Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello :wave: I’m using oathkeeper as an api-gateway in front of my microservices.
I am now integrating with some webhooks so I added a new access rule. I would like to restrict the calling IP addresses for this new rule. Is there a way to do this ?

Currently my access rule looks like this and is very permissive. I’d like to whitelist 3 IP addresses for it
```- id: 'my-webhook'
  upstream:
    preserve_host: false
    url: <http://my-service>
  match:
    url: <https://my-api.com/my-webhook>
    methods:
      - POST
  authenticators:
    - handler: noop
  authorizer:
    handler: allow
  mutators:
    - handler: noop```

You cannot do that in oathkeeper, but you could use a remote_json authorizer, which could do that for you