# ory-selfhosting
```json
[
  {
    "id": "helloworld:protected1",
    "upstream": {
      "preserve_host": true,
      "url": "http://host.docker.internal:8080"
    },
    "match": {
      "url": "http://127.0.0.1:4455/<**>",
      "methods": [
        "GET",
        "POST",
        "PUT",
        "DELETE",
        "PATCH"
      ]
    },
    "authenticators": [
      {
        "handler": "noop"
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [
      {
        "handler": "noop"
      }
    ]
  },
  {
    "id": "helloworld:protected2",
    "upstream": {
      "preserve_host": true,
      "url": "http://host.docker.internal:8080"
    },
    "match": {
      "url": "http://127.0.0.1:4455/hello",
      "methods": [
        "GET"
      ]
    },
    "authenticators": [
      {
        "handler": "bearer_token"
      }
    ],
    "authorizer": {
      "handler": "remote_json"
    },
    "mutators": [
      {
        "handler": "id_token"
      }
    ]
  }
]
```
1. All requests to Oathkeeper match my app.
2. I want to set an endpoint, http://127.0.0.1:4455/hello, that must require authentication and authorization, but I got this message when calling this endpoint:
"message": "Expected exactly one rule but found multiple rules"
Could anyone suggest a way to solve this? Thank you!
It might be because the following rules match each other: http://127.0.0.1:4455/<**> and http://127.0.0.1:4455/hello. The 1st rule will match the /hello endpoint as well. But apart from that, what you're doing is kind of wrong from a security standpoint. Security follows the principle of least access. Hence:
1. By default, you must deny access to all endpoints without authentication.
2. Only allow the unsecured endpoints selectively.
Yes, I figured it out. From a security standpoint, you are right. I am new to Ory, so I changed it and saw how it worked on the demo. Thank you so much!
Assume I have some APIs:
```text
http://127.0.0.1:4455/hello
http://127.0.0.1:4455/welcome
http://127.0.0.1:4455/health
http://127.0.0.1:4455/dashboard
...
```
I want to protect http://127.0.0.1:4455/dashboard and http://127.0.0.1:4455/hello; the other APIs are public. As you said, we must deny access to all endpoints without authentication, and afterwards make some APIs public. So I have access rules like:
```json
[
  {
    "id": "helloworld:protected",
    "upstream": {
      "preserve_host": true,
      "url": "http://host.docker.internal:8080"
    },
    "match": {
      "url": "http://127.0.0.1:4455/<**>",
      "methods": [
        "GET",
        "POST",
        "PUT",
        "DELETE",
        "PATCH"
      ]
    },
    "authenticators": [
      {
        "handler": "bearer_token"
      }
    ],
...
  },
  {
    "id": "helloworld:public1",
    "upstream": {
      "preserve_host": true,
      "url": "http://host.docker.internal:8080"
    },
    "match": {
      "url": "http://127.0.0.1:4455/hello",
      "methods": [
        "GET"
      ]
    },
...,
  {
    "id": "helloworld:public2",
    "upstream": {
      "preserve_host": true,
      "url": "http://host.docker.internal:8080"
    },
    "match": {
      "url": "http://127.0.0.1:4455/dashboard",
      "methods": [
        "GET"
      ]
    },
...
  }
]
```
So I must write many, many matchers, but as in my code above, http://127.0.0.1:4455/<**> includes http://127.0.0.1:4455/dashboard and http://127.0.0.1:4455/hello, so I also get the error:
"message": "Expected exactly one rule but found multiple rules"
Do you have any suggestion for this?
There are 2 approaches:
1. I haven't tried Oathkeeper yet, but I think it works based on the order of the rules as well. Or there would be something to define priority. In case it does, then you can have the APIs you allow before the general deny rule.
2. You can try to divide your APIs into subpaths. For example:
http://127.0.0.1:4455/public
http://127.0.0.1:4455/private/.... <- Authenticated
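To see both the overlap behind the "Expected exactly one rule" error in the question above and the subpath split suggested in this reply, here is an added Python model of rule matching. It is my own example, not Oathkeeper's code and not from the thread. It assumes glob-style patterns where `<**>` matches any remainder of the URL (slashes included) and `<*>` matches one path segment, requires exactly one matching rule as the error message on the page does, and rejects a request that matches no rule; the rule sets are constructed for illustration.

```python
"""Toy model of Oathkeeper-style access-rule matching.

Added example, not Oathkeeper's own code. Assumptions: patterns use glob
syntax where <**> matches any remainder of the URL (slashes included) and
<*> matches a single path segment; a request that matches no rule is
rejected. The rule sets below are constructed for illustration.
"""
import re

BASE = "http://127.0.0.1:4455"
ALL_METHODS = ["GET", "POST", "PUT", "DELETE", "PATCH"]


def rule(rule_id, url, methods, authenticator):
    """Build a minimal access rule in the shape used in the thread."""
    return {
        "id": rule_id,
        "match": {"url": url, "methods": methods},
        "authenticators": [{"handler": authenticator}],
    }


def glob_to_regex(pattern):
    """Translate a <glob>-style URL pattern into an anchored regex.

    Everything outside <...> is literal; only <**> and <*> are supported.
    """
    out, pos = "", 0
    for m in re.finditer(r"<([^>]*)>", pattern):
        out += re.escape(pattern[pos:m.start()])
        if m.group(1) == "**":
            out += ".*"          # rest of the URL, slashes included
        elif m.group(1) == "*":
            out += "[^/]*"       # exactly one path segment
        else:
            raise ValueError("unsupported glob: " + m.group(1))
        pos = m.end()
    out += re.escape(pattern[pos:])
    return re.compile("^" + out + "$")


def matching_rules(rules, method, url):
    """All rules whose method list and URL pattern match the request."""
    return [
        r for r in rules
        if method in r["match"]["methods"]
        and glob_to_regex(r["match"]["url"]).match(url)
    ]


def resolve(rules, method, url):
    """Return the id of the single matching rule, or a labelled rejection."""
    hits = matching_rules(rules, method, url)
    if not hits:
        return "rejected: no rule matches"
    if len(hits) > 1:
        ids = ", ".join(r["id"] for r in hits)
        return ("rejected: Expected exactly one rule but found multiple rules"
                " (" + ids + ")")
    return hits[0]["id"]


# Layout from the thread: a catch-all deny-by-default rule plus a public rule.
# Both patterns match GET /hello, which is the error the question reports.
OVERLAPPING_RULES = [
    rule("helloworld:protected", BASE + "/<**>", ALL_METHODS, "bearer_token"),
    rule("helloworld:public1", BASE + "/hello", ["GET"], "noop"),
]

# Subpath split from the reply: the two prefixes are disjoint, so at most
# one rule can match any request; anything outside them matches nothing.
SPLIT_RULES = [
    rule("helloworld:public", BASE + "/public/<**>", ["GET"], "noop"),
    rule("helloworld:private", BASE + "/private/<**>", ALL_METHODS, "bearer_token"),
]


if __name__ == "__main__":
    print(resolve(OVERLAPPING_RULES, "GET", BASE + "/hello"))
    print(resolve(OVERLAPPING_RULES, "POST", BASE + "/hello"))
    print(resolve(SPLIT_RULES, "GET", BASE + "/public/hello"))
    print(resolve(SPLIT_RULES, "GET", BASE + "/private/dashboard"))
    print(resolve(SPLIT_RULES, "GET", BASE + "/unlisted"))
```

The first call reproduces the overlap: the catch-all and the `/hello` rule both match a GET, so the request is rejected rather than served by either. The second shows that the method list is part of the match, so a POST to `/hello` is caught only by the catch-all. Under the split layout each request matches at most one rule, and a path under neither prefix (`/unlisted`) matches nothing and is rejected, which is the deny-by-default posture the earlier reply asks for; when adding a new public route, the check worth running is that its pattern does not also match anything under the private prefix.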
Thank you, I will try them.