Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow/deny remote(_json) authorizers depending response content #1125

Closed
5 of 6 tasks
David-Wobrock opened this issue Jul 28, 2023 · 2 comments
Closed
5 of 6 tasks

Allow/deny remote(_json) authorizers depending response content #1125

David-Wobrock opened this issue Jul 28, 2023 · 2 comments
Labels
feat New feature or request. stale Feedback from one or more authors is required to proceed.

Comments

@David-Wobrock
Copy link
Contributor

David-Wobrock commented Jul 28, 2023
edited
Loading

Preflight checklist

Describe your problem

We've set up Oathkeeper to query OPA for authorization through a remote_json handler.

To allow or deny a request, Oathkeeper requires the remote to return the correct HTTP code.

The remote authorizer is expected to return either "200 OK" or "403 Forbidden" to allow/deny access.

Source: https://www.ory.sh/docs/oathkeeper/pipeline/authz#remote_json-configuration

However, evaluating rules in OPA will always return 200 (if the rule evaluation itself worked), but the content of the response will contain the result of the evaluation.
Therefore it's in the response body that we have a JSON containing a key with a boolean.

Describe your ideal solution

One solution would be to specify in the authorization handler configuration the JSON path to follow in the response body that should contain a boolean value.
If it's set, then we can ignore the HTTP response code for allow/deny, but rather use the value of this boolean.

The handler could raise an error if the response is not JSON, the path does not exist, or the value found is not a boolean 🙂

I'm not sure how to configure the JSON path, it could use the jq syntax.

For instance:

        remote_json:
          enabled: true
          config:
            remote: http://127.0.0.1:4242/opa-proxy
            payload: |
              {
                "input": {
                  "sub": "{{ print .Subject }}",
                  "http": {
                    "url": "{{ print .MatchContext.URL }}",
                    "method": "{{ print .MatchContext.Method }}"
                  }
                }
              }
            json_response_path: ".result"

Which would extract the boolean from a JSON response body:

{
  "result": true
}

Workarounds or alternatives

Our current workaround is to have a tiny proxy service between Oathkeeper and OPA.
It forwards requests from Oathkeeper to OPA, and returns the expected HTTP code to Oathkeeper depending on the OPA response body.

It works, but it would be great if Oathkeeper could talk directly to OPA.

Version

v0.40.6

Additional Context

Once the design is validated, we would be able to give some time to implement the feature if necessary :)

On a side note, it was also discussed on OPA side if this couldn't be handled by OPA directly: open-policy-agent/opa#3539. But the discussions point to an OPA plugin/contrib which was never implemented I reckon.
@David-Wobrock David-Wobrock added the feat New feature or request. label Jul 28, 2023
@jaspeen jaspeen mentioned this issue Jun 15, 2024
Open
5 tasks
@github-actions GitHub Actions
Copy link

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

  • open a PR referencing and resolving the issue;
  • leave a comment on it and discuss ideas on how you could contribute towards resolving it;
  • leave a comment and describe in detail why this issue is critical for your use case;
  • open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

@github-actions github-actions bot added the stale Feedback from one or more authors is required to proceed. label Jul 28, 2024
@David-Wobrock
Copy link
Contributor Author

There's an open PR for this #1169 😇
Perhaps we can keep the issue for now?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feat New feature or request. stale Feedback from one or more authors is required to proceed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@David-Wobrock