suitable for signing the JWT, not for verifying it. When you reference the JWKS URL exposed by hydra, you will only get the public keys, which you can use to verify the JWTs issued by hydra.
c
Oh so the mutator is not fetching an id token from hydra, but building a new one? Why doesn't it just fetch one from hydra?
i
Why should it? The id_token mutator creates a JWT based on a template you're providing. Somehow it must be able to sign it. This is not related to hydra at all.
c
I thought it was requesting a subset of the hydra id token claims, but now I realize that since you can add custom data to it oathkeeper must sign it. That's a bit inconvenient since then you need a second .well-known url for the oathkeeper jwks keys... I was hoping to create a JWT that has a selected subset of the userinfo stored in hydra/kratos. I thought maybe oathkeeper was smart enough to ask for the token 😞
i
Just out of interest, which subset of the userinfo were you hoping to get requested from hydra by oathkeeper? And based on which information (your id_token config is pretty simple)?
c
We have some 3rd party identifiers that we need in the token (e.g. for calling 3rd party APIs).