Keto authorization with Oathkeeper

[t03r1cht]

Hi all,
after many failed attempts at debugging this problem I'm trying my luck here. My use case is fairly simple. Authentication with Oathkeeper + Kratos works great, now I just want to delegate authorization to Keto.

Oathkeeper sits in front of one simple API. Authentication is done using Ory Cloud. Thanks to intense debugging from @zepatrik we were able to find out that the remote_json authorizer does not send the subject to Keto in its authorization request.

The configs are as follows

oathkeeper.yml

log:
  level: debug        
  format: json        

serve:
  proxy:
    cors:
      enabled: true   
      allowed_origins:
        - "*"
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Content-Type
      exposed_headers:
        - Content-Type
      allow_credentials: true
      debug: true

errors:
  fallback:
    - json

  handlers:
    redirect:
      enabled: true
      config:
        to: https://ory.domain.com/ui/login
        when:
          - error:
              - unauthorized
              - forbidden
            request:
              header:
                accept:
                  - text/html
    json:
      enabled: true
      config:
        verbose: true

access_rules:
  matching_strategy: glob
  repositories:
    - file:///etc/config/oathkeeper/access-rules.yml

authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest

  cookie_session:
    enabled: true
    config:
      check_session_url: https://ory.domain.com/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      preserve_host: true
      additional_headers:
        accept: application/json

  noop:
    enabled: true

authorizers:
  allow:
    enabled: true

  remote_json:
    enabled: true
    config:
      remote: http://keto:4466/check
      payload: |
        { }
      forward_response_headers_to_upstream:
        - X-Foo
      retry:
        max_delay: 1s
        give_up_after: 1s

mutators:
  noop:
    enabled: true

access-rules.yml

- id: "api:other-world-protected"
  upstream:
    preserve_host: true
    url: "http://other-world:8090"
  match:
    url: "http://oathkeeper:4455/otherworld"
    methods:
      - GET
  authenticators:
    - handler: cookie_session

  mutators:
    - handler: noop
  authorizer:
    handler: remote_json
    config:
      remote: http://keto:4466/check
      payload: |
        {
          // this doesn't get filled with a value at runtime apparently
          "subject_id": "{{ print .Subject }}",
          "relation": "access",
          "namespace": "services",
          "object": "protected-service"
        }
  errors:
    - handler: redirect
      config:
        to: https://ory.domain.com/ui/login

With a patched version for Keto (thanks to @zepatrik ) the incoming authorization request from Oathkeeper is logged in the trace stream and looks like this

time=2022-05-06T13:41:13Z level=trace msg=checking relation tuple audience=application namespace=services object=protected-service relation=access service_name=Ory Keto service_version=master subject=

As you can see, subject= is empty.

At this point I'm not sure if it's a fairly easy or a hard problem. I've looked into so many sample configs/issues I can't tell anymore.

Thanks in advance!

[t03r1cht]

Thanks to @gen1us2k which found a workaround for this problem.
This problem only seems to happen when using Ory Cloud for authentication. More details on this topic can be found at #952

For the workaround you extend the cookie_session config to include the following headers:

  cookie_session:
    enabled: true
    config:
      check_session_url: http://host.docker.internal:4000/.ory/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      additional_headers:
        accept: application/json
        accept-encoding: identity

Oathkeeper will now successfully populate the Keto authorization request when using {{ print .Subject }}