Oathkeeper Authorizer keto_engine_acp_ory - how to populate subject field from value in JWT Bearer token?

Hi everyone,

I am working on a PoC of Keto and Oathkeeper for our solution, initially thought we would do a direct integration with Keto but the Oathkeeper API access rules would really simplify our integration so I am trying to figure them out.

We already have an authentication solution in place: Cognito with Apigee gateway performing token verification.

Using a proxy configuration for Oathkeeper, I am trying to create an authorizer rule which will only allow the requestor access to the mockservice API based on the ladon policy I have configured in Keto. I am able to get this flow to work if I use a static value subject that is hardcoded into the rule. However, what I want to do is have the subject value populated by the email value from the Bearer token passed by the requestor.

[{
  "id": "keto-api-health",
  "upstream": {
    "url": "http://keto:4466",
    "preserve_host": true,
    "strip_path": "/pd/ssup/accesspolicy/v1"
  },
  "match": {
    "url": "http://localhost:4455/pd/ssup/accesspolicy/v1/health/<.*>",
    "methods": [
      "GET"
    ]
  },
  "authenticators": [{
    "handler": "noop"
  }],
  "authorizer": { "handler": "allow" },
  "mutators": [{ "handler": "noop" }]
},
{
  "id": "mockservice-api-getpets",
  "upstream": {
    "url": "http://mock-service:4010",
    "preserve_host": true,
    "strip_path": "/mockservice/v1"
  },
  "match": {
    "url": "http://localhost:4455/mockservice/v1/pets/<.*>",
    "methods": [
      "GET"
    ]
  },
  "authenticators": [{
    "handler": "noop"
  }],
  "authorizer": {
    "handler": "keto_engine_acp_ory",
    "config": {
      "required_action": "get",
      "required_resource": "mockservice:pets",
      "subject": "{{ .Extra.email }}",
      "flavor": "regex"
    }
  },
  "mutators": [{ "handler": "noop" }]
}
]

As my gateway is already performing verification on the JWT bearer token, I just want to read a value from it (email).

In the Oathkeeper documentation, the anonymous handler is used in the rule configuration:

However, when I test this using a Cognito provided id token in my request I get this error from Oathkeeper:

Access request denied" error="Access credentials are invalid"

Am I missing a step here?

In case this helps someone, I was able to get this working using this authorizer configuration in my rule:

  "authenticators": [{
    "handler": "jwt",
    "config": {
      "jwks_urls": [
        "file://jwks.json"
      ]
    }
  }],

The content of jwks.json is the public key, which is available via this URL for Cognito:

https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json

That works if I want the email address for my subject, however I actually want to use a different field from the JWT which is:

custom:Group

Rule config:

"subject": "{{ .Extra.custom:Group }}",

but I get an error from Oathkeeper when I try using that field. Does anyone have any ideas on that?

It’s a syntax error, try : is not supported as a literal

I believe you’re looking for index .Extra "custom:Group"

https://gowebexamples.com/templates/
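To make the template behaviour discussed in this thread concrete, here is a small Go program that renders the three "subject" templates from the posts above against a constructed session. It is added example code for this thread, not code from Oathkeeper or from any of the posters; the `AuthenticationSession` struct is a stand-in for the object Oathkeeper passes to its rule templates, and the `email` and `custom:Group` values are made up. Oathkeeper's rule templates use Go's `text/template`, so the same parser is used here.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// AuthenticationSession is a stand-in (defined for this example only) for the
// object Oathkeeper hands to rule templates: a Subject plus an Extra map that
// the jwt authenticator fills with the token's claims.
type AuthenticationSession struct {
	Subject string
	Extra   map[string]interface{}
}

// RenderSubject parses tmpl with text/template and executes it against the
// session. A template that cannot be parsed (e.g. one containing a bare ':')
// is reported as an error, and so is a template that resolves to nothing,
// because a subject such as "<no value>" must never be sent on to Keto.
func RenderSubject(tmpl string, session AuthenticationSession) (string, error) {
	t, err := template.New("subject").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("template parse failed: %w", err)
	}
	var out bytes.Buffer
	if err := t.Execute(&out, session); err != nil {
		return "", fmt.Errorf("template execution failed: %w", err)
	}
	s := out.String()
	// text/template prints placeholders for claims that are not present;
	// treat those (and an empty result) as "claim did not resolve".
	if s == "" || s == "<no value>" || s == "<nil>" {
		return "", fmt.Errorf("subject template %q resolved to no usable value", tmpl)
	}
	return s, nil
}

// sampleSession is a constructed example of what the jwt authenticator would
// populate from an ID token: a plain "email" claim and a "custom:Group" claim
// whose name contains a colon.
var sampleSession = AuthenticationSession{
	Subject: "user-123",
	Extra: map[string]interface{}{
		"email":        "alice@example.com",
		"custom:Group": "pet-admins",
	},
}

func main() {
	for _, tmpl := range []string{
		`{{ .Extra.email }}`,                // works: plain identifier
		`{{ .Extra.custom:Group }}`,         // parse error: ':' is not allowed here
		`{{ index .Extra "custom:Group" }}`, // works: key given as a string
		`{{ .Extra.missing }}`,              // claim absent: rejected, not "<no value>"
	} {
		s, err := RenderSubject(tmpl, sampleSession)
		if err != nil {
			fmt.Printf("%-36s -> ERROR: %v\n", tmpl, err)
			continue
		}
		fmt.Printf("%-36s -> %q\n", tmpl, s)
	}
}
```

Running it shows why `{{ .Extra.custom:Group }}` fails while `{{ index .Extra "custom:Group" }}` yields the group claim: the template lexer only accepts `:` as part of `:=`, so any claim name containing a colon has to be looked up with `index`. The final case is the check worth carrying into a real rule: if the claim a rule relies on is misspelled or absent, the template does not error by itself, so the resolved subject should be validated before it is used in an authorization decision.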