# general
Hey everyone! We’re encountering an issue where OAuth2 introspection works locally with our Hydra instance but fails on Ory Network with a 401 Unauthorized when going via Traefik ForwardAuth -> Oathkeeper -> Hydra.

What’s Happening?

1. Locally (Hydra logs):
   - The rule matches, and introspection *is attempted*.
   - If we switch the authenticator to anonymous, the decision endpoint returns 200, confirming the rule is being matched.
   - This suggests the issue is either the introspection handler or the authorization header.
2. On Ory Network:
   - Oathkeeper logs say we do not match any rules when using oauth2_introspection.
   - However, switching to anonymous works, proving that a rule does match.

---

🛠️ Debugging Steps We Took

- Confirmed ACCESS_TOKEN is correct by calling the introspection endpoint directly.
- Confirmed the rule matches by switching to anonymous (decision endpoint returns 200).
- Verified that locally, introspection is attempted.
- Checked Ory Network logs—rule does not match unless we use anonymous.
- Tried different introspection request headers with the Ory Network API key.

---

Questions

1. Why does the rule fail to match when using oauth2_introspection on Ory Network but not locally?
2. Is there a way to log incoming requests to introspection on Ory Network to debug what’s being sent?

Would appreciate any insights—thanks in advance! 🚀 More details in the comment 🧵
---

Relevant Client Configuration

- "grant_types": ["authorization_code", "refresh_token"],
- "response_types": ["code"],
- "scope": "offline_access, business/orders:read",
- "token_endpoint_auth_method": "client_secret_post"

---

Oathkeeper Configuration
```yaml
authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  bearer_token:
    enabled: true
    config:
      check_session_url: http://disabled
  oauth2_introspection:
    enabled: true
    config:
      introspection_url: http://localhost:4445/admin/oauth2/introspect
      token_from:
        header: Authorization
      retry:
        max_delay: 300ms
        give_up_after: 2s
      cache:
        enabled: true
        ttl: 60s
      introspection_request_headers:
        Authorization: "thisIsEnvironmentSpecific"
```
---

Rule Template

```yaml
- id: $ENVIRONMENT
  match:
    url: "$API_SERVICE_URL/<.*>"
    methods:
      - GET
      - PATCH
      - POST
      - PUT
      - DELETE
  authenticators:
    - handler: oauth2_introspection
      config:
        introspection_url: "$HYDRA_ADMIN_URL/admin/oauth2/introspect"
        token_from:
          header: Authorization
        retry:
          max_delay: 300ms
          give_up_after: 2s
        cache:
          enabled: true
          ttl: 60s
        introspection_request_headers:
          Authorization: "Bearer $ORY_NETWORK_PROJECT_API_KEY"
  authorizer:
    handler: allow
  mutators:
    - handler: noop
  errors:
    - handler: json
```
Traefik Middleware Definition:

```yaml
extraObjects:
  - |
    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: ory-oathkeeper-forward-auth
    spec:
      forwardAuth:
        address: http://acme-api-ory-oathkeeper-api.{{ .Release.Namespace }}:4456/decisions
        trustForwardHeader: true
        authResponseHeaders:
          - Authentication
```
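A 401 from the decision endpoint can come from three different places in the oauth2_introspection hop: no bearer token in the configured header, the introspection endpoint itself rejecting the call (for example because the `introspection_request_headers` value it receives is not the project API key it expects), or the token being reported inactive. The following Python script is an added, self-contained example (not Ory's code and not from the post above): it stands up a mock introspection endpoint that demands a bearer project API key, as a hosted admin API would, and then replays the authenticator's request against it so each failure mode can be reproduced offline. It assumes the authenticator POSTs the token as a form field named `token`; the API key, access token and endpoint path are constructed stand-ins.

```python
"""Replay the oauth2_introspection hop against a mock introspection endpoint
and report at which stage a request is rejected. Constructed example."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Constructed values standing in for the real project API key and access token.
EXPECTED_API_KEY = "ory_pat_constructed_example"
VALID_ACCESS_TOKEN = "ory_at_constructed_example"


class MockIntrospection(BaseHTTPRequestHandler):
    """Stand-in for POST /admin/oauth2/introspect (not Hydra itself).

    Rejects the call with 401 unless the caller presents the project API key,
    then reports whether the submitted token is active.
    """

    def do_POST(self):
        if self.path != "/admin/oauth2/introspect":
            self._reply(404, {"error": "not found"})
            return
        if self.headers.get("Authorization") != f"Bearer {EXPECTED_API_KEY}":
            # This is the branch a wrong introspection_request_headers value hits.
            self._reply(401, {"error": "unauthorized"})
            return
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        token = form.get("token", [""])[0]  # assumed form field name
        if token == VALID_ACCESS_TOKEN:
            self._reply(200, {"active": True, "sub": "user-1",
                              "scope": "offline_access business/orders:read"})
        else:
            self._reply(200, {"active": False})

    def _reply(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *_):
        pass  # keep the example quiet


def start_mock_server():
    """Bind the mock on a free loopback port; returns (server, introspection_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockIntrospection)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    return server, f"http://127.0.0.1:{port}/admin/oauth2/introspect"


def introspect(introspection_url, request_headers, authorization_header):
    """Replay one authenticator run. Returns (stage, status, body).

    stage is one of: token_from (no bearer token in the incoming header),
    introspection_auth (endpoint rejected the call), token_inactive, ok.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return ("token_from", 401, None)
    token = authorization_header[len("Bearer "):]
    headers = {"Content-Type": "application/x-www-form-urlencoded", **request_headers}
    req = Request(introspection_url, data=urlencode({"token": token}).encode(),
                  headers=headers, method="POST")
    try:
        with urlopen(req) as resp:
            body = json.loads(resp.read())
    except HTTPError as err:
        return ("introspection_auth", err.code, None)
    if not body.get("active"):
        return ("token_inactive", 401, body)
    return ("ok", 200, body)


if __name__ == "__main__":
    server, url = start_mock_server()
    good = {"Authorization": f"Bearer {EXPECTED_API_KEY}"}
    for label, hdrs, incoming in [
        ("correct key, valid token", good, f"Bearer {VALID_ACCESS_TOKEN}"),
        ("placeholder key", {"Authorization": "thisIsEnvironmentSpecific"}, f"Bearer {VALID_ACCESS_TOKEN}"),
        ("correct key, bad token", good, "Bearer not-a-real-token"),
        ("no bearer header", good, None),
    ]:
        print(label, "->", introspect(url, hdrs, incoming)[:2])
    server.shutdown()
    server.server_close()
```

Run it once as-is, then point `introspection_url` at the real endpoint and reuse the same `request_headers` value your rule template renders: if the stage reported is `introspection_auth`, the endpoint rejected the API key before it ever looked at the access token, which is indistinguishable from a non-matching rule in a coarse log.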