# talk-oathkeeper
c
Is it possible to have an optional mutator in an access rule? Use case is that I have a service (Hasura) that can both be accessed with and without an authenticated session. I have an `id_token` mutator that should run if the request is authenticated, but should just be ignored if not. I could split it into a public and a protected endpoint (e.g. `/.hasura/public` and `/.hasura/protected`), but I'd like to avoid having to determine the auth state on the clients, since the upstream URL is the same anyway. The functionality I'm looking for would be something like

```yaml
mutators:
    - handler: id_token
      when: authenticated # run this only when it's an authenticated request
```
t
How do you know if it's supposed to be an authenticated request but they just didn't supply credentials?
We’re kind of running into the same issue with GraphQL, since we can't tell immediately if the query requires auth or not.
c
I don't really know, but the Hasura server handles authorization/permissions, so I don't need to know in advance.
t
Sounds like you could forward all requests directly to Hasura and skip Oathkeeper then, no?
c
Almost, but I need Oathkeeper to transform the cookie session into a JWT.
m
Hey, cool to see more Hasura users in here! We are currently starting to work on a simple integration with Ory Kratos + Hasura. I think we can add Oathkeeper et al to the mix after that as well.
👍 2