[0.39.4] cookie_session not sending Cookie header to check endpoint

[BradleyChatha]

Hello! I'm new to using OathKeeper and was experimenting with it to serve as the ingress for my new (internal) project.

However, while trying to test locally with the following config I keep getting an unauthorised error:

version: v0.39.4

access_rules:
  matching_strategy: regexp
  repositories:
    - "file://./rules/ui.yaml"
    - "file://./rules/kratos_.yaml"

authenticators:
  noop:
    enabled: true
  cookie_session:
    enabled: true
    config:
      check_session_url: http://localhost:4433/sessions/whoami # Kratos public API
      extra_from: "@this"
      subject_from: identity.id
      only:
        - ory_kratos_session

authorizers:
  allow:
    enabled: true

mutators:
  noop:
    enabled: true

errors:
  handlers:
    json:
      enabled: true
      config:
        verbose: true

I've confirmed via Oathkeeper's logs that it is getting the cookie header correctly, but doesn't appear to be sending it to check_session_url, as I can confirm from Kratos' logs:

time=2022-09-03T14:42:51Z level=info msg=An error occurred while handling a request audience=application error=map[debug: message:The request could not be authorized reason:No valid session cookie found. stack_trace:
github.com/ory/kratos/session.(*ManagerHTTP).FetchFromRequest
	/project/session/manager_http.go:136
github.com/ory/kratos/session.(*Handler).whoami
	/project/session/handler.go:177
github.com/ory/kratos/x.NoCacheHandle.func1
	/project/x/nocache.go:18
github.com/julienschmidt/httprouter.(*Router).ServeHTTP
	/go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:387
github.com/ory/nosurf.(*CSRFHandler).handleSuccess
	/go/pkg/mod/github.com/ory/[email protected]/handler.go:234
github.com/ory/nosurf.(*CSRFHandler).ServeHTTP
	/go/pkg/mod/github.com/ory/[email protected]/handler.go:185
github.com/urfave/negroni.Wrap.func1
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46
github.com/urfave/negroni.HandlerFunc.ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/kratos/x.glob..func1
	/project/x/clean_url.go:12
github.com/urfave/negroni.HandlerFunc.ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1
	/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:198
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1
	/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:101
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1
	/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:68
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2
	/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:76
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1
	/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:165
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2047
github.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1
	/go/pkg/mod/github.com/ory/[email protected]/prometheusx/metrics.go:108
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2047
github.com/ory/x/prometheusx.(*MetricsManager).ServeHTTP
	/go/pkg/mod/github.com/ory/[email protected]/prometheusx/middleware.go:30
github.com/urfave/negroni.middleware.ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/x/metricsx.(*Service).ServeHTTP
	/go/pkg/mod/github.com/ory/[email protected]/metricsx/middleware.go:275
github.com/urfave/negroni.middleware.ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/kratos/x.HTTPLoaderContextMiddleware.func1
	/project/x/httploadermiddleware.go:20
github.com/urfave/negroni.HandlerFunc.ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38 status:Unauthorized status_code:401] http_request=map[headers:map[accept:application/json accept-encoding:gzip cookie:[] user-agent:OpenAPI-Generator/1.0.0/go] host:localhost:4433 method:GET path:/sessions/whoami query:<nil> remote:172.24.0.1:63166 scheme:http] http_response=map[status_code:401] service_name=Ory Kratos service_version=v0.10.1

I am running Kratos with the --dev flag, so the cookies aren't marked as Secure, and I'm running it locally over HTTP not HTTPS. I don't know if it's worth mentioning, but I'm running Kratos in Docker, and Oathkeeper outside of Docker.

Any advice would be appreciated :)

[vinckr]

Hello @BradleyChatha
Apologies for the late answer! I hope you are not still stuck on this.
Based on the information provided, there are a few things you could check:

1. Configuration of Ory Oathkeeper: Ensure that your Ory Oathkeeper configuration is correct. The access_rules, authenticators, authorizers, and mutators should be properly set up. For example, the cookie_session authenticator should be enabled and correctly configured to point to Ory Kratos' /sessions/whoami API. Here is an example of how it should look like:

   
   authenticators:  
    cookie_session:  
    enabled: true  
    config:  
    check_session_url: http://kratos:4433/sessions/whoami  
    preserve_path: true  
    extra_from: "@this"  
    subject_from: "identity.id"  
    only:  
    - ory_kratos_session
   

   (Source)

2. Access Rules: Ensure that your access rules are correctly defined. The rules should match the HTTP requests for your access rules. Here is an example of how it should look like:

   access_rules:  
    matching_strategy: glob  
    repositories:  
    - file:///etc/config/oathkeeper/access-rules.yml
   

   (Source)

3. Docker Network: If you're running Kratos in Docker and Oathkeeper outside of Docker, you need to ensure that they can communicate with each other. The ws hostname is resolved through the Docker network. If you aren't deploying your application within Docker, this would just be your localhost IP.
   (Source)