Oathkeeper example with Kratos API session_token

Is there any example yet on how to validate a user that is authenticating through the session_token provided by the Kratos API login flow?

As far as I can tell, just like the cookie_session authenticator, the Authorization: Bearer <session_token> should be forwarded to Kratos's /sessions/whoami endpoint. According to the docs there is no authenticator available yet to handle a bearer token by simply checking with an endpoint?

Can the oauth2_introspection perhaps be used to accomplish this? It's not an oauth2 flow, but as long as there is no issue with checking scopes, this might work? The extra_from and subject_from configuration options are missing though.

I’ve decided to submit a pull request for a new authenticator that works just like cookie_session but uses the Authorization: bearer <token> header:

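The check the post describes (forward the client's Authorization: Bearer header unchanged to Kratos's /sessions/whoami and take the subject and extra data from the session it returns), written out as an added Go example; it is not the pull request's code nor Oathkeeper's own, and it assumes the whoami response carries `active`, `identity.id` and `identity.traits`, with a constructed in-process stand-in for Kratos so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Subset of Kratos's /sessions/whoami JSON (assumed shape: active, identity.id, identity.traits).
type whoamiSession struct {
	Active   bool `json:"active"`
	Identity struct {
		ID     string                 `json:"id"`
		Traits map[string]interface{} `json:"traits"`
	} `json:"identity"`
}
// CheckBearerSession forwards the client's "Authorization: Bearer <session_token>" header unchanged
// to whoamiURL and returns subject (identity.id) and extra (traits); anything but a 200 with an
// active session is treated as unauthenticated, so unknown or expired tokens fail closed.
func CheckBearerSession(whoamiURL, authorization string) (string, map[string]interface{}, error) {
	if !strings.HasPrefix(strings.ToLower(authorization), "bearer ") { // scheme name is case-insensitive
		return "", nil, fmt.Errorf("no bearer token in Authorization header")
	}
	req, _ := http.NewRequest(http.MethodGet, whoamiURL, nil) // whoamiURL comes from trusted config
	req.Header.Set("Authorization", authorization)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // Kratos answers 401 for unknown or expired tokens
		return "", nil, fmt.Errorf("whoami returned %d", resp.StatusCode)
	}
	var s whoamiSession
	if err := json.NewDecoder(resp.Body).Decode(&s); err != nil || !s.Active || s.Identity.ID == "" {
		return "", nil, fmt.Errorf("no active session in whoami response")
	}
	return s.Identity.ID, s.Identity.Traits, nil
}

// NewFakeKratos is a constructed stand-in for Kratos that accepts exactly one session token.
func NewFakeKratos(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"id":"s1","active":true,"identity":{"id":"user-42","traits":{"email":"a@example.com"}}}`)
	}))
}
```

Call `CheckBearerSession(server.URL+"/sessions/whoami", r.Header.Get("Authorization"))` from the authenticator; the returned subject and traits map onto the same subject_from / extra_from roles the post asks about.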

Thanks for being so proactive and coming right out with a pull request, wezzle!

I am not qualified to comment on your work here, but I am sure hackerman will look over the pull request once he is free :wink: .