# ory-network
f
Hi everyone, @gentle-bird-90474 and I are experiencing an issue with Oathkeeper that is blocking us from using our unauthenticated/open APIs. We have set our Oathkeeper rules for our endpoint to have the following authenticators:
```
authenticators:
    - handler: cookie_session
    - handler: anonymous
    - handler: bearer_token
```
And whenever we make an unauthenticated request (without a session cookie), but containing ANY other cookie (such as a simple `test=helloWorld`), it returns a 401 and ignores our `anonymous` rule. If we remove all cookies and perform the same request, it works as intended and is handled as an `anonymous` request. Steps to reproduce can be setting these same authenticator rules and simply adding a cookie to the page (e.g. `document.cookie = "test=helloWorld";`). Then calling any endpoint that has those rules will return a 401, even though the `anonymous` handler is there. Could someone have a look? Thank you!
r
Had a similar issue and split my rules and I think ended up with noop handler on some routes.
Don't want to rule out that I am misunderstanding something. Maybe a bug report on GitHub would be better? Especially if you have a short example.
f
Makes sense, I am creating a bug report today and will send it later here in this thread.
I have created this bug ticket about this issue. Unfortunately we were still not able to solve it and are getting a 401 whenever we make an unauthenticated request with any cookie to an endpoint that has both the `anonymous` and the `cookie_session` authenticators.
g
Dear Ory team! This is a real blocker for us. If we cannot solve this or (temporarily) work around this issue, we’ll have to consider replacing Ory Cloud with something else.