Oathkeeper as a Relying Party

[synclpz]

Hi! Any thoughts on how to implement an OAuth2/OIDC to secured by cookie web-app flow?

At the moment, I use custom-built proxy that acts as a relying party: receives a callback with auth_code from OP, retrieves tokens from OP, caches them, issues a cookie to browser and checks if session is valid through access_token introspection endpoint periodically. Also it does handle token refresh when access_token expires and back-channel logout requests from OP for fast session invalidation in case of user logged out on OP.

I want to achieve the same goal with Oathkeeper and Hydra, do you have any ideas how to achieve it? Or may you provide any advice how do I do my scenario in another way?

[Benehiko]

Hi,

Is this maybe what you are looking for https://www.ory.sh/oathkeeper/docs/pipeline/mutator?

[synclpz]

Nope, it's not as far as I see. This allows to make changes to proxied request, but what I want is:

1. Browser goes to https://myservice/some/deep/link without any cookie (or an expired one)
2. Oathkeeper detects no session is active, redirects to Hydra
3. Hydra performs SSO or performs login through login app
4. Redirects back http://myservice/oauth2/code?auth_code=....&return_to=/some/deep/link which is handled by Oathkeeper
5. Oathkeeper exchanges code for tokens, checks authz policies, if ok issues a session cookie with redirect to "return_to"
6. Browser goes again to https://myservice/some/deep/link this time with cookie
7. Oathkeeper checks cookie vs tokens, checks if token valid, proxies request to destination adding JWT/header with mutator.

[Benehiko]

Okay, so first things first.

Why do you need Hydra for SSO? If you have some external clients logging into your system, then they will need to handle steps 1 and 2.

Steps 3, 4, 5 (keto?), 6 are all management by Ory Kratos + Oathkeeper.

If you want user management, you need Ory Kratos. If you want permissions for each redirect you need Ory Keto + Oathkeeper.

[synclpz]

Okay, step aside with Hydra, imagine it would be some kind of OpenID Provider (Google/Facebook), I'd like to have a setup when Oathkeeper stands between my front-end (browser) and back-end (server) and my app uses OIDC from external provide for user authentication. In this example Oathkeeper needs to be able to: receive auth_code, exchange it for tokens, validate tokens and create cookie-based session for browser, mutating all incoming requests with Authorization and/or other headers using cached tokens before forwarding to back-end.

[synclpz]

Created an issue with more concise description #647