# talk-oathkeeper
b
Hi people, I'm trying to hide a website with `oathkeeper` using the `cookie_session` authenticator. When trying to access the site I get successfully redirected to my login page, but after that I still get no access to my hidden site. So all requests are redirected to my login page.
Oathkeeper logs the following message:

```
[cors] 2022/09/03 13:30:18 Handler: Actual request
[cors] 2022/09/03 13:30:18   Actual request no headers added: missing origin
```
Based on this message I assumed that my origin wasn't sent, which was true. First question here: How do I make sure that the `Origin` header is being sent? I thought that this header would only be set if a request was made via script. After that, the following was logged:

```json
{
  "audience": "application",
  "authentication_handler": "cookie_session",
  "error": {
    "debug": "",
    "message": "Access credentials are not sufficient to access this resource",
    "reason": "Get \"http://127.0.0.1:4460/sessions/whoami\": dial tcp 127.0.0.1:4460: connect: connection refused",
    "status": "Forbidden",
    "status_code": 403
  },
  "granted": false,
  "http_host": "foo.bar.de",
  "http_method": "GET",
  "http_url": "http://foo.bar.de/",
  "http_user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0",
  "level": "warning",
  "msg": "The authentication handler encountered an error",
  "reason_id": "authentication_handler_error",
  "rule_id": "foo:protected",
  "service_name": "ORY Oathkeeper",
  "service_version": "v0.39.2",
  "time": "2022-09-03T14:14:34Z"
}
```
Both `kratos` and `oathkeeper` sit behind a HAProxy, while `oathkeeper` is directly communicating with `kratos` on `127.0.0.1`. Associated rule:

```yaml
- id: 'foo:protected'
  upstream:
    preserve_host: true
    url: 'http://127.0.0.1:4480'
  match:
    url: 'http://foo.bar.de/<**>'
    methods:
      - GET
      - POST
  authenticators:
    - handler: cookie_session
  mutators:
    - handler: noop
  authorizer:
    handler: allow
  errors:
    - handler: redirect
      config:
        to: https://login.bar.de/login
```
And config:
```yaml
log:
  level: debug
  format: json
  leak_sensitive_values: true

serve:
  proxy:
    cors:
      enabled: true
      allowed_origins:
        - http://foo.bar.de
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Content-Type
        - Cookie
      exposed_headers:
        - Content-Type
        - Set-Cookie
      allow_credentials: true
      debug: true

errors:
  fallback:
    - json

  handlers:
    redirect:
      enabled: true
      config:
        to: https://login.bar.de/login
        when:
          - error:
              - unauthorized
              - forbidden
            request:
              header:
                accept:
                  - text/html
    json:
      enabled: true
      config:
        verbose: true

access_rules:
  matching_strategy: glob
  repositories:
    - file:///etc/config/oathkeeper/rules.yml

authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest

  cookie_session:
    enabled: true
    config:
      check_session_url: http://127.0.0.1:4460/sessions/whoami
      preserve_path: true
      extra_from: '@this'
      subject_from: 'identity.id'

  noop:
    enabled: true

authorizers:
  allow:
    enabled: true

mutators:
  noop:
    enabled: true
```
Thank you!
m
Hello @bored-vegetable-68997 can you take a look at the examples in here: https://github.com/ory/examples/tree/master/oathkeeper Let me know if your use case is not covered. Would be great if we had an example for every common oathkeeper use case in that repo 🙂
b
Hi, I already fixed the issues. It had to do with my configuration of my docker networks. I will take a look at the examples and maybe contribute an example for a setup with `haproxy`