https://www.ory.sh/ logo
#talk-keto
Title
# talk-keto
g

green-waiter-57771

01/29/2022, 3:26 PM
I have created a relation-tuple in keto
{
"namespace": "default-namespace",
"object": "object",
"relation": "access",
"subject_id": "admin"
}
I have this rule configured on oathkeeper
{
"id": "test",
"match": {
"url": "<http://test.com/test>",
"methods": [
"GET"
]
},
"authenticators": [
{
"handler": "cookie_session"
}
],
"authorizer": {
"handler": "remote_json",
"config": {
"remote": "<http://ory-keto.auth-test.svc.cluster.local:4466/check>",
"payload": "{\"namespace\": \"default-namespace\",\n  \"object\": \"object\",\n  \"relation\": \"access\",\n \"subject_id\": \"{{ print $.Extra.identity.traits.role }}\"}"
}
},
"mutators": [
{
"handler": "noop"
}
]
}
authorizers:
allow:
enabled: true
deny:
enabled: true
remote_json:
enabled: true
config:
remote: <http://ory-keto.auth-test.svc.cluster.local:4466/check>
forward_response_headers_to_upstream: []
payload: |
{
"subject": "{{ print .Subject }}",
"resource": "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}"
}
I am using KRATOS for authentication and checking the session using cookie_session The authentication seems to be working fine
"identity": {
.....
"state": "active",
"traits": {
"email": "<mailto:mail@mail.com|mail@mail.com>",
"role": "admin"
}
Meanwhile in the authorization section I get this error
<.Extra.identity.traits.role>: nil pointer evaluating interface {}.traits]
I am excepting that oathkeeper will check identity.traits.role and match it with subject_id specified on relation-tuple (admin == admin) Is this the correct behaviour ? Has anyone else faced this problem before?
s

steep-lamp-91158

01/31/2022, 11:34 AM
I think you just have to remove the
$
before
.Extra
?
In this statement:
print $.Extra.identity.traits.role
g

green-waiter-57771

01/31/2022, 2:40 PM
I already tried that, still get the same error 😕 I am not sure what "extra" structure has
3 Views