Oathkeeper how to pass context to Keto

How do I pass context from Oathkeeper to Keto? I need to check if a subject is the owner of a resource.

I could check if the subject is an owner in my api code. However, I want to allow subjects that are part of the admin role to be able to do anything. I can’t figure out how to check in keto if a subject is part of the admin role without pulling all subjects a role contains /engines/acp/ory/{flavor}/roles/{id} (which seems unscalable and inefficient).

Ok, so here’s what I’m doing so far. Please let me know if there is a better approach.

I create an admin role that can access everything.

    "subjects": ["admin"],
    "resources": ["<.*>"],
    "effect": "allow",
    "actions": ["<.*>"]

In the api code I first check if the subject has access to the resource ‘any’ and the action ‘any’. If the subject does, I grant him access. If the subject does not, I check if the subject is the owner, in which case I grant him access.

The only danger with this approach, is that any subject with a resource ‘any’ and action ‘any’ will now be treated like an admin, even if they are not an admin.

I have a similar issue.
I simply want to check if the subject accessing the resource is its owner like
/someResource/{userId}} should only be accesible for {{userId}}.

I tried this with the subject condition
“description”: “One policy to rule them all.”,
“subjects”: [“users:maria”],
“actions”: [“delete”, “create”, “update”],
“effect”: “allow”,
“resources”: [“resources:articles:<.*>”],
“conditions”: {
“owner”: {
“type”: “EqualsSubjectCondition”,
“options”: {}

But for this to work I need to be able to construct an owner in oathkeeper and pass it in the context to keto. So far I didn’t find a solution for that. And seeing the code ref below makes me think it is not possible to define a context in oathkeeper

I too am having an issue with this. I can create a policy in Keto to require some context, and i can manually pass in a request via curl/postman with that context(example below)

“action”: “create”,
“resource”: “resources:test-resource”,
“subject”: “subjects:id-12345”,
“context”: {
“test”: “value”

This works fine, but i’m not able to build that context with oathkeeper in any way that i can see, and the request fails because of it.

Is there any way to pass in a context from oathkeeper currently? Or will there be in the future? This seems like a rather large part of using Oathkeeper to authorize that doesn’t work unless I’m missing how to pass the context somewhere.