I am trying to implement the keto_engine_acp_ory authorizer, but somehow I seem to be unable to connect Oathkeeper with Keto. I can reach Keto directly via curl requests, and Oathkeeper is able to forward requests to Keto via the internal network as well (I just tested this to make sure I don't have problems with my network).

I suppose that I have some mistake in the configuration, and I have to admit that the docs are quite unclear to me, especially why I should specify required_action and required_resource both in access_rules.yml and oathkeeper.yml.
This is my configuration of Oathkeeper:
    authorizers:
      allow:
        enabled: true
      keto_engine_acp_ory:
        enabled: true
        config:
          base_url: http://ory-keto-example--keto:4466/
          flavor: exact
          required_action: read
          required_resource: example_resource
          subject: subject0
and this is my access rule:
    - id: "nuxt-app:protected"
      upstream:
        preserve_host: true
        url: "http://nuxt-app-1:3000"
      match:
        url: "http://127.0.0.1:4455/<{dashboard,settings}>"
        methods:
          - GET
          - POST
          - PUT
          - DELETE
          - PATCH
      authenticators:
        - handler: anonymous
      authorizer:
        handler: keto_engine_acp_ory
        config:
          subject: subject0
          required_action: read
          required_resource: example_resource
          flavor: exact
      mutators:
        - handler: id_token
      errors:
        - handler: redirect
          config:
            to: http://127.0.0.1:4455/
I get the following error:
oathkeeper_1 | [cors] 2020/08/12 08:55:20 Handler: Actual request
oathkeeper_1 | [cors] 2020/08/12 08:55:20 Actual request no headers added: missing origin
oathkeeper_1 | time=2020-08-12T08:55:20Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0] host:127.0.0.1:4455 method:GET path:/dashboard query:<nil> remote:172.24.0.1:54168 scheme:http]
oathkeeper_1 | time=2020-08-12T08:55:20Z level=warning msg=The authorization handler encountered an error audience=application authorization_handler=keto_engine_acp_ory error=map[debug: message:The matched handler uses Regexp MatchingStrategy which is not selected in the configuration reason: status:Internal Server Error status_code:500] granted=false http_host=127.0.0.1:4455 http_method=GET http_url=http://127.0.0.1:4455/dashboard http_user_agent=Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0 reason_id=authorization_handler_error rule_id=nuxt-app:protected service_name=ORY Oathkeeper service_version=v0.38.3-beta.1 subject=guest
oathkeeper_1 | time=2020-08-12T08:55:20Z level=warning msg=Access request denied audience=application error=map[debug: message:The matched handler uses Regexp MatchingStrategy which is not selected in the configuration reason: status:Internal Server Error status_code:500] granted=false http_host=127.0.0.1:4455 http_method=GET http_url=http://127.0.0.1:4455/dashboard http_user_agent=Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0 service_name=ORY Oathkeeper service_version=v0.38.3-beta.1
oathkeeper_1 | time=2020-08-12T08:55:20Z level=error msg=An error occurred while handling a request code=500 debug= details=map[] error=The matched handler uses Regexp MatchingStrategy which is not selected in the configuration reason= request-id= status=500 writer=JSON
oathkeeper_1 | time=2020-08-12T08:55:20Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0] host:127.0.0.1:4455 method:GET path:/dashboard query:<nil> remote:172.24.0.1:54168 scheme:http] http_response=map[status:500 text_status:Internal Server Error took:5.471121ms]
I don't really know why it complains about regex specifically, since the error occurs with any (false) base_url, so it seems that it is not able to connect to Keto at all.
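The following is an added, offline walk-through of the path the post is debugging: how an access rule under Oathkeeper's regexp matching strategy is matched, how the keto_engine_acp_ory authorizer's required_action, required_resource and subject settings become the body sent to Keto's /engines/acp/ory/{flavor}/allowed endpoint, and how Keto's exact flavor decides (default deny, a matching deny policy overrides any allow). It is not code from the post, from Oathkeeper or from Keto. The rule and policies are constructed: the match URL is rewritten in regexp syntax as <(dashboard|settings)>, the required_resource value "page:$1" and the page: prefix are hypothetical illustrations of referencing the first <...> capture group (the post uses the fixed string example_resource), and keto_exact_allowed is a local stand-in for Keto, not a client for it. The example goes beyond the post in two ways: it shows capture groups flowing into the resource name, and it checks the post's glob-style pattern <{dashboard,settings}> under regexp semantics, where the braces are literal characters rather than an alternation.

```python
import re
from typing import Dict, List, Optional

# Constructed access rule (not the post's file): same shape as the post's rule,
# but the match URL uses regexp syntax and required_resource references the
# first <...> capture group. Only the fields this walk-through needs are kept.
RULE: Dict = {
    "id": "nuxt-app:protected",
    "match": {
        "url": "http://127.0.0.1:4455/<(dashboard|settings)>",
        "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"],
    },
    "authorizer": {
        "handler": "keto_engine_acp_ory",
        "config": {
            "subject": "subject0",
            "required_action": "read",
            "required_resource": "page:$1",  # hypothetical: $1 = first <...> group
            "flavor": "exact",
        },
    },
}

# Constructed Keto ACP policies for the offline stand-in below: subject0 may
# read both pages, but a deny policy locks settings down regardless.
POLICIES: List[Dict] = [
    {"id": "subject0-reads-pages", "effect": "allow", "subjects": ["subject0"],
     "actions": ["read"], "resources": ["page:dashboard", "page:settings"]},
    {"id": "settings-locked-down", "effect": "deny", "subjects": ["subject0"],
     "actions": ["read"], "resources": ["page:settings"]},
]


def compile_match_url(pattern: str) -> "re.Pattern[str]":
    """Compile an Oathkeeper match URL under the regexp matching strategy.

    Text between '<' and '>' is a regular expression and becomes a capture
    group; everything outside the delimiters is matched literally.
    """
    parts, pos = [], 0
    for m in re.finditer(r"<([^>]*)>", pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        parts.append("(" + m.group(1) + ")")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def expand_groups(template: str, match: "re.Match[str]") -> str:
    """Replace $1, $2, ... in template with the corresponding capture groups."""
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), template)


def build_keto_request(rule: Dict, url: str, method: str,
                       session_subject: str) -> Optional[Dict]:
    """Return the body the authorizer would POST to Keto's
    /engines/acp/ory/{flavor}/allowed endpoint, or None if the rule does not match."""
    if method not in rule["match"]["methods"]:
        return None
    m = compile_match_url(rule["match"]["url"]).match(url)
    if m is None:
        return None
    cfg = rule["authorizer"]["config"]
    return {
        "flavor": cfg.get("flavor", "regex"),
        # Simplification: a configured subject overrides the session subject
        # (Oathkeeper renders the configured value as a template instead).
        "subject": cfg.get("subject") or session_subject,
        "action": expand_groups(cfg["required_action"], m),
        "resource": expand_groups(cfg["required_resource"], m),
        "context": {},
    }


def keto_exact_allowed(policies: List[Dict], req: Dict) -> bool:
    """Offline stand-in for Keto's exact-flavor decision: literal matching,
    default deny, and any matching deny policy overrides allows."""
    allowed = False
    for p in policies:
        if (req["subject"] in p["subjects"] and req["action"] in p["actions"]
                and req["resource"] in p["resources"]):
            if p["effect"] == "deny":
                return False
            allowed = True
    return allowed


def decide(rule: Dict, policies: List[Dict], url: str, method: str,
           session_subject: str = "guest") -> Dict:
    """Rule matching plus the Keto decision, as one access-control verdict."""
    req = build_keto_request(rule, url, method, session_subject)
    if req is None:
        return {"matched": False, "allowed": False}
    return {"matched": True, "allowed": keto_exact_allowed(policies, req), "request": req}


if __name__ == "__main__":
    for page in ("dashboard", "settings", "admin"):
        print(page, decide(RULE, POLICIES, f"http://127.0.0.1:4455/{page}", "GET"))
    # Under regexp semantics the post's glob-style pattern is literal text:
    glob_style = compile_match_url("http://127.0.0.1:4455/<{dashboard,settings}>")
    print("glob-style pattern matches /dashboard:",
          bool(glob_style.match("http://127.0.0.1:4455/dashboard")))
```

Running the block prints an allow for /dashboard, a deny for /settings (the deny policy wins) and no match for /admin, and reports that the glob-style pattern does not match /dashboard under regexp semantics, so the two matching strategies are not interchangeable and the one the authorizer expects has to be the one selected in oathkeeper.yml.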