# ory-selfhosting
f
We are using oathkeeper to protect access to our API. Is there an easy way to enforce authenticator_assurance_level to be aal2/3 with only configuration in oathkeeper, or do we need to add support to our API itself?
Note that I don't want to configure required_aal in kratos for all users. I just want to require aal2 for users that are using this particular API.
m
Hey @faint-helmet-53309, to enforce a certain AAL for users accessing a particular API, you would need to implement this logic in your API or in a service that sits between Ory Oathkeeper and your API. This service would check the AAL of the user (which can be included in the session token) and decide whether to grant access based on the AAL. Remember that the AAL is set during the user's session, so it's not something that Ory Oathkeeper can enforce on its own without additional logic.
f
Ack. I was thinking to forward the aal level via an additional header to work around this.
Btw, would you be interested in adding a CEL or WASM based authorizer where the operator can configure simple checks directly in oathkeeper?
(I would help to work on this if you are interested)
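The following is an added example, not code from Ory or from anyone in the thread, of the "service that sits between Oathkeeper and your API" approach described above: a small Go middleware that reads the Kratos session object, compares its `authenticator_assurance_level` (`aal1`/`aal2`/`aal3`) against the level the route requires, and returns 403 when the session is active but not strong enough. It assumes the session JSON arrives in an `X-Session` request header (a hypothetical stand-in chosen so the example runs offline; a real deployment would instead call Kratos' `/sessions/whoami` with the forwarded cookie), and the session bodies are constructed samples shaped like the whoami response.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// kratosSession is the subset of the Ory Kratos session object this check needs.
type kratosSession struct {
	Active                      bool   `json:"active"`
	AuthenticatorAssuranceLevel string `json:"authenticator_assurance_level"` // "aal1", "aal2" or "aal3"
}

// aalRank orders assurance levels so they can be compared; unknown values rank lowest.
func aalRank(aal string) int {
	switch strings.ToLower(aal) {
	case "aal1":
		return 1
	case "aal2":
		return 2
	case "aal3":
		return 3
	default:
		return 0
	}
}

// sessionMeetsAAL reports whether raw (a Kratos session JSON) is active and at or above required.
// Inactive sessions and unknown required levels are errors, not a silent "false".
func sessionMeetsAAL(raw []byte, required string) (bool, error) {
	var s kratosSession
	if err := json.Unmarshal(raw, &s); err != nil {
		return false, fmt.Errorf("decode session: %w", err)
	}
	if !s.Active {
		return false, errors.New("session is not active")
	}
	need := aalRank(required)
	if need == 0 {
		return false, fmt.Errorf("unknown required level %q", required)
	}
	return aalRank(s.AuthenticatorAssuranceLevel) >= need, nil
}

// RequireAAL wraps next and rejects requests whose session does not reach required.
// fetch obtains the session JSON; sessionFromHeader below is the offline stand-in.
func RequireAAL(required string, fetch func(*http.Request) ([]byte, error), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		raw, err := fetch(r)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		ok, err := sessionMeetsAAL(raw, required)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !ok {
			// 403 rather than 401: the user is authenticated, just not strongly enough.
			http.Error(w, "insufficient authenticator assurance level", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// sessionFromHeader is the hypothetical fetcher: it expects the session JSON in an
// X-Session header (an assumption for this example, not an Oathkeeper default).
func sessionFromHeader(r *http.Request) ([]byte, error) {
	v := r.Header.Get("X-Session")
	if v == "" {
		return nil, errors.New("no session header")
	}
	return []byte(v), nil
}

// Constructed sample sessions, shaped like the Kratos whoami response.
const sessionAAL1 = `{"active":true,"authenticator_assurance_level":"aal1","identity":{"id":"example-id"}}`
const sessionAAL2 = `{"active":true,"authenticator_assurance_level":"aal2","identity":{"id":"example-id"}}`

func main() {
	protected := RequireAAL("aal2", sessionFromHeader, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	for _, s := range []string{sessionAAL1, sessionAAL2} {
		rec := httptest.NewRecorder()
		req := httptest.NewRequest(http.MethodGet, "/api/sensitive", nil)
		req.Header.Set("X-Session", s)
		protected.ServeHTTP(rec, req)
		fmt.Println(rec.Code) // 403 for the aal1 session, 200 for the aal2 session
	}
}
```

Because the middleware ranks levels rather than string-matching, an aal3 session also passes an aal2 route, and an inactive session is refused regardless of its recorded level, which is the failure mode a session-based check most needs to handle.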