I am using ORY Oathkeeper as a reverse proxy and ORY Kratos for user authentication. These are running in Docker, along with an Angular application as the front-end. My application’s API server is running locally. I am trying to set up some API Access Rules for this server.
I have successfully integrated Kratos and have user registration and login/logout working well. However, when I use the cookie_session authenticator on an Oathkeeper rule, I keep getting “Access credentials are invalid.” I expect that I am missing a step in the process, but I can’t see where it is.
All requests are being sent with withCredentials: true.
Oathkeeper config.yaml

    serve:
      proxy:
        port: 4455
        tls:
          key:
            path: /certs/myapp.com-key.pem
          cert:
            path: /certs/myapp.com.pem
        cors:
          enabled: true
          allowed_origins:
            - "https://*myapp.com"
          allowed_methods:
            - PATCH
            - PUT
            - GET
            - POST
            - DELETE
          allowed_headers:
            - Authorization
            - Content-Type
          exposed_headers:
            - Content-Type
          allow_credentials: true
          max_age: 0
          debug: true
      api:
        port: 4456

    access_rules:
      repositories:
        - file:///config/rules.json

    errors:
      fallback:
        - json
      handlers:
        json:
          enabled: true
          config:
            verbose: true
        redirect:
          enabled: true
          config:
            to: https://www.ory.sh/docs

    mutators:
      header:
        enabled: true
        config:
          headers:
            X-User: "{{ print .Subject }}"
      noop:
        enabled: true

    authorizers:
      allow:
        enabled: true
      deny:
        enabled: true

    authenticators:
      noop:
        enabled: true
      anonymous:
        enabled: true
        config:
          subject: guest
      cookie_session:
        enabled: true
        config:
          check_session_url: http://kratos:4433/sessions/whoami
          # true keeps the /sessions/whoami path of check_session_url;
          # false would replace it with the path of the proxied request
          preserve_path: true
          extra_from: "@this"
          subject_from: "identity.id"
          # with `only` set, the authenticator declares itself not responsible
          # (reason_id authentication_handler_no_match) when none of the listed
          # cookies is present on the request that reaches Oathkeeper
          only:
            - ory_kratos_session
Oathkeeper rules.json (snippet)

    {
      "id": "allow-api",
      "version": "v0.36.0-beta.4",
      "upstream": {
        "url": "http://host.docker.internal:8080"
      },
      "match": {
        "url": "https://api.myapp.com/<.*>",
        "methods": [
          "GET",
          "POST",
          "PATCH",
          "PUT",
          "DELETE",
          "OPTIONS"
        ]
      },
      "authenticators": [
        {
          "handler": "cookie_session"
        }
      ],
      "authorizer": {
        "handler": "allow"
      },
      "mutators": [
        {
          "handler": "noop"
        }
      ]
    }
Docker logs:
myapp.com | [cors] 2020/08/26 21:08:02 Handler: Actual request
myapp.com | [cors] 2020/08/26 21:08:02 Actual response added headers: map[Access-Control-Allow-Credentials:[true] Access-Control-Allow-Origin:[https://myapp.com] Access-Control-Expose-Headers:[Content-Type] Vary:[Origin]]
myapp.com | time="2020-08-26T21:08:02Z" level=info msg="started handling request" method=GET remote="172.18.0.1:39040" request=/api/v1/ui/datasource/get-datasources/filesystem
myapp.com | time="2020-08-26T21:08:02Z" level=warning msg="No authentication handler was responsible for handling the authentication request" error="Access credentials are invalid" granted=false http_host=api.myapp.com http_method=GET http_url="https://api.myapp.com/api/v1/ui/datasource/get-datasources/filesystem" http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" reason_id=authentication_handler_no_match rule_id=allow-api
myapp.com | time="2020-08-26T21:08:02Z" level=warning msg="Access request denied" error="Access credentials are invalid" granted=false http_host=api.myapp.com http_method=GET http_url="https://api.myapp.com/api/v1/ui/datasource/get-datasources/filesystem" http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36"
myapp.com | time="2020-08-26T21:08:02Z" level=error msg="An error occurred while handling a request" code=401 debug= details="map[]" error="Access credentials are invalid" reason= request-id= status=401 writer=JSON
myapp.com | time="2020-08-26T21:08:02Z" level=info msg="completed handling request" measure#oathkeeper-proxy.latency=874300 method=GET remote="172.18.0.1:39040" request=/api/v1/ui/datasource/get-datasources/filesystem status=401 text_status=Unauthorized took="874.3µs"
Browser network log (requests made with the ory_kratos_session cookie):
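As an added illustration (not code from the question and not Oathkeeper's own implementation), the Python script below emulates the decision the cookie_session authenticator makes for the rule above, so the three outcomes a practitioner sees in the Oathkeeper log can be reproduced offline: the `only` gate stepping aside when the ory_kratos_session cookie never reaches the proxy (the `authentication_handler_no_match` reason in the log), the session store rejecting a bad session, and the effect of `preserve_path` on the whoami URL. The session store (`session_store`), the gjson-style lookup (`lookup`), the whoami response (`WHOAMI_OK`) and the cookie value "valid" are constructed stand-ins assumed for the example.

```python
"""Offline emulation of Oathkeeper's cookie_session authenticator decision.

Added example, not Oathkeeper code: the HTTP call to check_session_url is
replaced by the constructed `session_store`, and gjson by a dotted-path lookup.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed stand-in for a successful Kratos GET /sessions/whoami response.
WHOAMI_OK = {
    "id": "sess-0001",
    "active": True,
    "identity": {"id": "user-1234", "traits": {"email": "alice@myapp.com"}},
}

# reason_id that Oathkeeper logs when no authenticator on the rule is responsible.
NOT_RESPONSIBLE = "authentication_handler_no_match"


def lookup(doc, path):
    """Tiny subset of gjson: '@this' is the whole document, 'a.b' walks keys."""
    if path == "@this":
        return doc
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def session_store(cookie_header, check_session_url, preserve_path, request_path):
    """Constructed stand-in for the call to check_session_url.

    Oathkeeper forwards the incoming Cookie header; with preserve_path=false it
    also swaps the configured path for the proxied request's path. This store
    only answers at /sessions/whoami and only accepts ory_kratos_session=valid.
    """
    path = urlparse(check_session_url).path if preserve_path else request_path
    if path != "/sessions/whoami":
        return 404, None
    cookies = SimpleCookie(cookie_header)
    if "ory_kratos_session" in cookies and cookies["ory_kratos_session"].value == "valid":
        return 200, WHOAMI_OK
    return 401, None


def cookie_session_authenticate(cookie_header, config, request_path="/api/v1/ui/x"):
    """Return ("ok", subject, extra) or ("error", reason, None)."""
    cookies = SimpleCookie(cookie_header)
    only = config.get("only", [])
    # 1. `only` gate: with none of the listed cookies present the authenticator
    #    is not responsible; as the rule's sole authenticator that becomes a 401.
    if only and not any(name in cookies for name in only):
        return ("error", NOT_RESPONSIBLE, None)
    # 2. Forward the request to the session store.
    status, body = session_store(cookie_header, config["check_session_url"],
                                 config.get("preserve_path", False), request_path)
    if status != 200:
        return ("error", f"session_check_failed:{status}", None)
    # 3. Pull subject and extra out of the response as subject_from/extra_from ask.
    subject = lookup(body, config.get("subject_from", "subject"))
    if not subject:
        return ("error", "subject_missing", None)
    return ("ok", str(subject), lookup(body, config.get("extra_from", "extra")))


# The cookie_session config from the question's config.yaml.
RULE_CONFIG = {
    "check_session_url": "http://kratos:4433/sessions/whoami",
    "preserve_path": True,
    "extra_from": "@this",
    "subject_from": "identity.id",
    "only": ["ory_kratos_session"],
}

if __name__ == "__main__":
    # Cookie attached by the browser for api.myapp.com: authenticated as user-1234.
    print(cookie_session_authenticate("ory_kratos_session=valid; csrf=x", RULE_CONFIG))
    # withCredentials set, but no cookie scoped to this host: handler_no_match.
    print(cookie_session_authenticate("", RULE_CONFIG))
    # preserve_path left false: whoami path replaced by the API path, store 404s.
    print(cookie_session_authenticate("ory_kratos_session=valid",
                                      dict(RULE_CONFIG, preserve_path=False)))
```

The second call is the case in the log above: the request arrives without any cookie named in `only`, so the authenticator never contacts Kratos at all. Checking the request headers Oathkeeper actually receives (not the ones the browser shows for the origin page) is the first thing to verify.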