# talk-oathkeeper

careful-engineer-44837

04/29/2022, 2:19 PM
I'd like to rephrase that problem because I could now pinpoint what the problem is. However, I don't really know yet how to solve it. The problem is the Oathkeeper authentication handler for aws.domain.com/otherworld. It is set to `cookie_session`, but Oathkeeper somehow cannot validate it. The request gets redirected to the appropriate Ory Cloud `/sessions/whoami` path for validation and Ory Cloud sets an appropriate Ory Session cookie. The scope of that cookie seems fine too (.domain.com with cookie path /). When I change the authorization handler to noop it works fine and I can access the protected resource. Any ideas what I might be doing wrong?

damp-sunset-69236

05/02/2022, 8:11 AM
Hello. Could you please share access-rules and oathkeeper.yml? Please remove any sensitive information

careful-engineer-44837

05/02/2022, 8:14 AM
Hey. I'm pretty sure the problem is the reverse proxy not serving HTTPS right now. I inspected the issued cookie and it has the Secure flag set. It only makes sense that the browser wouldn't include it in my unsecured request to a different subdomain. I'm in the process of installing a certificate. If that won't fix it I'll share all the necessary configs 🙂
So unfortunately that didn't solve the overall problem, but at least my browser now sends the Session cookie with the request. I still get redirected to Ory login even after being authorized (makes sense since that is the default error handler). Somehow Oathkeeper is not able to extract and process the Session cookie. Is it possible that my Nginx reverse proxy somehow interferes with the request in a destructive way?

Oathkeeper.yml
log:
  level: debug
  format: json

serve:
  proxy:
    cors:
      enabled: true
      allowed_origins:
        - "*"
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Content-Type
      exposed_headers:
        - Content-Type
      allow_credentials: true
      debug: true

errors:
  fallback:
    - json

  handlers:
    redirect:
      enabled: true
      config:
        to: https://ory.domain.com/ui/login
        when:
          -
            error:
              - unauthorized
              - forbidden
            request:
              header:
                accept:
                  - text/html
    json:
      enabled: true
      config:
        verbose: true

access_rules:
  matching_strategy: glob
  repositories:
    - file:///etc/config/oathkeeper/access-rules.yml

authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest

  cookie_session:
    enabled: true
    config:
      check_session_url: https://ory.domain.com/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session

  noop:
    enabled: true

authorizers:
  allow:
    enabled: true

mutators:
  noop:
    enabled: true
access-rules.yml
- id: "api:other-world-protected"
  upstream:
    preserve_host: true
    url: "http://other-world:8090"
  match:
    url: "http://oathkeeper:4455/otherworld"
    methods:
      - GET
  authenticators:
    - handler: cookie_session
  mutators:
    - handler: noop
  authorizer:
    handler: allow
  errors:
    - handler: redirect
      config:
        to: https://ory.domain.com/ui/login

- id: "api:health-check-protected"
  upstream:
    preserve_host: true
    url: "http://health-check:8090"
  match:
    url: "http://oathkeeper:4455/health"
    methods:
      - GET
  authenticators:
    - handler: noop
  mutators:
    - handler: noop
  authorizer:
    handler: allow
  errors:
    - handler: redirect
      config:
        to: https://ory.domain.com/ui/login
The corresponding Oathkeeper log
[cors] 2022/05/02 09:23:00 Handler: Actual request
[cors] 2022/05/02 09:23:00   Actual request no headers added: missing origin
{"http_request":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate, br","accept-language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7","cookie":"Value is sensitive and has been redacted. To see the value set config key \"log.leak_sensitive_values = true\" or environment variable \"LOG_LEAK_SENSITIVE_VALUES=true\".","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"},"host":"oathkeeper:4455","method":"GET","path":"/otherworld","query":null,"remote":"172.30.0.4:55962","scheme":"http"},"level":"info","msg":"started handling request","time":"2022-05-02T09:23:00Z"}
{"audience":"application","error":{"debug":"","message":"Access credentials are invalid","reason":"","status":"Unauthorized","status_code":401},"granted":false,"http_host":"oathkeeper:4455","http_method":"GET","http_url":"http://oathkeeper:4455/otherworld","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36","level":"warning","msg":"No authentication handler was responsible for handling the authentication request","reason_id":"authentication_handler_no_match","rule_id":"api:other-world-protected","service_name":"ORY Oathkeeper","service_version":"v0.38.25-beta.1","time":"2022-05-02T09:23:00Z"}
{"audience":"application","error":{"debug":"","message":"Access credentials are invalid","reason":"","status":"Unauthorized","status_code":401},"granted":false,"http_host":"oathkeeper:4455","http_method":"GET","http_url":"http://oathkeeper:4455/otherworld","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36","level":"warning","msg":"Access request denied","service_name":"ORY Oathkeeper","service_version":"v0.38.25-beta.1","time":"2022-05-02T09:23:00Z"}
{"http_request":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate, br","accept-language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7","cookie":"Value is sensitive and has been redacted. To see the value set config key \"log.leak_sensitive_values = true\" or environment variable \"LOG_LEAK_SENSITIVE_VALUES=true\".","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"},"host":"oathkeeper:4455","method":"GET","path":"/otherworld","query":null,"remote":"172.30.0.4:55962","scheme":"http"},"http_response":{"status":302,"text_status":"Found","took":1386284},"level":"info","msg":"completed handling request","time":"2022-05-02T09:23:00Z"}
The first two lines of the log seemed suspicious to me so I switched CORS off in the oathkeeper config but that didn't help.
@User I've discovered something interesting. The docs state for the `cookie_session` authenticator that "Please note that Gzipped responses from `check_session_url` are not supported, and will fail silently." Upon inspection of the response from ory.domain.com/sessions/whoami it seems that the response is indeed gzipped. I conclude that because the flag `content-encoding: gzip` is set in the response headers. Is there any way to switch this off in Ory Cloud? If that is actually the problem I don't see any options in Ory Cloud to switch this off.

damp-sunset-69236

05/02/2022, 3:28 PM
I think that the combination of `Accept: application/json` and removing the `Accept-Encoding` header could help you.

careful-engineer-44837

05/02/2022, 3:29 PM
You mean I should change these headers in the Nginx configuration?

damp-sunset-69236

05/02/2022, 5:02 PM
After hours of debugging: there's a way to override request headers proxied by Oathkeeper by setting `additional_headers`:
cookie_session:
    enabled: true
    config:
      check_session_url: http://host.docker.internal:4000/.ory/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      additional_headers:
        accept: application/json # that would override accept header and disable gzip compression