Hi I have local docker setup with running Kratos, O...
# ory-selfhosting
g
Hi, I have a local Docker setup running Kratos, Oathkeeper and Keto. I'm trying to put Oathkeeper in front of the Keto write API. My oathkeeper.yml authorizers config is:
```yaml
authorizers:
  allow:
    enabled: true
  keto_engine_acp_ory:
    enabled: true
    config:
      base_url: "http://host.docker.internal:4467"
      required_action: "..."
      required_resource: "..."
```
My access rule is:
```yaml
- id: "ory:keto-admin-api:protected"
  upstream:
    preserve_host: false
    strip_path: "/keto-admin"
    url: "http://host.docker.internal:4467"
  match:
    url: "http://localhost:4455/keto-admin/<**>"
    methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: keto_engine_acp_ory
    enabled: true
    config:
      required_resource: "Role:members:{{ print print .Extra.identity.id }}"
  mutators:
    - handler: noop # id_token
  errors:
    - handler: redirect
      config:
        to: http://localhost:3000
```
My keto.namespaces.ts is:
```typescript
import {Context, Namespace, SubjectSet} from "@ory/keto-namespace-types"

class User implements Namespace {
  related: {
    members: User[]
    admins: User[]
  }

  permits = {
    modify: (ctx: Context): boolean =>
      this.related.admins.includes(ctx.subject),
  }
}

class Role implements Namespace {
  related: {
    members: SubjectSet<User, "members">[]
  }
}

class AccessGroup implements Namespace {
  related: {
    members: SubjectSet<Role, "members">[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.members.includes(ctx.subject),
  }
}
```
I want to check that the user is a subject of the namespace "Role" with object "admin". Can somebody help me?
s
@green-oil-88994 note that keto_engine_acp_ory is being deprecated, see here: https://community.ory.sh/t/problems-with-configuration-of-keto-engine-acp-ory-authorizer/2079 You should use remote_json instead: https://www.ory.sh/docs/oathkeeper/pipeline/authz#remote_json and get the information needed to authorize the user from the cookie session info.
g
OK, thanks!