
Decision API is not respecting the token_from config #1144

Open
3 of 5 tasks
osbornk opened this issue Dec 13, 2023 · 1 comment
Labels
bug Something is not working.

Comments


osbornk commented Dec 13, 2023

Preflight checklist

Ory Network Project

No response

Describe the bug

I am trying to send a custom token header to the Oathkeeper API for token auth. But it seems to not pass a custom token header to the check_session_url. Instead, it does not send a token at all.

Oathkeeper does check the token. If I don't include the token, Oathkeeper immediately returns a 401. But it never gets passed onto the check_session_url.

Reproducing the bug

Here is my command:

curl -H "X-Forwarded-Method: GET" -H "X-Forwarded-Proto: http" -H "X-Forwarded-Host: myhost" -H "X-Forwarded-Uri: /xyz" -H "xyz: sometoken" -X GET http://oathkeeper-api:4456/decisions -v

From my logs, my request makes it to Kratos, but without the token, so it produces a 401.

My expectation is for Oathkeeper to read the header xxx and send Authorization: Bearer sometoken to Kratos.

If I remove the token_from section from the config and use the default values, this works.

curl -H "X-Forwarded-Method: GET" -H "X-Forwarded-Proto: http" -H "X-Forwarded-Host: myhost" -H "X-Forwarded-Uri: /xyz" -H "Authorization: Bearer sometoken" -X GET http://oathkeeper-api:4456/decisions -v

Relevant log output

No response

Relevant configuration

config:
    access_rules:
      repositories:
        - file:///etc/rules/access-rules.json
    authenticators:
      bearer_token:
        enabled: true
        config:
          check_session_url: http://kratos-public/sessions/whoami
          preserve_path: true
          token_from:
            header: xxx
          extra_from: "@this"
          subject_from: "identity.traits.my_id"
    authorizers:
      allow:
        enabled: true
    mutators:
      header:
        enabled: true
        config:
          headers:
            X-User: "{{ print .Subject }}"

Version

0.40.6

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response

@osbornk osbornk added the bug Something is not working. label Dec 13, 2023
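As an added regression check for the behaviour described above (example code written for this thread, not Oathkeeper's own implementation): a minimal Go stand-in for the `token_from` header lookup, plus a throwaway `check_session_url` that records which `Authorization` header it actually received. `TokenFrom`, `extractToken` and `forwardedAuth` are assumed names, and the `xxx` / `sometoken` values are the constructed ones from the report.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenFrom is an assumed stand-in for the bearer_token token_from setting (not Oathkeeper's type).
type TokenFrom struct{ Header string }
// extractToken reads the token from the configured header; an empty TokenFrom
// means the default "Authorization: Bearer <token>" header.
func extractToken(r *http.Request, tf TokenFrom) string {
	if tf.Header != "" {
		return strings.TrimSpace(r.Header.Get(tf.Header))
	}
	if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		return strings.TrimPrefix(auth, "Bearer ")
	}
	return ""
}

// forwardedAuth replays the extracted token to a stand-in check_session_url and
// returns the Authorization header that endpoint received ("" = never forwarded).
func forwardedAuth(r *http.Request, tf TokenFrom) (string, error) {
	token := extractToken(r, tf)
	if token == "" {
		return "", fmt.Errorf("401: no token found in configured location")
	}
	var got string
	srv := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, q *http.Request) {
		got = q.Header.Get("Authorization")
	}))
	defer srv.Close()
	req, _ := http.NewRequest(http.MethodGet, srv.URL+"/sessions/whoami", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return got, nil
}

func main() { // constructed request matching the issue's curl, token in header xxx
	r, _ := http.NewRequest(http.MethodGet, "http://oathkeeper-api:4456/decisions", nil)
	r.Header.Set("xxx", "sometoken")
	fmt.Println(forwardedAuth(r, TokenFrom{Header: "xxx"}))
}
```

With a correct `token_from` implementation the session endpoint sees `Bearer sometoken`; an empty result against the same input is the symptom reported here.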
@TamerShlash

Having this issue as well; the only thing that works is the default, i.e. not providing any token_from value at all. If you provide anything else, you get 401.

Development

No branches or pull requests

2 participants