Multi-tenancy with Oathkeeper

[markrepedersen]

I'm using Oathkeeper with Kratos (following this guide: https://www.ory.sh/kratos/docs/guides/zero-trust-iap-proxy-identity-access-proxy/) to create a multi-tenant application. To support multi-tenancy, it seems like I would need to create a Kratos instance for each tenant and then have Oathkeeper route requests to the respective Kratos instance based on the URL path, which would require specifying multiple authentication servers in the Oathkeeper configuration.

Is it possible to do this with Oathkeeper and, if so, can someone give an example of how to do it?

Thanks!

[Benehiko]

Hi @markrepedersen,

I believe you can override the global oathkeeper configurations file inside your access rule as specified here.

This is your global cookie_session config:

# Global configuration file oathkeeper.yml
authenticators:
  cookie_session:
    # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
    enabled: true
    config:
      check_session_url: https://session-store-host

This is your overridden cookie_session config

# Some Access Rule: access-rule-1.yaml
id: access-rule-1
# match: ...
# upstream: ...
authenticators:
  - handler: cookie_session
    config:
      check_session_url: https://session-store-host
      only:
        - sessionid

[markrepedersen]

Thanks for the help!

Doesn't this mean that I would have to duplicate each rule for every tenant that I have? I assume I could just create a access-rule-<tenant>.yaml for every tenant to make this somewhat palatable, but I'm wondering if there's a way to do this dynamically by capturing the dynamic portion of the URL and forwarding it to a named Kratos instance?

e.g. example.com/tenant1 -> tenant1.kratos assuming tenant1.kratos is a docker-compose service.

Possibly with this? https://www.ory.sh/oathkeeper/docs/api-access-rules/#match-strategy-behavior. However, I don't see any documentation for how to use this feature.

[Benehiko]

Yes, I don't believe what you describe is possible. I would think the only way you can make this dynamic is to utilise the configurations hot reload feature of Oathkeeper. This means adding entries of your access-rule-<tenant>.yaml to the oathkeeper.yml using a script and oathkeeper will reload the configurations on change. You can even pass the access-rule-<tenant> to oathkeeper using an inline base64 string as described here

# If the URL Scheme is `inline://`, the access rules (an array of access rules is expected)
# are expected to be a base64 encoded (with padding!) JSON/YAML string (base64_encode(`[{"id":"foo-rule","authenticators":?> [....]}]`)):
- inline://W3siaWQiOiJmb28tcnVsZSIsImF1dGhlbnRpY2F0b3JzIjpbXX1d

[markrepedersen]

Is this something I could create a pull request for?

[Benehiko]

I think if you would like to work on something like this then I would first advise you to create an Issue explaining what you would like to implement and then take it from there.

Thank you! :)