Hi. I'm having trouble getting the

remote_json

authorizer to work with Keto. I've been following the Ory docs as well as some examples from

keto/contrib

as well as https://github.com/ory/examples. I've also read through all Github issues/discussions I could find but it's just not working Authorizer config for a protected resource in

access-rules.yml

authorizers:
    - handler: remote_json
      config:
        remote: <http://keto:4466/check>
        forward_response_headers_to_upstream:
          - Content-Type
        retry:
          max_delay: 1s
          give_up_after: 1s
        payload: |
          {
            "subject_id": "{{ print .Subject }}",
            "relation": "access",
            "namespace": "services",
            "object": "someobject"
          }

Excerpt from

oathkeeper.yml

authorizers:
  allow:
    enabled: true

  remote_json:
    enabled: true
    remote: <http://keto:4466/check>
    forward_response_headers_to_upstream:
      - Content-type
    retry:
      max_delay: 1s
      give_up_after: 1s

The error

aits-msc-oathkeeper-1    | authorizers.remote_json: map[config:map[forward_response_headers_to_upstream:<nil> retry:map[give_up_after:1s max_delay:100ms]] enabled:true forward_response_headers_to_upstream:[Content-type] remote:<http://keto:4466/check> retry:map[give_up_after:1s max_delay:1s]]
aits-msc-oathkeeper-1    |                          ^-- oneOf failed
aits-msc-oathkeeper-1    |
aits-msc-oathkeeper-1    | authorizers.remote_json.config: map[forward_response_headers_to_upstream:<nil> retry:map[give_up_after:1s max_delay:100ms]]
aits-msc-oathkeeper-1    |                                 ^-- doesn't validate with "#/definitions/configAuthorizersRemoteJSON"
aits-msc-oathkeeper-1    |
aits-msc-oathkeeper-1    | authorizers.remote_json.config: map[forward_response_headers_to_upstream:<nil> retry:map[give_up_after:1s max_delay:100ms]]
aits-msc-oathkeeper-1    |                                 ^-- validation failed
aits-msc-oathkeeper-1    | 
aits-msc-oathkeeper-1    | authorizers.remote_json.config.remote: <nil>
aits-msc-oathkeeper-1    |                                        ^-- one or more required properties are missing
aits-msc-oathkeeper-1    |
aits-msc-oathkeeper-1    | authorizers.remote_json.config.forward_response_headers_to_upstream: <nil>
aits-msc-oathkeeper-1    |                                                                      ^-- expected array, but got null
aits-msc-oathkeeper-1    |
aits-msc-oathkeeper-1    | authorizers.remote_json.enabled: true
aits-msc-oathkeeper-1    |                                  ^-- value must be false

Hello. I think that this might work for you. For

oathkeeper.yml

you need to have this configuration under

authorizers

authorizers:
  allow:
    enabled: true

  remote_json:
    enabled: true
    config:
      remote: <http://keto:4466/check>
      payload: |
        { }
      forward_response_headers_to_upstream:
        - X-Foo
      retry:
        max_delay: 1s
        give_up_after: 1s

And for

access-rules.yml

authorizer:
    handler: remote_json
    config:
      remote: <http://keto:4466/check>
      payload: |
        {
          "subject_id": "{{ print .Subject }}",
          "relation": "access",
          "namespace": "services",
          "object": "hello-world-service"
        }

It works!! Thank you once again so much. But I'm curious, what exactly was the problem? Why is an empty payload

{}

required when access-rules.yml overwrites oathkeeper.yml anyway? And what is the header

X-Foo

for? If you don't mind me asking...

We had this yesterday with a different authorizer, it's because

payload

is a required field, and when oathkeeper first starts up, it's not aware of the rules until after it's loaded

oathkeeper.yml

- That's my understanding at least.

I see! I was asking specifically because now that

oathkeeper.yml

is initialized with

{}

Oathkeeper seems to send an empty Keto query because now I'm getting

time=2022-05-06T08:46:18Z level=info msg=started handling request http_request=map[headers:map[accept-encoding:gzip content-length:117 content-type:application/json user-agent:Go-http-client/1.1] host:keto:4466 method:POST path:/check query:<nil> remote:192.168.80.2:53528 scheme:http]

(and ``query:<nil>`` has me curious)

X-Foo

header is the header that comes from remote authorizer in case if you want to add additional headers.

Got it! Does any one of you happen to know where I can read up on the templating values I can use in the payload? For example, I get that

.Subject

comes from the

AuthenticationSession

session struct but I'd appreciate an example with what value this field gets replaced with during runtime.

We have this page in the documentation

Yep found it already, but I need to know what

.Subject

evaluates to at runtime so I know what to put as my subject in a relation tuple. For example

.Subject -> <mailto:my@email.com|my@email.com>

or

.Subject -> some-uuid

?

Subject is some-uuid usually. It depends on cookie_session authenticator

Hmm, weird. It's supposed to be the uuid from

identity.id

per my config

preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session
      preserve_host: true
      additional_headers:
        accept: application/json

groups:dev#member@7196439e-506b-46eb-9700-206feefee514

But Keto still evaluates it to "unauthorized".

I am having a similar issue, but I am using a JWT instead of a session. I posted a discussion and I am not sure why I am having an issue. Seems odd that

query:<nil>

is showing in the keto log. https://github.com/ory/oathkeeper/discussions/983