<@U04UQ68083H> is it possible to use Ory Network f...
# ory-copilot
b
@chilly-king-10285 is it possible to use Ory Network for authorization when self-hosting Oathkeeper?
c
A message from kapa.ai
Yes, it is possible to use Ory Network for authorization when self-hosting Oathkeeper. Ory Oathkeeper is a versatile component of the Ory ecosystem that can be configured for various authentication and authorization scenarios. When self-hosting Ory Oathkeeper, you can protect access to your APIs using Ory Oathkeeper or a comparable API Gateway. The APIs of Ory open-source Servers don't come with integrated access control, so it's crucial to secure them properly to avoid security risks ([source](https://www.ory.sh/docs/self-hosted/operations/api-access-control)). Ory Oathkeeper's decision engine allows you to configure how it authorizes HTTP requests. This process happens in four steps: Access Rule Matching, Authentication, Authorization, and Mutation. Each of these steps can be configured to suit your needs ([source](https://www.ory.sh/docs/oathkeeper#decision-engine)). For example, you can create access rules for Ory Oathkeeper that only allow authenticated requests to certain upstream URLs. This can be done by using the cookie authenticator against Ory Kratos ([source](https://www.ory.sh/docs/oathkeeper/guides/proxy-websockets#configure-ory-oathkeeper-and-ory-kratos)). Remember to consult the Ory Oathkeeper [REST API documentation](https://www.ory.sh/docs/reference/api) and the [Ory Oathkeeper SDK](https://www.ory.sh/docs/oathkeeper/sdk) for more details on how to integrate Ory Oathkeeper into your application.
b
@chilly-king-10285 can you give an example of an authorizer that uses Ory Network for authorization when self-hosting Oathkeeper?
c
A message from kapa.ai
I'm sorry, but the provided extracts do not contain specific examples of an authorizer that uses Ory Network for authorization when self-hosting Oathkeeper. However, Ory Oathkeeper does support various types of authorizers, including `remote` and `remote_json`, which can make HTTP POST requests to a remote endpoint for authorization decisions. For example, the `remote_json` authorizer configuration might look like this:
```yaml
# Global configuration file oathkeeper.yml
authorizers:
  remote_json:
    # Set enabled to "true" to enable the authenticator, and "false" to disable the authenticator. Defaults to "false".
    enabled: true

    config:
      remote: http://my-remote-authorizer/authorize
      payload: |
        {
          "subject": "{{ print .Subject }}",
          "resource": "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}"
        }
```
(Source: [Ory Oathkeeper Documentation](https://www.ory.sh/docs/oathkeeper/pipeline/authz#remote_json-example))

In this example, the `remote` field would be the URL of your Ory Network endpoint. The `payload` field is a JSON object that is sent to the remote authorizer. The values in the payload are parsed from the `AuthenticationSession` object. Please refer to the [Ory Oathkeeper documentation](https://www.ory.sh/docs/oathkeeper/) for more detailed information and examples.
b
@chilly-king-10285 can you give an example of using oathkeeper with Nginx via Authentication Based on Subrequest Result
c
A message from kapa.ai
Yes, Ory Oathkeeper can be used with Nginx via Authentication Based on Subrequest Result. While the provided extracts do not contain a specific example of this setup, they do mention that Ory Oathkeeper's Access Control Decision API works with Nginx via Authentication Based on Subrequest Result ([source](https://www.ory.sh/docs/oathkeeper)). Here's a general idea of how you might set this up:

1. Configure Nginx to make an authentication subrequest to Ory Oathkeeper for each incoming request. This can be done using the `auth_request` directive in your Nginx configuration:
```nginx
location /protected/ {
    auth_request /authz;
    ...
}

location = /authz {
    internal;
    proxy_pass http://ory-oathkeeper-api-url/decisions;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}
```
In this example, Nginx would send a subrequest to the `/decisions` endpoint of your Ory Oathkeeper API for each request to a URL under `/protected/`. The `X-Original-URI` header is set to the original request URI.

2. Configure Ory Oathkeeper to make authorization decisions based on these subrequests. This would involve setting up appropriate access rules in Ory Oathkeeper. An example of an access rule can be found in the provided extracts ([source](https://www.ory.sh/docs/oathkeeper/guides/proxy-websockets#configure-ory-oathkeeper-and-ory-kratos)).

Please refer to the [Ory Oathkeeper documentation](https://www.ory.sh/docs/oathkeeper/) and the [Nginx documentation](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more detailed information and examples.