Hi, quick question! Is `keto_engine_acp_ory` depri...
# talk-oathkeeper
l
Hi, quick question! Is `keto_engine_acp_ory` deprecated? Should we use `remote_json` for Ory Keto as well? Thank you
s
yeah it was for pre-zanzibar keto (pre v0.6)
`remote_json` should work, maybe you can share a small working example?
h
please share, I'm going to add authz using keto in the coming days and this would speed the progress up 👍
l
Oathkeeper config file (authorizer)
```yaml
...
authorizers:
  allow:
    enabled: true
  deny:
    enabled: true
  remote_json:
    enabled: true
    config:
      remote: ${KETO_URL}/check
      forward_response_headers_to_upstream: []
      payload: |
        {
          "subject": "{{ print .Subject }}"
        }
...
```
NOTE: I have the services deployed in a K8s cluster. `${KETO_URL}` must be the local address of Keto, inside the cluster. For some reason, the public address did not work in my case.
h
Thanks
l
One example of the rules I’m using. Note the comment I made on match.url. Of course, the payload strongly depends on the way you structure the relation tuples.
```
{
  "id": "unique_id",
  "match": {
    "url": "http://api.example.com/resource", // The protocol should be http in order to be matched, even though the endpoint has https.
    "methods": ["GET"]
  },
  "authenticators": [
    {
      "handler": "cookie_session"
    }
  ],
  "authorizer": {
    "handler": "remote_json",
    "config": {
      "remote": "${KETO_URL}/check",
      "payload": "{\"subject_id\": \"{{ print .Subject }}\", \"relation\": \"get\", \"object\": \"resource\"}"
    }
  },
  "mutators": [
    {
      "handler": "header"
    }
  ]
}
```