How can I generate JWT from Kratos session to auth...
# talk-oathkeeper
s
How can I generate JWT from Kratos session to authenticate via Ory Oathkeeper? I saw a
> Ory Oathkeeper is an API Gateway capable of converting sessions to JWTs.
this sentence in the Kratos docs but didn't find any clue for it.
l
s
Is this a valid use case if I would like to give users the ability to generate JWT tokens for themselves?
l
I don't think so, because this is a mutator at the gateway level, which will alter the headers of the incoming request before sending it to the upstream; the users have no power at this moment in the request life
s
Hmmmm...
We implemented Kratos in our SaaS application, but we would like to add a feature, where users can generate access tokens (like GitHub) to call our API Gateway. What would be a good choice for us? I'm a little confused in the Ory ecosystem right now 😄
l
In this case I would handle the creation part of the access tokens in your system as you want, and in Oathkeeper I would use https://www.ory.sh/docs/oathkeeper/pipeline/authz#remote that will check your internal API to check/validate the access tokens.
s
But for authorizing users, we can use Kratos, am I right?
l
Authorization is not the same as authentication. Kratos is an IdP and its purpose is to authenticate the users; the Oathkeeper gateway can authorize users' access to an endpoint based on the configuration for this endpoint.
s
Okay, I have a few more questions, but first I'll dig deeper into the docs. Thanks Dejan anyway!
m
Hey Levi, I think we do not have a great solution for something like API keys (yet). That being said we are working on something that solves this, will most likely take a more concrete form by Q2 this year.
s
Thanks @magnificent-energy-493, I will try something else then.
b
@magnificent-energy-493 is this the GitHub ticket to track relating to API tokens? I have a cross-domain API I need to communicate with from client to server, and provisioning a JWT based off the cookie session would be ideal! https://github.com/ory/kratos/issues/2487
m
> provisioning a jwt based off the cookie session
Yeah, it's for this, not sure if that is the best mechanism to implement API tokens. Currently you can use Ory Oathkeeper to do exactly this btw, with a mutator.
b
Yes, but correct me if I’m wrong… it’s only useful for same-domain requests. I have a cross-domain request to my Oathkeeper proxy, and since it’s not on the same domain, the session cookie isn’t sent, therefore I cannot use Oathkeeper to validate the session and create a JWT for me based off the session 😕