# talk-oathkeeper
q
Hi, we are trying to integrate JWT authentication with Ory Oathkeeper and Keto, and we are running into an issue where the JWT is not getting parsed and the subject is not getting passed to the authorizer, which in our case is the Keto layer. Can someone point us to the right config that is used to do this in the Oathkeeper layer? The Ory Docker version we are using is the latest, 0.40.6. cc @brave-pillow-3744
b
Hi everyone, just want to highlight this issue that we are facing currently, as it is a major blocker for the Oathkeeper and Keto integration. Has anyone successfully configured Oathkeeper and Keto using the remote_json authorizer? To provide more context: • In the remote_json authorizer, in the payload, we want to pass the email ID which is in the JWT token. The parsed JWT token has the email ID stored in the format below:
{
  "https://example.com/user_email": "sanket@example.com"
}
• In the request headers in the Ory Oathkeeper logs, we can see the token, but it is not parsed.
authorization:["Bearer <token>"]
• Currently, the JWT flow with Oathkeeper is working fine. Is there any way to pass the parsed JWT token to the remote_json authorizer payload? Any ideas/pointers will be very helpful to debug the issue.
s
I assume you are talking about the JWT authenticator? https://www.ory.sh/docs/oathkeeper/pipeline/authn#jwt
b
@steep-lamp-91158 The JWT authenticator is not the issue; it is the remote_json authorizer payload. We are not getting the parsed JWT in the AuthenticationSession https://github.com/ory/oathkeeper/blob/cae282488070984986391fb496f614f0c802e895/pipeline/authn/authenticator.go#L45C1-L50C2
s
@brave-pillow-3744 could you share how you are trying to retrieve the data from the JWT and how you're loading it into the payload? We were able to use a JWT token as authenticator and remote_json (Keto) as authorizer. We are loading the payload as follows:
{{ print .Extra.email }}
We didn't need to use mutators or anything else. In the logs you won't see the JWT being parsed; it'll appear as
Authorization: Bearer YOURTOKEN
Also, note that the logs in Keto won't show the payload being received to authorize (or at least, we didn't manage to show them).
b
Hi @shy-beach-55709 and @steep-lamp-91158, thank you for supporting us. After spending some time understanding the Golang text template, I realised that there were a couple of things that I was not aware of and was doing the wrong way.
• The Golang text template was not able to map the key in the object which has special chars; for that we need {{ index .Extra `https://example.com/user_email` }}
• Golang only supports backquotes and double quotes.
For more context on the Oathkeeper config: in the JWT, the email is in the format:
{
  "https://example.com/user_email": "sanket@example.com"
}
In the oathkeeper.yml config:
authorizers:
  remote_json:
    enabled: true
    config:
      remote: https://api.example.com/relation-tuples/check
      payload: |
        {
          "subject_id": "{{ index .Extra `https://example.com/user_email` }}"
        }
And in access-rules.yml:
authorizer:
  handler: remote_json
  config:
    remote: https://api.example.com/relation-tuples/check
    payload: |
      {
        "namespace": "default-namespace",
        "object": "product",
        "relation": "read",
        "subject_id": "{{ index .Extra `https://example.com/user_email` }}"
      }