Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I'm trying to use either the `remote` or `remote_json` authorizer together with Open Policy Agent decisions. But I fail to either make <#C01340V8KSM|oathkeeper> treat an empty response as a `forbidden` decision or make OPA convert an empty response into a 403 status code. Any solution or work around to that?

I'm doing the same thing (using OPA). The workaround I had for several things is to create an endpoint on my backend which normalizes responses to what Oathkeeper needs, and configuring the remote json authorizer to point there instead of directly at OPA.

It'll be nice once they support OPA directly.