https://www.ory.sh/ logo
#talk-oathkeeper
Title
# talk-oathkeeper
c

careful-engineer-44837

05/06/2022, 8:14 AM
Hi. I'm having trouble getting the
remote_json
authorizer to work with Keto. I've been following the Ory docs as well as some examples from
keto/contrib
as well as https://github.com/ory/examples. I've also read through all Github issues/discussions I could find but it's just not working Authorizer config for a protected resource in
access-rules.yml
Copy code
authorizers:
    - handler: remote_json
      config:
        remote: <http://keto:4466/check>
        forward_response_headers_to_upstream:
          - Content-Type
        retry:
          max_delay: 1s
          give_up_after: 1s
        payload: |
          {
            "subject_id": "{{ print .Subject }}",
            "relation": "access",
            "namespace": "services",
            "object": "someobject"
          }
Excerpt from
oathkeeper.yml
Copy code
authorizers:
  allow:
    enabled: true

  remote_json:
    enabled: true
    remote: <http://keto:4466/check>
    forward_response_headers_to_upstream:
      - Content-type
    retry:
      max_delay: 1s
      give_up_after: 1s
The error
Copy code
aits-msc-oathkeeper-1    | authorizers.remote_json: map[config:map[forward_response_headers_to_upstream:<nil> retry:map[give_up_after:1s max_delay:100ms]] enabled:true forward_response_headers_to_upstream:[Content-type] remote:<http://keto:4466/check> retry:map[give_up_after:1s max_delay:1s]]
aits-msc-oathkeeper-1    |                          ^-- oneOf failed
aits-msc-oathkeeper-1    |
aits-msc-oathkeeper-1    | authorizers.remote_json.config: map[forward_response_headers_to_upstream:<nil> retry:map[give_up_after:1s max_delay:100ms]]
aits-msc-oathkeeper-1    |                                 ^-- doesn't validate with "#/definitions/configAuthorizersRemoteJSON"
aits-msc-oathkeeper-1    |
aits-msc-oathkeeper-1    | authorizers.remote_json.config: map[forward_response_headers_to_upstream:<nil> retry:map[give_up_after:1s max_delay:100ms]]
aits-msc-oathkeeper-1    |                                 ^-- validation failed
aits-msc-oathkeeper-1    | 
aits-msc-oathkeeper-1    | authorizers.remote_json.config.remote: <nil>
aits-msc-oathkeeper-1    |                                        ^-- one or more required properties are missing
aits-msc-oathkeeper-1    |
aits-msc-oathkeeper-1    | authorizers.remote_json.config.forward_response_headers_to_upstream: <nil>
aits-msc-oathkeeper-1    |                                                                      ^-- expected array, but got null
aits-msc-oathkeeper-1    |
aits-msc-oathkeeper-1    | authorizers.remote_json.enabled: true
aits-msc-oathkeeper-1    |                                  ^-- value must be false
d

damp-sunset-69236

05/06/2022, 8:30 AM
Hello. I think that this might work for you. For
oathkeeper.yml
you need to have this configuration under
authorizers
Copy code
authorizers:
  allow:
    enabled: true

  remote_json:
    enabled: true
    config:
      remote: <http://keto:4466/check>
      payload: |
        { }
      forward_response_headers_to_upstream:
        - X-Foo
      retry:
        max_delay: 1s
        give_up_after: 1s
And for
access-rules.yml
Copy code
authorizer:
    handler: remote_json
    config:
      remote: <http://keto:4466/check>
      payload: |
        {
          "subject_id": "{{ print .Subject }}",
          "relation": "access",
          "namespace": "services",
          "object": "hello-world-service"
        }
@User ^^
c

careful-engineer-44837

05/06/2022, 8:38 AM
It works!! Thank you once again so much. But I'm curious, what exactly was the problem? Why is an empty payload
{}
required when access-rules.yml overwrites oathkeeper.yml anyway? And what is the header
X-Foo
for? If you don't mind me asking...
t

tall-angle-41306

05/06/2022, 8:41 AM
We had this yesterday with a different authorizer, it's because
payload
is a required field, and when oathkeeper first starts up, it's not aware of the rules until after it's loaded
oathkeeper.yml
- That's my understanding at least.
c

careful-engineer-44837

05/06/2022, 8:49 AM
I see! I was asking specifically because now that
oathkeeper.yml
is initialized with
{}
Oathkeeper seems to send an empty Keto query because now I'm getting
time=2022-05-06T08:46:18Z level=info msg=started handling request http_request=map[headers:map[accept-encoding:gzip content-length:117 content-type:application/json user-agent:Go-http-client/1.1] host:keto:4466 method:POST path:/check query:<nil> remote:192.168.80.2:53528 scheme:http]
(and ``query:<nil>`` has me curious)
d

damp-sunset-69236

05/06/2022, 9:03 AM
X-Foo
header is the header that comes from remote authorizer in case if you want to add additional headers.
c

careful-engineer-44837

05/06/2022, 9:14 AM
Got it! Does any one of you happen to know where I can read up on the templating values I can use in the payload? For example, I get that
.Subject
comes from the
AuthenticationSession
session struct but I'd appreciate an example with what value this field gets replaced with during runtime.
d

damp-sunset-69236

05/06/2022, 10:00 AM
We have this page in the documentation
c

careful-engineer-44837

05/06/2022, 10:02 AM
Yep found it already, but I need to know what
.Subject
evaluates to at runtime so I know what to put as my subject in a relation tuple. For example
.Subject -> <mailto:my@email.com|my@email.com>
or
.Subject -> some-uuid
?
https://www.ory.sh/docs/oathkeeper/pipeline#templating doesn't really tell me that as far as I can see
d

damp-sunset-69236

05/06/2022, 10:05 AM
Subject is some-uuid usually. It depends on cookie_session authenticator
c

careful-engineer-44837

05/06/2022, 11:55 AM
Hmm, weird. It's supposed to be the uuid from
identity.id
per my config
Copy code
preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session
      preserve_host: true
      additional_headers:
        accept: application/json
Copy code
groups:dev#member@7196439e-506b-46eb-9700-206feefee514
But Keto still evaluates it to "unauthorized".
^ This problem could be solved thanks to @User . See https://github.com/ory/oathkeeper/discussions/962
d

dry-apartment-19958

07/06/2022, 6:00 PM
I am having a similar issue, but I am using a JWT instead of a session. I posted a discussion and I am not sure why I am having an issue. Seems odd that
query:<nil>
is showing in the keto log. https://github.com/ory/oathkeeper/discussions/983
^ @damp-sunset-69236 @careful-engineer-44837
5 Views