Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi everyone,
I don't know if it's a feature or a bug. But if your access rules allow POST/GET/PUT, the HTTP method you use will be forwarded to the authenticator. This is a problem for me because I've setup a bearer token authenticator under the route
`GET /api/1/users/jwt` which returns the `{subject: String, extra: {}}` as outlined in the docs

But when I fire a POST request to `localhost:4555/foo/bar` oathkeeper will make a call to `POST /api/1/users/jwt` to authenticate and my server will return 404.

Is the expectation that we need to support all HTTP methods for the authentication URL or is there a way to override the HTTP method used to authorize the request?

Hi <@U02DYBCMXA9>

Yes you are correct, this is a problem with Oathkeeper and has come up in the past - see this discussion <https://github.com/ory/oathkeeper/discussions/697>

Would you be up to create a PR for this?

<@U01MTU9E4CF> I'm not familiar with golang, but might be a good opportunity to learn it. Will give it a go

Thank you <@U02DYBCMXA9> :grin::ory_love: