Multiple oauth2_introspection authenticators for same access rule

[PeteMac88]

Hey there,
as described in the docu (https://www.ory.sh/oathkeeper/docs/pipeline/authn) we can add multiple authenticators to an access rule. We have to different auth server where tokens are evaluated through the introspection endpoint.

[
    {
        "id": "test",
        "upstream": {
          "url": "http://mock-api:8888"
        },
        "match": {
            "url": "http://<.*>/apis",
            "methods": [
                "GET"
            ]
        },
        "authenticators": [
          {
            "handler": "oauth2_introspection",
            "config": {
              "introspection_url": "http://keycloak:8080/auth/realms/test/protocol/openid-connect/token/introspect",
            }
          },
          {
            "handler": "oauth2_introspection",
            "config": {
              "introspection_url": "http://hydra:4445/oauth2/introspect"
            }
          }
        ],
        "authorizer": { "handler": "allow" },
        "mutators": [{ "handler": "header" }]
    }
]

The problem is that when the first introspection response is invalid the whole request is answered with a 401 error. Is this correct?

The only possible solution would be that I need to use different access rules with modified match urls but this seems to be a bit ugly.

[
    {
        "id": "test",
        "upstream": {
          "url": "http://mock-api:8888"
        },
        "match": {
            "url": "http://<.*>/apis",
            "methods": [
                "GET"
            ]
        },
        "authenticators": [
          {
            "handler": "oauth2_introspection",
            "config": {
              "introspection_url": "http://hydra:4445/oauth2/introspect"
            }
          }
        ],
        "authorizer": { "handler": "allow" },
        "mutators": [{ "handler": "header" }]
    },
    {
        "id": "test2",
        "upstream": {
          "url": "http://mock-api:8888"
        },
        "match": {
             "url": "http://<.*>/apis2",
            "methods": [
                "GET"
            ]
        },
        "authenticators": [
          {
            "handler": "oauth2_introspection",
            "config": {
              "introspection_url": "http://keycloak:8080/auth/realms/test/protocol/openid-connect/token/introspect",
            }
          }
        ],
        "authorizer": { "handler": "allow" },
        "mutators": [{ "handler": "header" }]
    }
]

Is there another way?

[Demonsthere]

Hello there!
You may have missed this part of the docs:

If handler a is able to handle the provided credentials, then handler b and c will be ignored. If handler a can not handle the provided credentials but handler b can, then handler a and c will be ignored. Handling the provided credentials means that the authenticator knows how to handle, for example, the Authorization: basic header. It does not mean that the credentials are valid! If a handler encounters invalid credentials, then other handlers will be ignored too.

In your case I think you would need to have different configs for both introspections, so oathkeeper can pick the correct one to use.

[vinckr]

Hey @PeteMac88 , just checking in if your problem still persists.
I will mark this as answered for now, but feel free to come back to the discussion any time.
Thanks a ton 🐝