Url matching in authenticators

Hi guys! Good day to everyone!

I was following the discussion in this feature request: https://github.com/ory/oathkeeper/issues/205
According to the comments, URL matching in authenticators is now possible, but I just can’t make it work… I didn’t find that in the docs.
I tried either using Go Templates:

[...]
    "match": {
        "url": "http://oathkeeper/v2/action/<.*>",
        "methods": [
            "POST"
        ]
    },
    "authenticators": [{
        "handler": "oauth2_introspection",
        "config": {
            "required_scope": ["{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}"],
            "scope_strategy": "exact"
        }
    }]

or by variables, like using keto_engine_acp_ory:

[...]
    "match": {
        "url": "http://oathkeeper/v2/action/<.*>",
        "methods": [
            "POST"
        ]
    },
    "authenticators": [{
        "handler": "oauth2_introspection",
        "config": {
            "required_scope": ["$2"],
            "scope_strategy": "exact"
        }
    }]

and many other variations with no success…
Could someone please help me with how to have a dynamic scope?

Which version are you using?

I’m using the last one for Oathkeeper (v0.37.1-beta.1).

Reading the older docs, I realized that older versions were using the variable format, for example: $1.
The newer versions match the URL regex using Go Templates:

{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}

(Doc)

But this apparently only works for authorizers, not for authenticators… It just doesn’t parse it in authenticators.

It’s possible that this is not supported in the introspection authenticator right now. If you want, open an issue and/or PR!
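
The following is an added example, not part of the thread and not Oathkeeper's own code. It renders the `required_scope` template from the first post against a request URL and shows that, under an exact string comparison, the rendered value matches a token's scope while the unrendered template text matches none. `RenderScope`, `HasExactScope`, the local `printIndex`, the template data shape, the compiled regexp, and the sample URL and scopes are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Assumptions: the template data shape below, and that "<.*>" becomes one capture group.
type matchContext struct{ RegexpCaptureGroups []string }
var actionURL = regexp.MustCompile(`^http://oathkeeper/v2/action/(.*)$`)

// printIndex is a local stand-in for the helper named in the thread.
func printIndex(groups []string, i int) string {
	if i < 0 || i >= len(groups) {
		return ""
	}
	return groups[i]
}

// RenderScope renders one required_scope entry against the request URL.
func RenderScope(entry, url string) (string, error) {
	m := actionURL.FindStringSubmatch(url)
	if m == nil {
		return "", fmt.Errorf("url %q does not match the rule", url)
	}
	t, err := template.New("scope").Funcs(template.FuncMap{"printIndex": printIndex}).Parse(entry)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	err = t.Execute(&b, struct{ MatchContext matchContext }{matchContext{m[1:]}})
	return b.String(), err
}

// HasExactScope models the "exact" strategy as plain string equality.
func HasExactScope(granted []string, required string) bool {
	for _, g := range granted {
		if g == required {
			return true
		}
	}
	return false
}

func main() {
	s, err := RenderScope("{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}", "http://oathkeeper/v2/action/reports.read")
	fmt.Println(s, err, HasExactScope([]string{"reports.read"}, s)) // constructed URL and token scopes
}
```

If a handler uses the entry as a literal string, the required scope is the template text itself, so every request to the rule is rejected rather than wrongly admitted.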