high-gpu-580
07/23/2024, 2:55 AM
I am using the authenticator type cookie_session. I have successfully configured an access rule so that if a client is not authenticated, the request is stopped at Oathkeeper with a 401 response.
However, there is a scenario where some APIs need to retrieve user information if authenticated but should still process the request even if not authenticated. With Oathkeeper, when the client is not authenticated, it currently returns a 401 response immediately.
How can I configure Oathkeeper to allow requests to certain APIs to be processed regardless of authentication status but still include user information if the client is authenticated?
high-gpu-580
07/23/2024, 10:13 AM
Add a noop handler (at the end of the list) for both authenticator and mutator.
Like this:
{
  "id": "whoami-optional",
  "upstream": {
    "url": "http://whoami"
  },
  "match": {
    "url": "http://myapp.localhost/whoami/optional",
    "methods": [
      "GET",
      "POST",
      "PUT",
      "PATCH",
      "DELETE",
      "OPTIONS"
    ]
  },
  "authenticators": [
    {
      "handler": "cookie_session"
    },
    {
      "handler": "noop"
    }
  ],
  "authorizer": {
    "handler": "allow"
  },
  "mutators": [
    {
      "handler": "id_token"
    },
    {
      "handler": "noop"
    }
  ]
}
Case 1: A valid cookie found
Hostname: whoami-cc8cd84d5-dfmxl
IP: 127.0.0.1
IP: ::1
IP: 10.244.0.61
IP: fe80::1868:b5ff:fe90:6cd1
RemoteAddr: 10.244.0.87:45584
GET /whoami/optional HTTP/1.1
Host: whoami
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8,ja;q=0.7
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjI0c3dxRGNRNTN3UWNGdUgiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiY29kZSJdLCJleHAiOjE3MjE3NjQ2MDIsImlhdCI6MTcyMTcyODYwMiwiaXNzIjoiaHR0cDovL29hdGhrZWVwZXItcHJveHk6NDQ1NSIsImp0aSI6ImJkOTMwZjNiLWM2ZjktNDA3Zi1iNmU0LWY3OTdjMGViMDZmNyIsIm5hbWUiOiJOZ3V5ZW4gSHV1IEtpbSIsIm5iZiI6MTcyMTcyODYwMiwicGljdHVyZSI6IiIsInByZWZlcnJlZF91c2VybmFtZSI6ImtpbXl2Z3kiLCJyb2xlcyI6IiIsInN1YiI6IjEiLCJ1c2VyX2lkIjoiMSJ9.S5VspdfHNHvcDmv-vFS5eUjLt9VB2Lmbvmk5I8j7sAjrtL7Sp4S-r85LckY7I_jOyJoh_hsi03P_Nb3sHZASJj19XPdeOZmD4DAG_ZodjoYT-nHVwDaXhCI49tILYevwj1Y4umS5STy--G0hDI2lttcWzH8MwdNOGuIpmoojR90YlvE-Nc9t203rQgFZz2tWdhanQzKP0KV7Ch1cCY0MsSloKJ0FvA3Wk9u-P89ztr6LxuEnPk93u7uNqebvrWhglE8x2EFDjvr8xeq7uqUN9WrcnroH-S1BLfh9WvAw4_tf4okcXW3RWHpPgxu9hPJCi46FU_5t9y07n5TC_xInUw
Cache-Control: no-cache
Cookie: viblo_code_auth=eyJpdiI6IkMxb2ZaQjd6ZWc2VDN5YUhtLzhSK2c9PSIsIm1hYyI6IjQ4Y2RlNWQ3NTM3MzQ1YmY0MjAwMmE1YTc5MjQ0ZmViYzk5ZGY4ZGFlZWUwNjA0NGY0MmMyNThmYzhlOGM2OTYiLCJ2YWx1ZSI6ImZ2RjRsa0dha085QlpxaHBXMll4Nkt3NkpJQWs2RW4wQ2F0OW5Yc3ZoTkZSZFIyak9sRnU1SzRUcFZVOEIwczNFeC9aVmU4RE8vaDViZ0FRRkU3Q0hXZ1Byc1gxTklYL25NYzZaWUhMYWI5WlZOKzQ2Z2hPYWZkSDFGYTA5VFh3dnAvZ1FYMmN4YjVoTDNNdk1VcWtzUjhodngrU08vQXU2bnpPNnpmNlNEUnBtQ2RhamhaUi92R1pOM2NyZng3bkVBOXNLVXI1K0NiN0RCaVVMZURFUTMyU1lJVU45NzBRZWJkMWYrZmQ5aU90cWhCRE1UTG8zWXcvWHhNeTBZQVIzalR0b05JRnZ5T2JsUWlaV09lQldRWFZhOVdWZ21tTFoveW9xN0pwK2NHaVNmbng0R0czNkxuRGFFMHNha1p5N0tsVFViZ2FZSjBockxBeld1eHF2K3FWcCtDWEFvNVdHZXFvU2hxZHBvZUJ4aTVZSStrS09PSmxMcWpMdE1lRG1pMGRKMFRiWEdXcVRnaGJvYzh5Y0d1MlFrNFJJU1BxUERNRDBqaU5wOGc9In0=
Dnt: 1
Pragma: no-cache
Upgrade-Insecure-Requests: 1
X-Forwarded-Port: 80
X-Forwarded-Scheme: http
X-Real-Ip: 10.244.0.1
X-Request-Id: 329e52a32cd66e86bfc60bace236fd59
X-Scheme: http
Case 2: No cookie provided
Hostname: whoami-cc8cd84d5-dfmxl
IP: 127.0.0.1
IP: ::1
IP: 10.244.0.61
IP: fe80::1868:b5ff:fe90:6cd1
RemoteAddr: 10.244.0.87:46964
GET /whoami/optional HTTP/1.1
Host: whoami
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8,ja;q=0.7
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjI0c3dxRGNRNTN3UWNGdUgiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiY29kZSJdLCJleHAiOjE3MjE3NjQ2MTUsImlhdCI6MTcyMTcyODYxNSwiaXNzIjoiaHR0cDovL29hdGhrZWVwZXItcHJveHk6NDQ1NSIsImp0aSI6ImE1MjJlMzY5LWI0YzctNDI3Ny04N2UxLWVlY2UyZGM1ZDA0OCIsIm5hbWUiOiIiLCJuYmYiOjE3MjE3Mjg2MTUsInBpY3R1cmUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiIiLCJyb2xlcyI6IiIsInN1YiI6IiIsInVzZXJfaWQiOiIifQ.SXSjLOGal1gKEYkVonQkDMN0n31joy3TGCHLq67QJxexXl6XMsZ1G4qlXNmDuEejvi2pQF4YUTm0tZ_qxw12lbd205OvNDunu7znx_Xp-cHdbIcmhhbcelg17pPr3KbH__tV7zaTlGWAJ-9rju9hE1OwWNMpL6TAzUb_zswBmuitp08P2uUeezhrYF6ZJuqjtX4GCcxbVEWmg7t-w4YEPGb531SpZYZ6NREHF7KB0bRWntbuzLv-YH2P4vjzEF3sjwl-_oX1k5T4GVEJdSqGzQeZL6UgCb8sMXiIRYFeOIJF8EXus3BLG9z3ZevyE-QbJmueb4RwWxMLReBYd5YIgQ
Cache-Control: no-cache
Dnt: 1
Pragma: no-cache
Upgrade-Insecure-Requests: 1
X-Forwarded-Port: 80
X-Forwarded-Scheme: http
X-Real-Ip: 10.244.0.1
X-Request-Id: 72e8348081a2c680309fab4f4cba284d
X-Scheme: http