Revoking a jwt issued from kratos and rejecting at oathkeeper

It’s entirely possible that I’m missing something relatively simple here, but I can’t seem to find an answer to this:

How would I go about having oathkeeper respect the revocation of a session?

My understanding from my research so far is:

  • Upon performing some actions (such as initiating a user settings flow), kratos would check if the session had been deleted (from the session persister).
  • On all actions that do not require hitting kratos, oathkeeper will simply validate that the session has not yet expired, then allow the user to pass through.
  • I understand that JWTs are secure to allow through if they haven’t yet expired, but I could imagine situations where we would want to blacklist a single token and have it immediately revoked.
  • This problem has been somewhat detailed here, but that was related to using hydra only (the issue about revocation)

So my question is in two parts:

  • Is what I’ve outlined above correct?
  • Would it be in line with the goals of the project to open a PR that adds “online” token checks to oathkeeper?
    • i.e. every time we get a token, check with kratos, possibly using the whoami kratos endpoint (can’t link to it due to new user restrictions)

Question above aside, I did want to drop a note saying thanks for all your work on these projects! I’ve only been able to arrive at this question because all the documentation and code has been quite easy to work with.

I’ve done a bit more research on this topic, and it seems that the cookie authentication supports what I’m after here. From the gatekeeper example:

  cookie_session:
    enabled: true
    config:
      check_session_url: http://kratos:4433/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session

I was mistaken in my original understanding that kratos issued JWTs. From reading the code and docs further, it’s clear that kratos issues a normal gorilla cookie that is then checked against the database, so the kratos-specific part of this question is invalid.

I believe my question is still valid for the jwt authenticator though. In the case that the jwt does not fit in cookies, or cannot be sent through cookies for some reason, it seems there is not a supported way to do an online check. I realize doing an online check removes some of the advantages of using JWTs, but at the moment oathkeeper does not seem to support any sort of blacklist functionality, which would be useful for revocation.

My flawed understanding of kratos has made this question a bit hard to word, so I’m going to mark this response as the answer and reopen a better worded question.

Edit: opened a feature request here
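The distinction the thread turns on (a stateless JWT check that only verifies signature and expiry, versus an "online" check that also consults server-side state such as a session store or a revocation list) is illustrated below with an added example. This is not Ory code and does not reflect how Oathkeeper's jwt authenticator is implemented; it assumes a toy HS256 JWT built with the standard library, a `jti` claim as the token identifier, and an in-memory denylist standing in for whatever shared store a real deployment would use. It covers both the "online token check" idea from the question and the blacklist gap described in the follow-up.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT (toy issuer; assumption, not Kratos)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_offline(token: str, key: bytes, now=None):
    """Stateless check: signature and expiry only.

    This is all a pure JWT check can do: a token that was revoked after
    issuance still passes until `exp` is reached. Returns the claims on
    success, None on any failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header's choice
        return None
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


class RevocationList:
    """In-memory denylist keyed by `jti` (constructed stand-in for a shared store).

    Each entry remembers the token's `exp` so the list can be pruned: once a
    token has expired, the offline check rejects it anyway and the entry is
    no longer needed.
    """

    def __init__(self):
        self._revoked = {}

    def revoke(self, jti: str, exp: float) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def prune(self, now: float) -> int:
        stale = [jti for jti, exp in self._revoked.items() if exp <= now]
        for jti in stale:
            del self._revoked[jti]
        return len(stale)


def verify_online(token: str, key: bytes, revoked: RevocationList, now=None):
    """Offline check plus a lookup against server-side state.

    Tokens without a `jti` are rejected because they cannot be revoked
    individually, which is the property this check exists to provide.
    """
    claims = verify_offline(token, key, now)
    if claims is None:
        return None
    jti = claims.get("jti")
    if not isinstance(jti, str) or revoked.is_revoked(jti):
        return None
    return claims


if __name__ == "__main__":
    key = b"constructed-demo-key"
    now = 1_700_000_000
    tok = issue_jwt({"sub": "user-1", "jti": "t-1", "exp": now + 3600}, key)
    deny = RevocationList()
    print("before revoke:", verify_offline(tok, key, now) is not None, verify_online(tok, key, deny, now) is not None)
    deny.revoke("t-1", now + 3600)
    print("after revoke: ", verify_offline(tok, key, now) is not None, verify_online(tok, key, deny, now) is not None)
```

The offline verifier keeps accepting the token after revocation; only the online variant rejects it. The cost is exactly what the follow-up notes: every request now touches shared state, which is the trade-off the cookie_session authenticator's `check_session_url` already makes against Kratos.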