# talk-keto
g
I have created a relation-tuple in keto:
```json
{
  "namespace": "default-namespace",
  "object": "object",
  "relation": "access",
  "subject_id": "admin"
}
```
I have this rule configured on oathkeeper:
```json
{
  "id": "test",
  "match": {
    "url": "http://test.com/test",
    "methods": [
      "GET"
    ]
  },
  "authenticators": [
    {
      "handler": "cookie_session"
    }
  ],
  "authorizer": {
    "handler": "remote_json",
    "config": {
      "remote": "http://ory-keto.auth-test.svc.cluster.local:4466/check",
      "payload": "{\"namespace\": \"default-namespace\",\n  \"object\": \"object\",\n  \"relation\": \"access\",\n \"subject_id\": \"{{ print $.Extra.identity.traits.role }}\"}"
    }
  },
  "mutators": [
    {
      "handler": "noop"
    }
  ]
}
```
```yaml
authorizers:
  allow:
    enabled: true
  deny:
    enabled: true
  remote_json:
    enabled: true
    config:
      remote: http://ory-keto.auth-test.svc.cluster.local:4466/check
      forward_response_headers_to_upstream: []
      payload: |
        {
          "subject": "{{ print .Subject }}",
          "resource": "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}"
        }
```
I am using KRATOS for authentication and checking the session using `cookie_session`. The authentication seems to be working fine:
```
"identity": {
  .....
  "state": "active",
  "traits": {
    "email": "mail@mail.com",
    "role": "admin"
  }
```
Meanwhile, in the authorization section I get this error:
```
<.Extra.identity.traits.role>: nil pointer evaluating interface {}.traits]
```
I am expecting that oathkeeper will check `identity.traits.role` and match it with the `subject_id` specified on the relation-tuple (admin == admin). Is this the correct behaviour? Has anyone else faced this problem before?
s
I think you just have to remove the `$` before `.Extra`? In this statement: `print $.Extra.identity.traits.role`
g
I already tried that, still get the same error 😕 I am not sure what "extra" structure has