<@U04UQ68083H> I have this authorizer but it does ...
# ory-copilot
a
@chilly-king-10285 I have this authorizer but it does not work. If I write the subject_id, which is just the rolename, manually, e.g. "ADMIN", it works. But I need to extract the role of the user from the metadata_admin column of the identity (kratos identity). Any idea how I can manage this? I know I could just move the role to the traits and that would work but I was told that saving role information in the traits is not secure enough. If it is, please let me know.
```yaml
authorizers:
  allow:
    enabled: true
  remote_json:
    enabled: true
    config:
      remote: http://keto:4466/relation-tuples/check
      payload: |
        {
          "namespace": "api_access",
          "object": "endpoints",
          "relation": "access",
          "subject_id": "{{ print .Extra.identity.metadata_admin.role }}"
        }
```
While at it, another question: How can I forward the other metadata_admin key value pairs to the service? I would think it would be like this but I cannot access the metadata_admin at all.
```yaml
mutators:
  - handler: header
    config:
      headers:
        X-Company-ID: "{{ print .Extra.identity.metadata_admin.companyId }}"
```
c
A message from kapa.ai
Based on the information provided in the extracts, it seems like you're trying to access the `metadata_admin` field from the identity object in Ory. However, the extracts do not provide specific information on how to access this field directly.

In the context of Ory Oathkeeper, the `remote_json` authorizer and the `header` mutator both support Go Templates, which allow you to customize the payload and headers respectively. The Go Templates are applied to an `AuthenticationSession` object. However, the extracts do not provide details on whether the `metadata_admin` field is accessible through this object.

As for your second question, the `header` mutator can indeed be used to forward metadata to the service. Your configuration seems correct, assuming that `metadata_admin` and `companyId` are accessible fields. However, as mentioned earlier, the extracts do not provide specific information on accessing these fields.

I would recommend checking the Ory documentation or reaching out to the Ory community for more specific guidance on accessing these fields. Here are some relevant links from the extracts:

- [Oathkeeper Pipeline](https://www.ory.sh/docs/oathkeeper/pipeline)
- [Oathkeeper Mutators](https://www.ory.sh/docs/oathkeeper/pipeline/mutator)
- [Oathkeeper Authorizers](https://www.ory.sh/docs/oathkeeper/pipeline/authz)

Please note that the security of storing role information in traits would depend on your specific application and security requirements. It's always a good idea to follow best practices for data security and privacy.