<@U04UQ68083H> When authenticator forwards headers...
# ory-copilot
b
@chilly-king-10285 When authenticator forwards headers from `forward_http_headers`, should the request to the authorizer get that header?
c
A message from kapa.ai
Based on the information provided in the extracts, the `forward_http_headers` configuration in the `cookie_session` authenticator allows you to specify which headers will be forwarded. However, it doesn't explicitly mention if these headers are forwarded to the authorizer. In the context of Ory Oathkeeper's pipeline, after the authentication step, the request proceeds to the authorization step. It would be logical to assume that any headers forwarded by the authenticator would be available to the authorizer. However, the extracts do not provide a definitive answer to this. For a more accurate answer, you may want to refer to the [Ory Oathkeeper documentation](https://www.ory.sh/docs/oathkeeper/pipeline/authn#cookie_session-configuration).
b
@chilly-king-10285 when do the mutators take effect?
c
A message from kapa.ai
Mutators in Ory take effect after the authentication and authorization steps in the request processing pipeline. They transform the HTTP request before it is forwarded to the upstream server. For example, the [ID Token Mutator](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#id_token) takes all the available session information and puts it into a JSON Web Token (JWT). The protected application will then receive this JWT in the HTTP Header. Similarly, the [Header Mutator](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#header) allows you to pass the credentials to the upstream application via the headers, and the [Cookie Mutator](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#cookie) allows you to pass the credentials via cookies. Remember, the specific mutator used and its configuration can be defined in the access rule for the request.
b
@chilly-king-10285 Can I add a header to the request to the authorizer?
c
A message from kapa.ai
Based on the provided extracts, there is no explicit information about adding a header to the request to the authorizer in Ory. The extracts discuss how headers can be included in requests to resource servers and how AJAX requests need to be configured to include cookies. They also mention how headers are used in the context of the `fetch` function and the `Authorization` header. However, they do not provide specific details about adding a header to the request to the authorizer. For more detailed information, you may want to refer to the [Ory Oathkeeper documentation](https://www.ory.sh/docs/oathkeeper/).
b
@chilly-king-10285 when I use a remote authorizer, where does the payload come from?
c
A message from kapa.ai
When using a remote authorizer in Ory Oathkeeper, the payload is defined in the configuration of the `remote_json` authorizer. This payload is a JSON object that is sent to the remote authorizer as part of the HTTP POST request. Here is an example of how the payload can be defined in the configuration:

```yaml
authorizers:
  remote_json:
    config:
      remote: http://my-remote-authorizer/authorize
      payload: |
        {
          "subject": "{{ print .Subject }}",
          "resource": "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}"
        }
```

In this example, the payload includes two fields: `subject` and `resource`. The values for these fields are extracted from the authentication session using Go's `text/template` package. The `{{ print .Subject }}` and `{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}` are template expressions that are evaluated to produce the final payload. For more details, you can refer to the [Ory Oathkeeper documentation](https://www.ory.sh/docs/oathkeeper/pipeline/authz#remote_json).
b
@chilly-king-10285 Can I supply a header when using a remote_json authorizer?
c
A message from kapa.ai
Based on the provided extracts, the `remote_json` authorizer configuration does not explicitly support supplying headers. The configuration options mentioned for `remote_json` are `remote` and `payload`. Here is an example of how the `remote_json` authorizer can be configured:

```yaml
authorizers:
  remote_json:
    config:
      remote: http://my-remote-authorizer/authorize
      payload: |
        {
          "subject": "{{ print .Subject }}",
          "resource": "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}"
        }
```

However, the `remote` authorizer configuration does support supplying headers. Here is an example:

```yaml
authorizers:
  remote:
    config:
      remote: http://my-remote-authorizer/authorize
      headers: |
        {
          "header1": "{{ print .Header1 }}",
          "header2": "{{ print .Header2 }}"
        }
```

For more detailed information, you may want to refer to the [Ory Oathkeeper documentation](https://www.ory.sh/docs/oathkeeper/pipeline/authz#remote).
b
@chilly-king-10285 Why is there not a handler where I can supply both a header and a payload?
c
A message from kapa.ai
Based on the provided extracts, Ory's current design for the `remote_json` authorizer and `remote` authorizer does not include a handler where you can supply both a header and a payload. The `remote_json` authorizer allows you to define a payload that is sent to the remote authorizer as part of the HTTP POST request, while the `remote` authorizer allows you to define headers. This design decision might be due to the separation of concerns, where each handler is designed to handle a specific task. However, the exact reasoning behind this design choice is not provided in the extracts. If you need to send both headers and a payload to a remote authorizer, you might need to implement a custom authorizer or request this feature from the Ory community. For more detailed information, you may want to refer to the [Ory Oathkeeper documentation](https://www.ory.sh/docs/oathkeeper/pipeline/authz).