Subject type of an OAuth token

ArthurKnoep · June 2, 2020, 1:11pm

Hi everyone,

In our stack we use hydra, oathkeeper and keto. I’ve configured oathkeeper to pass the subject of the request to our API and then I use it as the user ID in our services. This works well for the authorization code grant and the implicit grant but the problem is that now, I would like to implement the client credentials flow in our API. Obviously hydra already handles this mechanism but the problem I have is that the subject I get is now a client id (and not a user id).

So my question is, is there a way to know if a token represent a user or an application ?

If there is not, do you think that adding a field nammed subject_type in the introspection response would be a good idea ?

Thank you in advance for your answers

hackerman · June 2, 2020, 1:41pm

No there is not, I guess what you want is some type of Service Account or Account Impersonation feature?

ArthurKnoep · June 2, 2020, 2:19pm

We will probably do something like this in the end but for now I found that way too complicated for the size of our API.

I was planning to detect if the token represent an application (hence my question) and then use the owner of the application as the subject of the query.

hackerman · June 2, 2020, 2:31pm

Ok, I would however be very careful when implementing it like so, because the client does not usually act on the owner’s behalf but on it’s own! If you however have that in mind whenever you do implement this it should be ok.

ArthurKnoep · June 2, 2020, 3:28pm

As said our API is quite simple for the moment, I think it should be ok. We will implement a stronger mechanism (probably service account) later.

So since there is no way for determining the subject type of a token, do you think adding a subject_type in the introspection answer would be a good idea ?
If needed I could be up for developing the feature for hydra (and updating the authenticator in oathkeeper for storing the value in the session context)

Edit: Getting this value in the introspection (and consequently in oathkeeper) could be helpful to create special permissions with keto

hackerman · June 2, 2020, 8:48pm

That would be very uncommon and quite bespoke for your use case. Since you have access to the access token payload for regular users, why don’t you take the absence of a specific field as an indicator for what the token expresses in your system?

ArthurKnoep · June 3, 2020, 1:31pm

What do you mean by “access token payload” ? I’m not using jwt if this is what you are saying.

hackerman · June 3, 2020, 2:01pm

The stuff you set with session.access_token when accepting a consent request

ArthurKnoep · June 4, 2020, 1:20pm

Ok nice, I’m gonna try that

Thanks

mbalsam · June 10, 2020, 3:33pm

Can’t you simply check if client_id and sub claim are equal in the introspect response?

hackerman · June 9, 2020, 4:25pm

That could work also

ArthurKnoep · June 10, 2020, 3:33pm

In the end, that’s what I’ve done.
And for integrating everything correctly with oathkeeper I used an hydrator

tnm0113 · September 4, 2020, 4:52am

I dont get that, i think they always are equal, can u explain that case for me ? tks in advance

tnm0113 · September 4, 2020, 4:53am

so you used a hydrator to get user id and then check with keto ? i have same case with you

ArthurKnoep · September 4, 2020, 1:56pm

For any request my hydrator is called, then there are few different cases:
Either the subject is “anonymous”, in this case I just forward the request and set an extra variable to the subect
Either the subject is different from the client_id, in this case I also forward the request and set an extra variable to the current subject
Either the subject is equal to the client_id, in that case, I request hydra to return me the oauth client (using the client_id) and then I set the extra variable to the field “Owner” of the oauth client

After that, with oathkeeper, I use a header mutator to forward my extra variable to my micro-services

tnm0113 · September 7, 2020, 9:22am

tks for answering me, i have one more question, as i know hydrator hasnt been implemented, what’s version you use now ? i mean the one has hydrator step before authorization

ArthurKnoep · September 12, 2020, 6:26pm

Hi, sorry I did not see your reply

As far as I know we are using the latest version of keto and in the version we use the hydration is after the authentication

tnm0113 · September 17, 2020, 3:02am

can you give me version of oathkeeper which you used ? current release of oathkeeper doesnt have hydration between authentication and authorization

ArthurKnoep · September 17, 2020, 8:50am

My bad, I made a mistake. I was talking of oathkeeper in my previous message.

I finally achieved to find the version number: ORY Oathkeeper v0.38.3-beta.1

tnm0113 · September 17, 2020, 9:28am

Thanks, can you show me your configuration of hydration and rules ?