# contributors
o
I have two more cases that might require some patches to Oathkeeper, specifically the `bearer_token` authenticator.

1. We have some legacy application that uses the `Authorization` header with `AccessToken` instead of `Bearer`, which is incompatible as the authenticator just ignores it if the first part is not `Bearer`. I would like to add an option or something to accept something other than `Bearer` so we can still use the `bearer_token` authenticator.
2. This legacy application at the same time will also accept basic auth credentials that are stored as OAuth2 clients in Hydra using `oauth2_client_credentials`. Currently there is no way for the `check_session_url` in the `bearer_token` authenticator to indicate that Oathkeeper should jump to the next authenticator (`authn.ErrAuthenticatorNotResponsible.Error()`). Would it be alright if I add, for example, an HTTP response code like HTTP 406 Not Acceptable (or something else) to trigger this from the session store application?

What do you think about these changes, could you see at least the ideas being accepted upstream (of course depending on the implementation)?
h
1: Sounds good

2: Interesting approach! I was thinking for a long time how to resolve such a use case. I think it requires quite a lot of testing to ensure it works well and maybe we want to run checks in parallel to improve response times? But I think a solution like this would be pretty good!
o
I still have to add some documentation and clean up some things, but I have opened a pull request for these changes: https://github.com/ory/oathkeeper/pull/982