careful-engineer-44837
04/29/2022, 2:19 PM
cookie_session but Oathkeeper somehow cannot validate it. The request gets redirected to the appropriate Ory Cloud /sessions/whoami path for validation and Ory Cloud sets an appropriate Ory Session cookie. The scope of that cookie seems fine too (.domain.com with cookie path /). When I change the authorization handler to noop it works fine and I can access the protected resource. Any ideas what I might be doing wrong?

damp-sunset-69236
05/02/2022, 8:11 AM

careful-engineer-44837
05/02/2022, 8:14 AM

careful-engineer-44837
05/02/2022, 9:24 AM
log:
  level: debug
  format: json
serve:
  proxy:
    cors:
      enabled: true
      allowed_origins:
        - "*"
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Content-Type
      exposed_headers:
        - Content-Type
      allow_credentials: true
      debug: true
errors:
  fallback:
    - json
  handlers:
    redirect:
      enabled: true
      config:
        to: https://ory.domain.com/ui/login
        when:
          - error:
              - unauthorized
              - forbidden
            request:
              header:
                accept:
                  - text/html
    json:
      enabled: true
      config:
        verbose: true
access_rules:
  matching_strategy: glob
  repositories:
    - file:///etc/config/oathkeeper/access-rules.yml
authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  cookie_session:
    enabled: true
    config:
      check_session_url: https://ory.domain.com/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session
  noop:
    enabled: true
authorizers:
  allow:
    enabled: true
mutators:
  noop:
    enabled: true
access-rules.yml
- id: "api:other-world-protected"
  upstream:
    preserve_host: true
    url: "http://other-world:8090"
  match:
    url: "http://oathkeeper:4455/otherworld"
    methods:
      - GET
  authenticators:
    - handler: cookie_session
  mutators:
    - handler: noop
  authorizer:
    handler: allow
  errors:
    - handler: redirect
      config:
        to: https://ory.domain.com/ui/login
- id: "api:health-check-protected"
  upstream:
    preserve_host: true
    url: "http://health-check:8090"
  match:
    url: "http://oathkeeper:4455/health"
    methods:
      - GET
  authenticators:
    - handler: noop
  mutators:
    - handler: noop
  authorizer:
    handler: allow
  errors:
    - handler: redirect
      config:
        to: https://ory.domain.com/ui/login
The corresponding Oathkeeper log
[cors] 2022/05/02 09:23:00 Handler: Actual request
[cors] 2022/05/02 09:23:00 Actual request no headers added: missing origin
{"http_request":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate, br","accept-language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7","cookie":"Value is sensitive and has been redacted. To see the value set config key \"log.leak_sensitive_values = true\" or environment variable \"LOG_LEAK_SENSITIVE_VALUES=true\".","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"},"host":"oathkeeper:4455","method":"GET","path":"/otherworld","query":null,"remote":"172.30.0.4:55962","scheme":"http"},"level":"info","msg":"started handling request","time":"2022-05-02T09:23:00Z"}
{"audience":"application","error":{"debug":"","message":"Access credentials are invalid","reason":"","status":"Unauthorized","status_code":401},"granted":false,"http_host":"oathkeeper:4455","http_method":"GET","http_url":"http://oathkeeper:4455/otherworld","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36","level":"warning","msg":"No authentication handler was responsible for handling the authentication request","reason_id":"authentication_handler_no_match","rule_id":"api:other-world-protected","service_name":"ORY Oathkeeper","service_version":"v0.38.25-beta.1","time":"2022-05-02T09:23:00Z"}
{"audience":"application","error":{"debug":"","message":"Access credentials are invalid","reason":"","status":"Unauthorized","status_code":401},"granted":false,"http_host":"oathkeeper:4455","http_method":"GET","http_url":"http://oathkeeper:4455/otherworld","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36","level":"warning","msg":"Access request denied","service_name":"ORY Oathkeeper","service_version":"v0.38.25-beta.1","time":"2022-05-02T09:23:00Z"}
{"http_request":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate, br","accept-language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7","cookie":"Value is sensitive and has been redacted. To see the value set config key \"log.leak_sensitive_values = true\" or environment variable \"LOG_LEAK_SENSITIVE_VALUES=true\".","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"},"host":"oathkeeper:4455","method":"GET","path":"/otherworld","query":null,"remote":"172.30.0.4:55962","scheme":"http"},"http_response":{"status":302,"text_status":"Found","took":1386284},"level":"info","msg":"completed handling request","time":"2022-05-02T09:23:00Z"}
The first two lines of the log seemed suspicious to me so I switched CORS off in the Oathkeeper config but that didn't help.

careful-engineer-44837
05/02/2022, 2:46 PM
cookie_session authenticator that "Please note that Gzipped responses from check_session_url are not supported, and will fail silently." Upon inspection of the response from ory.domain.com/sessions/whoami it seems that the response is indeed gzipped. I conclude that because the flag content-encoding: gzip is set in the response headers. Is there any way to switch this off in Ory Cloud? If that is actually the problem I don't see any options in Ory Cloud to switch this off.

damp-sunset-69236
05/02/2022, 3:28 PM
Accept: application/json and removing the Accept-Encoding header could help you

careful-engineer-44837
05/02/2022, 3:29 PM

damp-sunset-69236
05/02/2022, 5:02 PM
additional_headers
cookie_session:
  enabled: true
  config:
    check_session_url: http://host.docker.internal:4000/.ory/sessions/whoami
    preserve_path: true
    extra_from: "@this"
    subject_from: "identity.id"
    additional_headers:
      accept: application/json # that would override the accept header and disable gzip compression