# talk-oathkeeper
s
Hey team, has anyone here managed to integrate Oathkeeper, Kratos and Casbin? I’m looking for insights :)
f
I guess you need to write your own authorizer for this. https://www.ory.sh/docs/oathkeeper/pipeline/authz#remote
s
thank you, I’ll have a look. I was just wondering if someone already did it, so it could save me some time 🙂
w
Oathkeeper authorizers seem to be the missing link indeed.
s
Thank you all, I’ve managed to hit my API endpoint. Now another question 🙂 What’s the recommended way to forward the `ory_kratos_session`? I’ll use the session with the Casbin enforcer, to check if the user has the right permissions. I’ve tried forwarding the `Cookie` and also setting a cookie `mutator`, but none of that seems to work.
f
why do you need to forward the cookie at all?
s
I thought I needed that to fetch the user who is performing the request? So I can pass that to the Casbin enforcer… or there is another (better) way?
f
after Casbin authorizes the request you have the user context
which you can pass using the headers, for example, to your service
otherwise, if you pass the `ory_kratos_session` further to your service and then ask for user info from casbin/kratos ..
for me it looks like you touch casbin 2 times for the same info
why do you need a proxy then?
s
I’m not touching it two times. The flow is the following. I have a gRPC server with Oathkeeper middleware, which calls an authorization API (this is the part where I’m stuck right now); the authorization API calls Casbin. But from my understanding, I need to forward the cookie from the initial gRPC call to the authorization API, so I’m able to check if that specific user has the right permission for that request.
f
> Which calls an authorization api (this is the part where I’m stuck right now), the authorization api calls casbin.
this part is made via oathkeeper remote authorization, right?
s
Yes, that’s correct.
f
and you want to pass the `ory_kratos_session` cookie on this step to remote authz?
s
unless there’s another way, yes.
f
you should be able to get the Header object
```json
"authorizer": {
    "handler": "remote",
    "config": {
      "remote": "http://my-remote-authorizer/authorize",
      "headers": {
        "X-Subject": "{{ print .Subject }}"
      }
    }
}
```
```go
type Header map[string][]string
```
s
I have something similar, but when I check the headers in the forwarded API, it is empty:
```yaml
authorizer:
    handler: remote
    config:
      remote: http://127.0.0.1:8084/v1/authorize
      headers:
        Cookie: "{{ print .Subject }}"
```
```
ctx.Request.Cookies(): [anonymous=]
str:
```
f
your cookies are in Headers, not in the Subject
`"{{ .Header.Get \"cookie\" }}"`
s
ah, that I didn’t try, tried just `{{ print .Header }}`
lemme check
still no luck:
```yaml
authorizer:
    handler: remote
    config:
      remote: http://127.0.0.1:8084/v1/authorize
      headers:
        Cookie: '{{ .Header.Get "Cookie" }}'
```
```yaml
authorizers:
  remote:
    enabled: true
    config:
      remote: http://127.0.0.1:8084/v1/authorize
      headers:
        Cookie: '{{ .Header.Get "Cookie" }}'
```
And from the logs, I can see that the initial request contains the Cookie
tried with `print` and `MatchContext` as well
f
let me test it locally
so, for me Header is `nil`
but upstream gets all initial headers
what kind of authenticator do you use?
s
noop
f
it looks like the authenticator drops the headers and authorizers get nil
I can see that it is possible to pass headers in `cookie_session`
```yaml
authenticators:
  - handler: cookie_session
    config:
      check_session_url: https://session-store-host
      only:
        - sessionid
      forward_http_headers:
        - Connect
        - Authorization
        - Cookie
        - X-Forwarded-For
```
s
I tried that as well, but with that, I wasn’t able to call the authorize API, lemme check what the error was
f
the idea of the pipeline is that on the first step (authentication) you get a `Subject`
if the Subject is allowed it goes to authz
and you check permissions for this Subject
s
```
WARN[2023-02-27T16:15:00+01:00] No authentication handler was responsible for handling the authentication request  audience=application error=map[debug: message:Access credentials are invalid reason: status:Unauthorized status_code:401] granted=false http_host=127.0.0.1:4455 http_method=POST http_url=grpc://127.0.0.1:4455/club.v1.ClubService/CreateClub http_user_agent= reason_id=authentication_handler_no_match rule_id=ory:kratos:public service_name=Ory Oathkeeper Middleware service_version=master
WARN[2023-02-27T16:15:00+01:00] failed to handle request                      audience=application error=map[debug: message:Access credentials are invalid reason: status:Unauthorized status_code:401] http_request=map[headers:map[] host:127.0.0.1:4455 method:POST path:/club.v1.ClubService/CreateClub query:<nil> remote: scheme:http] middleware=oathkeeper service_name=Ory Oathkeeper Middleware service_version=master
```
btw this was the error I got when using the cookie_session
f
> No authentication handler was responsible for handling the
it looks like the answer
does it come from `noop`?
s
not sure, I’m a bit lost already tbh 😄
f
😁
s
when I add the cookie_session authenticator, the http url looks wrong:
`http_url=grpc://http:%2F%2F127.0.0.1:4455/club.v1.ClubService/CreateClub`
f
I can’t say anything here about grpc (
s
what I mean is that there are both schemes in the url 😄
both grpc and http
f
🙂
s
but thanks a lot @faint-insurance-61054 I’ll keep trying 😄