I’m trying to setup in an Ory hosted dev environment Oathkeeper. I can’t get the _cookie_session_ authenticator to work. For some weird reason, authenticator will reject my request to https://my.domain (and any other uri), but it will accept requests to *https://my.domain/sessions/whoami* Since it’s a dev env, I do not have a custom domain set, which may interfere with the cookies domain. Can Oathkeeper be effectively setup and tested without a custom domain?

If the cookie domain is the problem you probably need the Ory tunnel: https://www.ory.sh/docs/guides/cli/proxy-and-tunnel

That is what I am trying, but now I cannot get a tunnel to work in K8S. Using the project API key or a workspace API key still requires a browser to login… I am reading the doc back and forth but I do not understand how to run the tunnel in an automated environment.

I think you need both API keys.

Error: project API key is set but workspace is also set, please remove one

That is when setting both workspace and project API keys. Same message when setting one of the keys and passing a WS ID or a Project ID. That being said, it seems that the setting I need is

preserve_path: true

in my

cookie_session

config for Oathkeeper. when settings to true the token get’s checked correctly. I still need a tunnel to test my setup in a test environment, which is brittle IMO. I guess that is the side effect of having an old legacy PROD plan which does not include a staging environment.