# talk-oathkeeper
n
I have finally integrated oathkeeper to use the Ory Network permissions. There seems to be an issue where oathkeeper is unable to send the authorization header when making the tuple check call. Here is my oathkeeper config.

```yaml
authorizers:
  allow:
    enabled: true
  remote:
    enabled: true
    config:
      remote: http://localhost:3001/relation-tuples/check
  remote_json:
    enabled: true
    config:
      remote: http://localhost:3001/relation-tuples/check
      # https://github.com/ory/oathkeeper/issues/797
      forward_response_headers_to_upstream: []
      payload: |
        {
          "subject": "{{ print .Subject }}",
          "resource": "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}"
        }
```
Since I have this deployed on k8s using Helm, here is my extraContainers config. Here is the code for the proxy. It's very simple. https://github.com/ballerabdude/secure-http-proxy

```yaml
extraContainers: |
  - name: http-proxy
    image: myazureacr.azurecr.io/http-proxy:0.0.13
    env:
      - name: TARGET_URL
        value: "https://oryurl.com"
      - name: SECRET_PREFIX
        value: "httpproxy-"
      - name: KEYVAULT_URL
        value: https://my-kv.vault.azure.net
      - name: DEBUG_MODE
        value: "true"
```
My access rule for the authorization part:

```yaml
authorizer:
  handler: remote_json
  config:
    payload: |
      {
        "namespace": "Site",
        "object": "mysite.com",
        "relation": "allows",
        "subject_id": "{{ print .Extra.identity.id }}",
        "subject": "User"
      }
```
b
1. Either SubjectSet or SubjectID can be provided in the authorizer's payload.
2. Your authorizer should look something like this:

oathkeeper-config.yml

```yaml
authorizers:
  remote_json:
    enabled: true
    config:
      remote: http://localhost:3001/relation-tuples/check
      payload: |
        {
          "subject_id": "{{ print .Extra.identity.id }}"
        }
```

access-rules.yml

```yaml
authorizer:
  handler: remote_json
  config:
    remote: http://localhost:3001/relation-tuples/check
    payload: |
      {
        "namespace": "Site",
        "object": "mysite.com",
        "relation": "allows",
        "subject_id": "{{ print .Extra.identity.id }}"
      }
```

Make sure that when you do authentication using authenticators, the response payload has `Extra.identity.id`.
Hope this will be helpful.
i
@narrow-greece-70477: do you mean you cannot let oathkeeper do the check request against keto, as it results in an error due to missing authentication data required by that endpoint? This relates to https://github.com/ory/oathkeeper/issues/969. As of today, the only solution is to either proxy those requests via e.g. an nginx, which would set the required header, or use alternatives to oathkeeper that allow that configuration.
n
@icy-manchester-83109 When doing my initial testing I was hosting all of the components on my k8s cluster, so everything was working as expected. Only when I switched to Ory Network did I start to have this issue. @brave-pillow-3744 It looks like I might have to read up some more on SubjectSets. My original design was to have something like this.

```json
{
  "namespace": "Site",
  "object": "mysite.com",
  "relation": "allows",
  "subject_id": "164cc415-499e-4ad7-bcc5-b9823af9dfea",
  "subject": "User",
  "subject_set": {
    "namespace": "Group",
    "object": "mysite-admins",
    "relation": "members"
  }
}
```
I wanted only users in the admin group to have access.