Hi there, I deployed Oathkeeper, Kratos and Keto for my app and I want to use Kratos traits (username) as a subject for evaluating access control.
Keto role:
{"id": "agent","members": ["username0"]}
Keto policy:
{
  "id": "myorg:resources:policies:policy:role:agent",
  "description": "Agent policy.",
  "subjects": [
    "agent"
  ],
  "effect": "allow",
  "resources": [
    "myorg:resources:sample-resources"
  ],
  "actions": [
    "view"
  ]
}
Oathkeeper rule:
authenticators:
  - handler: cookie_session
authorizer:
  handler: keto_engine_acp_ory
  config:
    subject: "{{ print .Extra.identity.traits.username }}"
    required_action: "view"
    required_resource: "myorg:resources:sample-resources"
mutators:
  - handler: id_token
I got a 403 when accessing the resource, but when I tried the Keto API directly, I got allowed: true:
curl --location --request POST 'http://keto-host:4456/engines/acp/ory/exact/allowed' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "action": "view",
    "resource": "myorg:resources:sample-resources",
    "subject": "username0"
  }'
{"allowed":true}
What is the correct syntax for using Kratos traits as the subject in the Oathkeeper Keto authorizer? And is there any way to debug the template substitution (print the substituted subject)?
Thanks!
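The subject field in the rule above is a Go text/template that Oathkeeper renders against the authentication session (the context exposes .Subject, .Extra and .Header). The program below is an added example, not part of the original post and not code from the ORY projects: it renders the same template offline against two constructed session payloads, one where .Extra carries the Kratos session (so .Extra.identity.traits.username resolves) and one where it does not, and it renders each a second time with Go's missingkey=error option so that a wrong path fails with an error naming the missing key instead of silently producing the wrong subject. The Session type, the session JSON and the identifiers in it are this example's assumptions; which shape .Extra actually has at runtime depends on how the cookie_session authenticator is configured (its subject_from and extra_from options), so compare the payload you feed in here against what your session endpoint really returns.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Session is a local stand-in for the authentication session that Oathkeeper
// hands to rule templates. It is an assumption of this example, not
// Oathkeeper's own type; only the fields templates commonly reference are kept.
type Session struct {
	Subject string                 `json:"subject"`
	Extra   map[string]interface{} `json:"extra"`
	Header  map[string][]string    `json:"header"`
}

// Constructed sample payloads (not captured from a real deployment).
// In the first, .Extra holds the Kratos session so that
// .Extra.identity.traits.username resolves; in the second it does not.
const SessionWithIdentity = `{
  "subject": "some-identity-id",
  "extra": {
    "identity": {
      "id": "some-identity-id",
      "traits": {"username": "username0", "email": "username0@example.com"}
    }
  }
}`

const SessionWithoutIdentity = `{
  "subject": "some-identity-id",
  "extra": {"email": "username0@example.com"}
}`

// LoadSession decodes a session payload into the template context.
func LoadSession(raw string) (*Session, error) {
	var s Session
	if err := json.Unmarshal([]byte(raw), &s); err != nil {
		return nil, err
	}
	return &s, nil
}

// render parses and executes the template against the session with the
// given text/template options (none means Go's defaults).
func render(tmplText string, s *Session, opts ...string) (string, error) {
	t, err := template.New("subject").Option(opts...).Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSubject uses the default options: a missing map key is not an error,
// the lookup just yields no value, so a wrong path silently produces a
// placeholder instead of the username and the Keto check then fails.
func RenderSubject(tmplText string, s *Session) (string, error) {
	return render(tmplText, s)
}

// DebugSubject renders with missingkey=error, so the first key that does not
// exist under .Extra aborts the render with an error that names it.
func DebugSubject(tmplText string, s *Session) (string, error) {
	return render(tmplText, s, "missingkey=error")
}

func main() {
	tmpl := `{{ print .Extra.identity.traits.username }}`
	samples := []struct{ name, raw string }{
		{"extra holds identity", SessionWithIdentity},
		{"extra lacks identity", SessionWithoutIdentity},
	}
	for _, sm := range samples {
		s, err := LoadSession(sm.raw)
		if err != nil {
			fmt.Println(sm.name, "decode error:", err)
			continue
		}
		out, err := RenderSubject(tmpl, s)
		fmt.Printf("%-21s default: subject=%q err=%v\n", sm.name, out, err)
		out, err = DebugSubject(tmpl, s)
		fmt.Printf("%-21s debug:   subject=%q err=%v\n", sm.name, out, err)
	}
}
```

Run it with go run on a file containing the block: the first sample renders username0 both ways, the second renders a placeholder by default and an error under missingkey=error. Replacing the constructed payload with the JSON your session endpoint actually returns tells you whether the template path or the authenticator's configuration is what needs changing.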