# ory-network
a
I am using Ory Cloud (for Kratos and Keto), but I also need to use Oathkeeper. Until Oathkeeper is released on Ory Cloud, I want to host it on Google Cloud Run. I will switch this Oathkeeper from Cloud Run to Ory Cloud when Ory Cloud also brings Oathkeeper to Ory Cloud. I had some confusion about self-hosting Oathkeeper, so I thought to ask:

My backend APIs are on the api.abc.com domain. So, all the GET/POST/DELETE requests to the backend to fetch data from the DB will be made on this sub-domain.
_Domain for authentication_: auth.abc.com
_Cookie domain_: abc.com
CORS: Enabled

Question-1: Will we have to keep one more separate sub-domain for Oathkeeper, on which Oathkeeper will run? e.g. oathkeep.abc.com, or can Oathkeeper and the backend API use the same sub-domain (api.abc.com)?

Question-2: If we use a separate sub-domain (`oathkeep.abc.com`) for Oathkeeper, then for all the API requests that will be made to the backend API (api.abc.com) to fetch data:

Question-2a. Will they be made first to the Oathkeeper sub-domain, which then checks the session/authentication and redirects to the upstream every time, i.e. on each request? In this case aren't we creating a time lag at every request?

Question-2b. In this case of the request going first to the Oathkeeper sub-domain, which then redirects to the upstream sub-domain URL, if a POST request with JSON data has to be made to the backend API (api.abc.com), then will the JSON be submitted to (oathkeep.abc.com)?
h
Question 1: I would recommend running Ory Oathkeeper with the decision API and using a proxy like Nginx, Envoy, ... with an auth_filter that uses Ory Oathkeeper. Then, you can use Ory Oathkeeper on any URL you want as long as it goes through your API gateway! Alternatively, you can use Ory Oathkeeper as your API Gateway. So yes, that should be possible to work on the same sub-domain.

Question 2a: Oathkeeper supports caching for this if I recall correctly. In the end it will be a trade-off between performance and security (how often do you need to check to be secure, how often do you want to check to improve performance).

Question 2b: Given my answer from 1 I don’t think you need this.
And: welcome to Ory, glad to have you! Hope this answer helps 🙂
m
@high-optician-2097 I’m having an issue with Oathkeeper not being able to authenticate to Ory Cloud Keto. I assume there must be a way to do this?
h
@magnificent-engine-41970 I fear that there’s an open issue to get this done: https://github.com/ory/oathkeeper/issues/969 Unfortunately, both of our keto leads are currently OOO. But I’ll ping one of them to maybe just add this quickly to oathkeeper to unblock you
he should be back tomorrow
m
Perfect. Thank you for the quick response. I can work around the issue by calling Keto directly for now (dev only).
h
👍 perfect