Hi,
I’m trying to run a simple test with oathkeeper and envoy, using external authorization, but I can’t succeed, nor can I find any example. At the moment I’m trying to authorize anonymously (I’m trying to get the most basic setup running).
I already have envoy sending requests to oathkeeper for external authorization, but oathkeeper is always returning [404 Not Found]. If I use curl directly against the oathkeeper server like this: curl -v http://127.0.0.1:4456/decisions/prisma/auth
I get a [202 OK] response.
Sample oathkeeper output when accessing through envoy:
time=2020-10-17T17:39:18Z level=info msg=completed handling request http_request=map[headers:map[x-forwarded-for:172.18.0.7] host:127.0.0.1:9090 method:GET path:/prisma/auth/ query:<nil> remote:172.18.0.1:54880 scheme:http] http_response=map[status:404 text_status:Not Found took:443.545µs]
Sample oathkeeper output when directly using curl:
time=2020-10-17T18:03:24Z level=info msg=completed handling request http_request=map[headers:map[accept:*/* user-agent:curl/7.72.0] host:127.0.0.1:4456 method:GET path:/prisma/auth query:<nil> remote:172.18.0.1:55384 scheme:http] http_response=map[status:200 text_status:OK took:253.227µs]
Right now, they are running as separate docker-compose containers (this is why I use 172.17.0.1).
I’m really stuck and I can’t find any example, tutorial, or similar showing how it’s done, so any help will be really appreciated.
My envoy.yaml config:
```yaml
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address: { address: 0.0.0.0, port_value: 9901 }
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 9090 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: selfservice-ui
          http_filters:
          - name: envoy.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              http_service:
                path_prefix: "/decisions/prisma/auth"
                server_uri:
                  uri: http://172.17.0.1:4456
                  cluster: ext-authz
                  timeout: 0.25s
              include_peer_certificate: true
          - name: envoy.filters.http.router
  clusters:
  - name: selfservice-ui
    connect_timeout: 0.25s
    type: logical_dns
    lb_policy: round_robin
    load_assignment:
      cluster_name: selfservice-ui
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 172.17.0.1
                port_value: 4435
  - name: ext-authz
    connect_timeout: 0.25s
    type: logical_dns
    lb_policy: round_robin
    load_assignment:
      cluster_name: ext-authz
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 172.17.0.1
                port_value: 4456
```
My access-rules.yml:
```yaml
-
  id: "ory:kratos-selfservice-ui-node:selfservice-ui"
  match:
    url: "http://127.0.0.1:4456/prisma/auth"
    methods:
      - GET
  authenticators:
    -
      handler: anonymous
  authorizer:
    handler: allow
  mutators:
    -
      handler: noop
```
I also tried matching port 9090:
```yaml
-
  id: "ory:kratos-selfservice-ui-node:selfservice-ui"
  match:
    url: "http://127.0.0.1:9090/prisma/auth"
    methods:
      - GET
  authenticators:
    -
      handler: anonymous
  authorizer:
    handler: allow
  mutators:
    -
      handler: noop
```
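The two log lines in the post differ in exactly the fields Oathkeeper's decision API uses to pick a rule: via envoy the request arrives with host 127.0.0.1:9090 and path /prisma/auth/ (trailing slash), via curl with host 127.0.0.1:4456 and path /prisma/auth. The following is an added example, written for this page and not code from the original post, Oathkeeper or Envoy. It models the two things that explain the 404 and lets you replay both logged requests against the posted rules. Assumptions, stated as such: Envoy's `http_service.path_prefix` is prepended to the original request path and the original Host header is forwarded (consistent with the logged host:127.0.0.1:9090); Oathkeeper rebuilds the URL it matches as scheme (X-Forwarded-Proto, default http) + Host + the path after /decisions; a rule URL is literal text outside `<...>` and a regular expression inside, anchored at both ends; zero matching rules yields 404 and more than one yields 500. The rule ids, the headers, and the trailing-slash-tolerant pattern `</?>` are constructed for the example.

```python
import re

DECISIONS_PREFIX = "/decisions"

# Constructed: the two rules from the post, given distinct ids so matches are readable.
RULES_AS_POSTED = [
    {"id": "rule-4456", "url": "http://127.0.0.1:4456/prisma/auth", "methods": ["GET"]},
    {"id": "rule-9090", "url": "http://127.0.0.1:9090/prisma/auth", "methods": ["GET"]},
]

# Constructed: a rule whose URL tolerates an optional trailing slash via a <regex> segment.
# Keep the regex as narrow as this; a catch-all like <.*> would grant "allow" to every path.
RULE_9090_OPTIONAL_SLASH = {
    "id": "rule-9090-slash",
    "url": "http://127.0.0.1:9090/prisma/auth</?>",
    "methods": ["GET"],
}


def compile_match_url(pattern: str) -> re.Pattern:
    """Assumed Oathkeeper semantics: literal outside <...>, regex inside, anchored ^...$."""
    parts, pos = [], 0
    for m in re.finditer(r"<([^>]*)>", pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        parts.append("(" + m.group(1) + ")")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def envoy_ext_authz_path(path_prefix: str, original_path: str) -> str:
    """Assumed ext_authz http_service behaviour: path_prefix + original request path."""
    return path_prefix + original_path


def decision_url(request_path: str, headers: dict) -> str:
    """URL Oathkeeper evaluates for GET /decisions/<path> (header names lower-cased)."""
    if not request_path.startswith(DECISIONS_PREFIX):
        raise ValueError("not a decision API request: " + request_path)
    path = request_path[len(DECISIONS_PREFIX):] or "/"
    scheme = headers.get("x-forwarded-proto", "http")
    return f"{scheme}://{headers['host']}{path}"


def decide(method: str, request_path: str, headers: dict, rules):
    """Return (status, evaluated_url, matched_rule_id_or_ids) the way the decision API would."""
    url = decision_url(request_path, headers)
    hits = [r for r in rules
            if method in r["methods"] and compile_match_url(r["url"]).match(url)]
    if not hits:
        return 404, url, None            # no rule: fail closed, exactly what the post sees
    if len(hits) > 1:
        return 500, url, [r["id"] for r in hits]   # ambiguous: also a deny
    return 200, url, hits[0]["id"]


if __name__ == "__main__":
    # 1) The curl request from the post: matches rule-4456.
    print(decide("GET", "/decisions/prisma/auth", {"host": "127.0.0.1:4456"}, RULES_AS_POSTED))
    # 2) The request envoy sends for "GET /" on :9090: path gains a trailing slash, no rule matches.
    envoy_path = envoy_ext_authz_path("/decisions/prisma/auth", "/")
    envoy_headers = {"host": "127.0.0.1:9090", "x-forwarded-for": "172.18.0.7"}  # constructed
    print(decide("GET", envoy_path, envoy_headers, RULES_AS_POSTED))
    # 3) Same request with the slash-tolerant rule added: allowed.
    print(decide("GET", envoy_path, envoy_headers, RULES_AS_POSTED + [RULE_9090_OPTIONAL_SLASH]))
    # 4) Overlapping rules: /prisma/auth on :9090 now matches two rules, which is also an error.
    print(decide("GET", "/decisions/prisma/auth", envoy_headers, RULES_AS_POSTED + [RULE_9090_OPTIONAL_SLASH]))
```

The practical check is case 2: compute the URL Oathkeeper will actually see (scheme, Host as forwarded by the proxy, path after the prefix, trailing slash included) and compare it character for character with `match.url`. Case 4 is the trap on the other side: once you widen a rule, make sure it does not overlap an existing one, because Oathkeeper refuses ambiguous matches rather than picking one.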