# talk-oathkeeper

happy-morning-85531

03/03/2022, 10:22 AM
Follow up question, what's the reason if the `id_token` mutator doesn't change the header?
Ping, anyone know why it's not changing the auth header and not seeing any errors in logs 😕

damp-sunset-69236

03/03/2022, 2:43 PM
Do you follow this guide?

happy-morning-85531

03/03/2022, 2:44 PM
Well, I'm not using Kratos, I'm using Hydra together with the OAuth2 flows

damp-sunset-69236

03/03/2022, 2:47 PM
I want to write an example of configuring Hydra+Oathkeeper guide but I’m not good at Hydra. Usually it depends on your `access-rules.yml` configuration.
The guide with Kratos can be a good example for you to configure it with Hydra.

happy-morning-85531

03/03/2022, 2:48 PM
I mean I got the authenticator handlers to work together with Hydra, now it's just the id_token mutator that's not working

damp-sunset-69236

03/03/2022, 2:49 PM
Could you share a configuration for `access-rules.yml`? Maybe I can help you there

happy-morning-85531

03/03/2022, 2:49 PM
```json
[{
  "id": "general",
  "match": {
    "url": "https://<.*>.company.com<.*>",
    "methods": [
      "GET", "POST", "PUT", "DELETE", "PATCH", "HEAD"
    ]
  },
  "authenticators": [{
    "handler": "oauth2_client_credentials"
  },
  {
    "handler": "oauth2_introspection"
  }],
  "authorizer": {
    "handler": "allow"
  },
  "mutators": [{
    "handler": "id_token"
  }]
}]
```
this is json but should be the same
oh i guess you mean this as well
```yaml
authenticators:
  oauth2_client_credentials:
    enabled: true
    config:
      token_url: http://hydra-public:4444/oauth2/token
  oauth2_introspection:
    enabled: true
    config:
      cache:
        enabled: true
        ttl: 5s
      introspection_url: http://hydra-admin:4445/oauth2/introspect
      introspection_request_headers:
        x-forwarded-proto: https
authorizers:
  allow:
    enabled: true
mutators:
  noop:
    enabled: false
  id_token:
    enabled: true
    config:
      issuer_url: "http://hydra-public:4444"
      jwks_url: "http://hydra-admin:4445/keys/hydra.openid.id-token"
      ttl: 60s
      claims: |
        {
          "session": {{ .Extra | toJson }}
        }
```

damp-sunset-69236

03/03/2022, 2:57 PM
Could you please send the `access-rules:` section from your oathkeeper.yml?

happy-morning-85531

03/03/2022, 2:59 PM
so I'm using the Helm chart to deploy things and it's configured to just load in the JSON above, which is mounted as a file using a configmap
```yaml
access_rules:
  repositories:
    - file:///etc/rules/access-rules.json
```

damp-sunset-69236

03/03/2022, 3:05 PM
Looks good. Try to configure error handlers https://www.ory.sh/docs/oathkeeper/pipeline/error Maybe that can give a clue for you

happy-morning-85531

03/03/2022, 3:11 PM
but the request is not failing, it's returning 200 OK and forwarding to the recipient server
I'm using `httpbin` which has a bunch of endpoints, one is /headers which just returns all headers that it received in the request. It's here that I see that the mutator hasn't changed the header, instead the original headers are just forwarded
I'm also having a look here https://github.com/ory/oathkeeper/blob/master/pipeline/mutate/mutator_id_token.go but I don't see where it can just not mutate the header without error
update: just an FYI, it was working, it was Istio configuration that prevented the request from being modified so it forwarded the original request even though Oathkeeper was doing the substitution 🙂

damp-sunset-69236

03/04/2022, 7:45 AM
Ah. Thanks for the update.