# ory-selfhosting
d
Hi all, We are currently working on integrating Oathkeeper into our Kubernetes (k8s) environment for the authentication of our service requests through the Nginx Ingress controller. We're using JWT tokens provided by Hydra for this purpose. So far, we have managed to authenticate successfully using the Authorization header. However, when attempting to pass `token_from.query_parameter: id-token`, we encounter a 401 error and are unable to proceed. Our Oathkeeper setup is configured to use the JWT authenticator with jwks_uri obtained from Hydra. We discovered a similar issue here: https://github.com/ory/oathkeeper/issues/1105. But this seems to pertain more to the bearer token authenticator. We're reaching out for any insights or possible solutions to this problem. Any assistance is greatly appreciated!
c
Are you trying to use the id_token mutator or just the authorization header authenticator? When we tried to use the mutator we discovered that the private keys needed for signing id_tokens are not present in Hydra's jwks endpoint, so Oathkeeper cannot use them to generate a new id_token. Might be related?
d
We don't use the id_token mutator because we've already signed the JWT provided by Hydra. So we simply use the jwt authenticator with the authorization header and it works. But it doesn't work when we try to switch to `authenticators.jwt.token_from.query_parameter` or `authenticators.jwt.token_from.cookie`.
s
@delightful-noon-48365 how is your jwt authenticator configured?
d
Hi @shy-beach-55709, thanks for your message. We have successfully used Oathkeeper API Decision with Nginx Ingress Controller using the JWT authenticator inside our k8s. @magnificent-energy-493 I'll be creating a new example in the next few weeks.
m
@delightful-noon-48365 That would be very cool 😎 Let me know if I can support you in any way! You can also just throw over some config code and instructions and I take care of the rest
s
id_token shouldn't be used; an oauth2 token renewed from a refresh token with scope and consent should be preferred as a first-party resource token for oauth2 resource consumption and verified by Oathkeeper (Hydra emits multiple tokens for multiple uses; id_token is the most basic one, normally used just to verify that an identity exists with the OpenID provider).