Hello tl dr the question is How to make oauthkeeper use Ory Ory Community #talk-oathkeeper

Hello, tl;dr the question is: "How to make oauthke...

aloof-cartoon-86581

08/03/2023, 8:10 AM

Hello, tl;dr the question is: "How to make oauthkeeper use Ory API Key to make sending requests to Ory network /admin endpoint possible?" So, the situation looks as follows: 1. We created a client in Ory Network and with Ory CLI we validated that it works 2. Agents outside of our clusters authenticate the oaut2 client with the Ory Netwrok and receives back the token 3. Agents make request to our cluster with the received token 4. In our cluster Emissary Ingress receives the request with the token and passes it to oauthkeeper 5. Oauthkeeper tries to validate the token via https://<project-endpoint>/admin/oauth2/introspect But the last part is not being successful, and from the logs we are receiving:

Copy code

msg=The authentication handler encountered an error audience=application authentication_handler=oauth2_introspection error=map[message:Introspection returned status code 401 but expected 200] granted=false

So, I suppose we need to pass the API Key (which we have) to the oauthkeepr in order to be able to use mentioned endpoint. Does anyone know how to do this?

steep-lamp-91158

08/03/2023, 8:57 AM

I think you are looking for https://github.com/ory/oathkeeper/issues/969

aloof-cartoon-86581

08/03/2023, 9:24 AM

Hmmm, this issue mentions Ory Keto, while I'm asking about Oauthkeeper, so I don't think it's what I'm looking for

aloof-cartoon-86581

08/03/2023, 10:04 AM

And still in the issue there is only workaround proposed which is still only workaround, not a solution

steep-lamp-91158

08/03/2023, 10:35 AM

The issue is about adding arbitrary headers to the

remote_json

authorizer, which then allows you to include the Ory Network API key to do the call.

faint-terabyte-48594

08/03/2023, 12:48 PM

Yeah, but aren't authenticators called BEFORE authorizers?

steep-lamp-91158

08/03/2023, 1:55 PM

ahh so you need additional headers on the authenticator, sorry, different story but similar issue

faint-terabyte-48594

08/03/2023, 1:56 PM

yes, exactly 🙂 to cloud Hydra exactly, as the introspection endpoint is under /admin, so the API key must be provided as a bearer token

faint-terabyte-48594

08/03/2023, 1:57 PM

we're trying to migrate from self-hosted to managed Hydra, but this issue blocked us 😞

steep-lamp-91158

08/03/2023, 1:58 PM

it should be a fairly quick fix, contributions welcome

faint-terabyte-48594

08/03/2023, 1:58 PM

looking at the

pre_authentication

configuration block it seems it should be possible to work around this issue by creating a dummy client and using its credentials to obtain the token, but we wondered if there isn't any better (i.e. api key-based) approach possible

faint-terabyte-48594

08/03/2023, 1:59 PM

seems like an easy fix, true

faint-terabyte-48594

08/03/2023, 1:59 PM

the problem is we don't have any go developers atm 😄

faint-terabyte-48594

08/10/2023, 1:38 PM

in case somebody has the same problem in the future, there is a working solution - use the