How do I make Oathkeeper use a session token from...
# talk-oathkeeper
p
How do I make Oathkeeper use a session token from a header and validate it against the Kratos /whoami endpoint? This is my current configuration:
```yaml
authenticators:
  bearer_token:
    enabled: true
    config:
      check_session_url: https://mypath.projects.oryapis.com/sessions/whoami
      token_from:
        header: Authorization
      preserve_path: true
      forward_http_headers:
        - Authorization
```
I pass my token in the auth header like `Authorization: <my-token>`
But the response is always the same:
```json
{
  "error": {
    "code": 401,
    "status": "Unauthorized",
    "message": "Access credentials are invalid"
  }
}
```
f
Hi @proud-ram-78226, I also found the `Authorization` header unreliable when working with bearer tokens; instead I opted for approach number 2 and use the `X-Session-Token`
```yaml
bearer_token:
    enabled: true
    config:
      check_session_url: http://<KRATOSURL>/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      token_from:
        header: X-Session-Token
      forward_http_headers:
        - Authorization
        - X-Session-Token
```
p
thank you very much! this did the trick
f
@proud-ram-78226 the auth header should be like that `Authorization: Bearer <token>`, as the Bearer is the auth scheme. Can you try it?
I assume that the optional object `token_from` will change the requirement to have bearer