# ory-selfhosting
Hey all, I'm stuck on something that is probably simple, but not sure how to get the right value for the `sub` field in the JWT claim for the `id_token` mutator for Oathkeeper. Given a Kratos session as follows:
```json
{
  "id": "43eec26d-3e4b-440a-864b-f4afb66f68e1",
  "active": true,
  "expires_at": "2024-07-03T18:32:45.978608Z",
  "authenticated_at": "2024-07-02T18:32:45.978608Z",
  "authenticator_assurance_level": "aal1",
  "authentication_methods": [
    {
      "method": "password",
      "aal": "aal1",
      "completed_at": "2024-07-02T18:32:45.978600566Z"
    }
  ],
  "issued_at": "2024-07-02T18:32:45.978608Z",
  "identity": {
    "id": "2d7f551c-27a9-48b5-a8b4-fc89f64dd03e",
    "schema_id": "user_v0",
    "schema_url": "https://chrisdev.local.onyxplus.me/kratos-public/schemas/dXNlcl92MA",
    "state": "active",
    "state_changed_at": "2024-07-02T18:30:07.310219Z",
    "traits": {
      "email": "chris.wheatley.onyxplus@gmail.com",
      "username": "chrisW"
    },
    "verifiable_addresses": [
      {
        "id": "c5eb757a-0f8b-4944-8d36-044fc15631f2",
        "value": "chris.wheatley.onyxplus@gmail.com",
        "verified": true,
        "via": "email",
        "status": "sent",
        "verified_at": "2024-07-02T18:32:13.257299Z",
        "created_at": "2024-07-02T18:30:07.314022Z",
        "updated_at": "2024-07-02T18:30:07.314022Z"
      }
    ],
    "recovery_addresses": [
      {
        "id": "7fb3b5ed-d97e-43c8-a8ae-cbe069917ed5",
        "value": "chris.wheatley.onyxplus@gmail.com",
        "via": "email",
        "created_at": "2024-07-02T18:30:07.315593Z",
        "updated_at": "2024-07-02T18:30:07.315593Z"
      }
    ],
    "metadata_public": null,
    "created_at": "2024-07-02T18:30:07.312301Z",
    "updated_at": "2024-07-02T18:30:07.312301Z",
    "organization_id": null
  },
  "devices": [
    {
      "id": "edf4b4f5-d176-479f-a91d-c35c5e69d0b2",
      "ip_address": "10.244.0.1",
      "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
      "location": ""
    }
  ]
}
```
I'd like to use `identity.traits.username` as the `sub` field in the JWT token that is forwarded to the upstream server. According to the documentation on the page https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy# it has the following code example:
```yaml
mutators:
  noop:
    enabled: true

  id_token:
    enabled: true
    config:
      issuer_url: http://127.0.0.1:4455/
      jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json
      claims: |
        {
          "session": {{ .Extra | toJson }}
        }
```
So, my question is - how do you set the claims section of the mutator's `id_token` to emit `sub` instead of `session`, with the value taken from `identity.traits.username` in the Kratos session? I have tried
```yaml
claims: '{ "sub": "{{ print .Subject }}" }'
```
I cannot figure it out from the examples here either https://www.ory.sh/docs/oathkeeper/pipeline#configuration-examples
From this code snippet:
```yaml
# ...
authenticators:
  cookie_session:
    enabled: true
    config:
      check_session_url: http://kratos:4433/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session
# ...
```
I think I am not setting the `subject_from` correctly. I have it set to `identity.traits.username` per the Kratos session, but it does not appear to be populating the `Subject` correctly.
Even if I completely remove the `sub` from the claims in the `id_token` mutator, it prints an empty subject no matter what value I set the `subject_from` to in the `cookie_session` authenticator.
FYI for anyone coming across this, I added `force_method: 'GET'` to the `cookie_session` as I was sending a `POST` but the `/sessions/whoami` endpoint needed a `GET` request. It is all working now.
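To make the two halves of the thread concrete (`subject_from` filling `Subject`, the claims template rendering `{{ print .Subject }}` or reaching into `.Extra`), here is an added Go example that is not from the thread and not Oathkeeper's own code. The `session` struct, `lookup` and `RenderClaims` are my own stand-ins: `lookup` approximates the GJSON path lookup Oathkeeper uses for `subject_from` with a plain dotted-key walk, and the session body is a constructed, trimmed copy of the one above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"strings"
	"text/template"
)

// Constructed, trimmed-down Kratos /sessions/whoami body with the same shape as the one in the thread.
const sessionJSON = `{"id": "43eec26d-3e4b-440a-864b-f4afb66f68e1", "active": true,
  "identity": {"id": "2d7f551c-27a9-48b5-a8b4-fc89f64dd03e",
    "traits": {"email": "chris.wheatley.onyxplus@gmail.com", "username": "chrisW"}}}`

// What the claims template sees: Subject is filled from subject_from, Extra from extra_from ("@this" = whole body).
type session struct {
	Subject string
	Extra   map[string]interface{}
}

// lookup walks a dotted path such as "identity.traits.username" through the decoded body.
// Hypothetical stand-in for the GJSON path lookup Oathkeeper applies to subject_from.
func lookup(doc map[string]interface{}, path string) string {
	var cur interface{} = doc
	for _, key := range strings.Split(path, ".") {
		m, _ := cur.(map[string]interface{}) // nil when cur is not an object; indexing a nil map yields nil
		cur = m[key]
	}
	s, _ := cur.(string) // a missing or non-string value leaves Subject empty, as seen in the thread
	return s
}

// RenderClaims fills Subject from the session body, renders the id_token claims template and decodes the result.
func RenderClaims(body, subjectFrom, claimsTmpl string) (map[string]interface{}, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal([]byte(body), &doc); err != nil {
		return nil, err
	}
	tmpl, err := template.New("claims").Parse(claimsTmpl)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, session{Subject: lookup(doc, subjectFrom), Extra: doc}); err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(out.Bytes(), &claims)
}
```

A path that does not exist in the body (for example one missing the `identity.` prefix) renders an empty `sub`, which is the symptom described above; the trait can also be read straight from `.Extra` in the template.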