# talk-oathkeeper
m
Facing an issue: Using a `cookie_session` authenticator:
```yaml
cookie_session:
  enabled: true
  config:
    check_session_url: http://ory-kratos-public/sessions/whoami
    preserve_path: true
    preserve_query: true
    force_method: GET
    extra_from: "@this"
```
and a `remote_json` authorizer:
```yaml
remote_json:
  enabled: true
  config:
    remote: http://ory-keto-read/check
    forward_response_headers_to_upstream: []
    payload: |
      {
        "namespace": "access",
        "subject_id": "{{print .Extra.identity.traits.role }}"
        "relation": "{{ print .MatchContext.Method }}"
        "object": "{{ printIndex .MatchContext.RegexpCaptureGroups 2 }}:{{ printIndex .MatchContext.RegexpCaptureGroups 3 }}"
      }
```
Using the sample UI provided to work with Kratos for authentication.. I can log in successfully and in the same session I hit the URL I’ve configured in the access rules:
```yaml
accessRules: |
  [
    {
      "id": "allow-authenticated-with-kratos",
      "upstream": {
        "url": "https://httpbin.org/anything"
      },
      "match": {
        "url": "http://<[^/]+>/<devices>/<[[:digit:]]+>",
        "methods": [
          "GET",
          "POST",
          "PUT",
          "DELETE",
          "PATCH"
        ]
      },
      "authenticators": [{
        "handler": "cookie_session"
      }],
      "authorizer": {
        "handler": "remote_json"
      },
      "mutators": [{
        "handler": "noop"
      }]
    }
  ]
```
The proxy returns 500 and the logs are telling me this:
```
time=2022-07-13T18:25:26Z level=warning msg=Access request denied audience=application error=map[message:payload is not a JSON text: invalid character '"' after object key:value pair] granted=false http_host=oathkeeper.local.com http_method=GET http_url=http://oathkeeper.local.com/devices/1234 http_user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 service_name=ORY Oathkeeper service_version=v0.38.19-beta.1
```
if it helps, my identity schema contains a trait called “role” and the UI application also extracts and displays that information.
I wonder if there is a way for me to know what this yields when it is interpreted:
```yaml
extra_from: "@this"
```
my apologies.. this was caused by a poorly formatted YAML file
s
having the roles in the traits is not a good idea btw 😅 any user will be able to change their role through the self-service settings flow. consider instead using the identity id as the subject, and store the identity->role assignment in keto
alternatively you can use `metadata_public` and `metadata_admin` to store the role. both are not editable by the user, and `metadata_admin` is not even readable by the user
m
thanks for the suggestions..
makes perfect sense
might be worth mentioning that the idea to use traits for roles came from this example: https://github.com/ory/examples/tree/master/kratos-keto-oathkeeper-k8s
that may need to be corrected then
s
@magnificent-energy-493
Thanks, we will give it an update
m
I think updating it to use metadata would be easy, with the “store the identity->role assignment in keto” I would need some help 🙂 I’ll make a note to start this next week