How to forward authenticator's identity to upstream

This is config.yaml:

serve:
 proxy:
   port: 4455 # run the proxy at port 4455
 api:
   port: 4456 # run the api at port 4456

access_rules:
 repositories:
   - file:///app/config/rules/rules.json

authenticators:
 noop:
   enabled: true

 cookie_session:
   enabled: true
   config:
     check_session_url: http://kratos-public.mysite.com/sessions/whoami
     preserve_path: true
     extra_from: "@this"
     subject_from: "identity.id"
     only:
       - ory_kratos_session

       
authorizers:
 allow:
   enabled: true
  
 deny:
   enabled: true
   
mutators:
 noop:
   enabled: true

 header:
   enabled: true
   config:
     headers:
       X-User: '{{ print .Subject }}'    

errors:
 fallback:
   - json
 handlers:
   json:
     enabled: true
     config:
       verbose: true
   redirect:
     enabled: true
     config:
       to: https://www.ory.sh/docs

This is rules.json:

[
    {
        "id": "rule-1",
        "version": "",
        "description": "",
        "match": {
            "methods": [
                "POST",
                "GET",
                "DELETE",
                "PUT",
                "PATCH"
            ],
            "url": "http://oathkeeper-proxy.mysite.com/kernel/<.*>"
        },
        "authenticators": [
            {
                "handler": "cookie_session",
                "config": null
            }
        ],
        "authorizer": {
            "handler": "allow",
            "config": null
        },
        "mutators": [
            {
                "handler": "header",
                "config": null
            }
        ],
        "errors": null,
        "upstream": {
            "preserve_host": false,
            "strip_path": "/kernel",
            "url": "http://business.mysite.com"
        }
    }
]

I use the cookie_session authenticator. I need to forward the identity to the upstream URL once the request has passed inspection by the Kratos server.
How do I change the configuration?
Thanks.
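
Added example (not part of the original posts, and not Oathkeeper's own code): a Go simulation of what the configuration above asks for, taking the subject from `identity.id`, keeping the whole whoami body as extra (`extra_from: "@this"`), and rendering a header-mutator template such as the one for `X-User`. The whoami body, the `traits.email` field used in the test, and the names `Session`, `sessionFromWhoami` and `renderHeader` are assumptions made for illustration; `missingkey=error` is this example's choice so that an absent field fails instead of being forwarded.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Session holds the two values the header templates on this page can reference.
type Session struct {
	Subject string
	Extra   map[string]interface{}
}

// whoami is a constructed sample of a Kratos /sessions/whoami response body.
const whoami = `{"id":"sess-1","active":true,"identity":{"id":"9f1c-example","traits":{"email":"alice@example.test"}}}`

// sessionFromWhoami mimics subject_from "identity.id" and extra_from "@this".
func sessionFromWhoami(body string) (Session, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal([]byte(body), &doc); err != nil {
		return Session{}, err
	}
	identity, _ := doc["identity"].(map[string]interface{})
	id, _ := identity["id"].(string)
	if id == "" {
		return Session{}, fmt.Errorf("identity.id missing from whoami response")
	}
	return Session{Subject: id, Extra: doc}, nil
}

// renderHeader evaluates one header template, failing on absent fields.
func renderHeader(tpl string, s Session) (string, error) {
	t, err := template.New("header").Option("missingkey=error").Parse(tpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	s, _ := sessionFromWhoami(whoami)
	fmt.Println(renderHeader("{{ print .Subject }}", s)) // value sent as X-User
}
```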

Hey there, unfortunately the error stuff is pretty difficult to configure. We hope to improve this with the refactoring of ORY Oathkeeper. Here is a config we have used to do this - maybe it can help you figure this out:

oathkeeper:
  config:

    errors:
      fallback:
        - json

      handlers:
        redirect:
          enabled: true
          config:
            to: http://127.0.0.1:4455/auth/login
            when:
              -
                error:
                  - unauthorized
                  - forbidden
                request:
                  header:
                    accept:
                      - text/html
        json:
          enabled: true
          config:
            verbose: true

Why is the error section configured? I am confused.

Hm, could you explain what you are confused about? I don’t understand.