# talk-oathkeeper
Hi everyone! I’m using Ory Network for an OIDC client (a native mobile app), on which I authenticate and get an opaque token (i.e. `ory_at_xxx`). Then, I want to use that token to validate before accessing our API, so I’m trying to set up Oathkeeper for this but I’m a bit confused about which authenticator I should use for this. I tried using `oauth2_introspect` but I always get a 401 status code regardless of whether the token is active or not. If I use `ory introspect token ory_at_xxx` on the CLI, I get a correct value. I am sending the token on a custom header (`x-auth-token`) as a bearer token by the way, and this is my authenticator code:
```yaml
oauth2_introspection:
    enabled: true
    config:
      introspection_url: https://xxxxx.projects.oryapis.com/admin/oauth2/introspect
      token_from:
        header: x-auth-token
```
I’m suspecting that I’m doing something wrong either with the URL given to me by Ory Network or that I’m missing some authentication step to connect to that endpoint beforehand. Does anyone have some pointers on where I should look for this? There are no examples of `oauth2_introspect` in the example repo 😓
The error message on Oathkeeper:

```
time=2023-07-25T08:39:07Z level=warning msg=The authentication handler encountered an error audience=application authentication_handler=oauth2_introspection error=map[message:Introspection returned status code 401 but expected 200] granted=false http_host=127.0.0.1:8080 http_method=POST http_url=http://127.0.0.1:8080/graphql http_user_agent=xxx/5.14.0-debug (iPhone; iOS 16.4) reason_id=authentication_handler_error rule_id=graphql-api service_name=ORY Oathkeeper service_version=v0.40.3
```
I realized that I probably need the `pre_authorization` part, but I still can’t manage to get it to work:
```yaml
oauth2_introspection:
    enabled: true
    config:
      pre_authorization:
        enabled: true
        client_id: xxxxx
        client_secret: xxxxx
        token_url: https://xxxxx.projects.oryapis.com/oauth2/token
      introspection_url: https://xxxxx.projects.oryapis.com/admin/oauth2/introspect
      token_from:
        header: x-auth-token
```
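The log line above reports the introspection endpoint answering 401 to Oathkeeper itself, which is a different failure from the user's token being inactive (that would come back as 200 with `active: false`). The following Go program is an added example, not code from the original post, from Oathkeeper or from Ory; it shows an RFC 7662 introspection client that extracts the token from a custom `x-auth-token` header (bare or `Bearer`-prefixed), authenticates its own request to the endpoint, and keeps the two failure modes apart. The endpoint is a constructed in-process fake that wants a bearer credential named `admin-cred-example`; the function names, the credential and the token values are all hypothetical, and nothing here asserts how Ory Network's admin endpoint expects to be authenticated.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// IntrospectionResult holds the RFC 7662 response fields used here.
type IntrospectionResult struct {
	Active  bool   `json:"active"`
	Subject string `json:"sub,omitempty"`
}

// ErrIntrospectionUnauthorized means the introspection endpoint rejected the
// caller's own credentials (HTTP 401). That is a different failure from the
// token under test being inactive, which arrives as 200 with active=false.
var ErrIntrospectionUnauthorized = errors.New("introspection endpoint returned 401: caller credentials rejected")

// TokenFromHeader reads the opaque token from a custom header such as
// x-auth-token, accepting both a bare token and the "Bearer <token>" form.
func TokenFromHeader(h http.Header, name string) (string, error) {
	raw := strings.TrimSpace(h.Get(name))
	if len(raw) >= 7 && strings.EqualFold(raw[:7], "bearer ") {
		raw = strings.TrimSpace(raw[7:])
	}
	if raw == "" {
		return "", fmt.Errorf("header %q missing or carries no token", name)
	}
	return raw, nil
}

// Introspect POSTs token=<token> to an RFC 7662 endpoint, authenticating the
// request itself with endpointCredential as a bearer credential. Only a 200
// is decoded; a 401 is surfaced as ErrIntrospectionUnauthorized.
func Introspect(client *http.Client, introspectionURL, endpointCredential, token string) (*IntrospectionResult, error) {
	form := url.Values{"token": {token}}
	req, err := http.NewRequest(http.MethodPost, introspectionURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if endpointCredential != "" {
		req.Header.Set("Authorization", "Bearer "+endpointCredential)
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
	case http.StatusUnauthorized:
		return nil, ErrIntrospectionUnauthorized
	default:
		return nil, fmt.Errorf("introspection returned status code %d but expected 200", resp.StatusCode)
	}
	var res IntrospectionResult
	if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
		return nil, fmt.Errorf("decoding introspection response: %w", err)
	}
	return &res, nil
}

// NewFakeIntrospectionServer is a constructed stand-in for an introspection
// endpoint: it requires adminCred on every request and knows one active token.
// It exists only so the example runs offline.
func NewFakeIntrospectionServer(adminCred, activeToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+adminCred {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		_ = r.ParseForm()
		res := IntrospectionResult{Active: r.PostForm.Get("token") == activeToken}
		if res.Active {
			res.Subject = "user-123"
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(res)
	}))
}

func main() {
	srv := NewFakeIntrospectionServer("admin-cred-example", "ory_at_example_active")
	defer srv.Close()
	hdr := http.Header{"X-Auth-Token": {"Bearer ory_at_example_active"}}
	tok, _ := TokenFromHeader(hdr, "x-auth-token")
	_, err := Introspect(srv.Client(), srv.URL, "wrong-cred", tok)
	fmt.Println("wrong endpoint credential:", err) // 401 whatever the token is
	res, _ := Introspect(srv.Client(), srv.URL, "admin-cred-example", tok)
	fmt.Println("active token:", res.Active, "sub:", res.Subject)
	res, _ = Introspect(srv.Client(), srv.URL, "admin-cred-example", "ory_at_example_revoked")
	fmt.Println("unknown token:", res.Active)
}
```

When the first call fails with a 401 no matter which token is supplied, the thing to check is the credential the introspecting service presents to the endpoint, not the user's token; only once the endpoint answers 200 does `active` say anything about the token itself.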