green-waiter-57771
01/29/2022, 3:26 PM
{
  "namespace": "default-namespace",
  "object": "object",
  "relation": "access",
  "subject_id": "admin"
}
I have this rule configured on oathkeeper
{
  "id": "test",
  "match": {
    "url": "http://test.com/test",
    "methods": [
      "GET"
    ]
  },
  "authenticators": [
    {
      "handler": "cookie_session"
    }
  ],
  "authorizer": {
    "handler": "remote_json",
    "config": {
      "remote": "http://ory-keto.auth-test.svc.cluster.local:4466/check",
      "payload": "{\"namespace\": \"default-namespace\",\n \"object\": \"object\",\n \"relation\": \"access\",\n \"subject_id\": \"{{ print $.Extra.identity.traits.role }}\"}"
    }
  },
  "mutators": [
    {
      "handler": "noop"
    }
  ]
}
authorizers:
  allow:
    enabled: true
  deny:
    enabled: true
  remote_json:
    enabled: true
    config:
      remote: http://ory-keto.auth-test.svc.cluster.local:4466/check
      forward_response_headers_to_upstream: []
      payload: |
        {
          "subject": "{{ print .Subject }}",
          "resource": "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}"
        }
I am using KRATOS for authentication and checking the session using cookie_session
The authentication seems to be working fine
"identity": {
  .....
  "state": "active",
  "traits": {
    "email": "mail@mail.com",
    "role": "admin"
  }
Meanwhile in the authorization section I get this error
<.Extra.identity.traits.role>: nil pointer evaluating interface {}.traits]
I am expecting that oathkeeper will check identity.traits.role and match it with subject_id specified on relation-tuple (admin == admin)
Is this the correct behaviour?
Has anyone else faced this problem before?
steep-lamp-91158
$ before .Extra?
print $.Extra.identity.traits.role
green-waiter-57771
01/31/2022, 2:40 PM