<@U04UQ68083H> if I have oathkeeper running locall...
# ory-copilot
b
@chilly-king-10285 if I have oathkeeper running locally how do I configure it to point to ory network for authorization?
c
A message from kapa.ai
New message text here
b
@chilly-king-10285 where do I get oryAccessToken to hit ory network endpoints like /relation-tuples/check
c
A message from kapa.ai
The `oryAccessToken` is a form of authentication required to perform certain operations on Ory Network endpoints. However, the provided extracts do not specify how to obtain this `oryAccessToken`. For detailed instructions on how to obtain an `oryAccessToken`, you should refer to the official Ory documentation or the specific API documentation related to the endpoint you are trying to access.
b
@chilly-king-10285 are these equivalent?
ory is allowed Group:internal#members use Application helloworld --project $project_id
https://<our project URL>check?namespace=Application&object=helloworld&relation=use&subject_id=Group:internal%23members
c
A message from kapa.ai
New message text here
b
@chilly-king-10285 how does end user get permission to hit `/relation-tuple/check` to be used as oathkeeper authorizer
```yaml
authorizers:
  remote_json:
    enabled: true
    config:
      remote: "https://<ory network url>/relation-tuples/check"
      payload: |
        {
          "subject_id": "{{ print .Subject }}",
          "namespace": "Application",
          "object": "helloworld",
          "relation": "use"
        }
```
c
A message from kapa.ai
To allow an end user to hit the `/relation-tuples/check` endpoint and use it as an Ory Oathkeeper authorizer, you need to set up the necessary permissions and access rules. Here's a general process:

1. Define Access Rules: You need to define access rules that specify which users (subjects) have permissions to access the `/relation-tuples/check` endpoint. This can be done in the Ory Oathkeeper configuration file or in a separate access rules file. The access rules should specify the `remote_json` authorizer for the relevant paths or methods.
2. Set Up Authentication: The user needs to be authenticated before they can access the endpoint. This can be done using one of Ory Oathkeeper's authenticators, such as the Cookie Session Authenticator or the Anonymous Authenticator. The authenticator validates the user's credentials and creates a session if the credentials are valid.
3. Use the Authorizer: Once the user is authenticated, the `remote_json` authorizer can be used to authorize the request. The authorizer sends a request to the `/relation-tuples/check` endpoint with a payload that includes the user's ID and the details of the requested access. If the user has the necessary permissions, the request is authorized.

Here's an example of how you might define an access rule for this:
```yaml
- id: access-rule-1
  upstream:
    url: http://my-upstream-service.com
  match:
    url: http://my-app.com/api/<.*>
    methods:
      - GET
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: remote_json
  mutators:
    - handler: noop
```
In this example, the `cookie_session` authenticator is used to authenticate the user, and the `remote_json` authorizer is used to authorize the request. The `noop` mutator is used to pass the request through without any changes.

Please note that this is a general process and the specific steps may vary depending on your Ory setup and configuration. For more detailed instructions, you should refer to the [Ory Oathkeeper documentation](https://www.ory.sh/docs/oathkeeper/).