Have I misunderstood?

I think I’d like to use Oathkeeper as a forwardauth handler to Traefik 2.x. I’d like to either accept externally minted JWTs (from HashiCorp Vault) or humans. If it’s a human (i.e., there are no creds), they need to be auth’d via Okta. In both cases I’d like to mint fresh JWTs and have that injected into the headers to the forwarded request.

It looks like Oathkeeper is what I want, but I’ll be honest with you, I only get about knee-deep into OAuth2 on a good day; I’m in a maze of URLs and client keys - all similar.

The Traefik integration I can handle, but right now I’m trying to extend the hello world example so it uses oauth2_introspection - and I’d like it if there’s neither a JWT nor OAuth creds, that the request is redirected to Okta to be authenticated.

Is Oathkeeper what I’m looking for? There’s almost no integration documentation, so I’m wondering if I’ve gone down the wrong path?

James

Yeah, looks like Oathkeeper can help - especially wrt JWT. One question is if you want Oathkeeper to also handle the OAuth2 login flow - if that’s the case then that’s not something you can do with Oathkeeper. But maybe you can combine https://github.com/pomerium/pomerium with Oathkeeper to achieve both!