cookie_session authenticator does not extract subject when method is HEAD #1172

Open
5 tasks done
DrDobbY opened this issue Jul 8, 2024 · 0 comments
Labels
bug Something is not working.

Comments


DrDobbY commented Jul 8, 2024

Preflight checklist

Ory Network Project

goofy-varahamihira-0cacga6s4t

Describe the bug

The cookie_session authenticator is not able to extract the subject id if the method is HEAD.

Reproducing the bug

I have the following configuration for cookie_session:

```yaml
cookie_session:
  enabled: true
  config:
    preserve_path: true
    extra_from: "@this"
    additional_headers:
      accept: application/json
    check_session_url: https://goofy-varahamihira-0cacga6s4t.projects.oryapis.com/sessions/whoami
    subject_from: identity.id
```

And this is my rule:

```yaml
- id: "test-head"
  match:
    url: http://<127.0.0.1|localhost>:4456/test
    methods: ["HEAD", "GET"]
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: remote_json
  mutators:
    - handler: noop
```

My remote_json payload configuration is:

```yaml
payload: |
  {
    "subject": "{{ print .Subject }}",
    "resource": "{{ print .MatchContext.URL }}",
    "token": "{{ .MatchContext.Header.Get "X-Api-Key" }}"
  }
```

My remote_json endpoint expects the subject to be non-null, but when I send a HEAD request to this endpoint, I get a 400 from the remote_json service, because Oathkeeper has not extracted the id.

Send a HEAD request to the URL localhost:4456/decisions/test with a valid cookie. When I change my request from HEAD to GET, I get the expected 200 result.

Relevant log output

This is the stacktrace from Oathkeeper:
time=2024-07-08T08:29:55+02:00 level=info msg=started handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip connection:keep-alive cookie:[ory_session_goofyvarahamihira0cacga6s4t=MTcyMDQxODAyM3wwU1U4VmNfNDZ3V0
FWOV9aQ3pKTWdMYmVfX21lU0thZGtPOEFmMjRPaWdGQlByb2JBVEJlQldLQU1zeUtnX1RnaXVBbHRZYU9nbnpGWF9ZWEZ5RVU3dnJMXzRZQTRNYmxEcExLMHFlTTVwd25kOXBJbHIwR0NOal9pcnU5QzlHeVNBT1JjS1BWSXZNQ0VrUVpkR0xMSG1uWnNzZmtvTUlRQjVuRGptR0NQNFlWMldsZWVUY0l6ZlJyZl
9SSjZpSnhZOVhFNHRlejZaU2xDOXpUVWVjd25Rd0xMaFpQU2Y3RTRpeXhOZzlJNjU4OHFqaWNMTTZwVW5ZWHJDV0lscTRrbDNla084Um5RTU9QQXJRUUhod3l8e7WZrlqpqwa_6s00ravUU6FIX1pGiju33hqFnfwzhq8=; Path=/; Domain=goofy-varahamihira-0cacga6s4t.projects.oryapis.co
m; Secure; HttpOnly;] postman-token:2829183d-a6d8-4afe-bf6a-01e6b7463916 user-agent:PostmanRuntime/7.39.0] host:localhost:4456 method:HEAD path:/decisions/test query:<nil> remote:[::1]:60972 scheme:http]
time=2024-07-08T08:30:00+02:00 level=warning msg=The authorization handler encountered an error audience=application authorization_handler=remote_json error=map[message:expected status code 200 but got 400 stack_trace:
github.com/ory/oathkeeper/pipeline/authz.(*AuthorizerRemoteJSON).Authorize
        /project/pipeline/authz/remote_json.go:122
github.com/ory/oathkeeper/proxy.(*requestHandler).HandleRequest
        /project/proxy/request_handler.go:266
github.com/ory/oathkeeper/api.(*DecisionHandler).decisions
        /project/api/decision.go:96
github.com/ory/oathkeeper/api.(*DecisionHandler).ServeHTTP
        /project/api/decision.go:50
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/x/corsx.ContextualizedMiddleware.func1
        /go/pkg/mod/github.com/ory/[email protected]/corsx/middleware.go:26
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/x/reqlog.(*Middleware).ServeHTTP
        /go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:142
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/oathkeeper/metrics.(*Middleware).ServeHTTP
        /project/metrics/middleware.go:103
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/x/metricsx.(*Service).ServeHTTP
        /go/pkg/mod/github.com/ory/[email protected]/metricsx/middleware.go:272
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/urfave/negroni.(*Negroni).ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:96
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*Handler).ServeHTTP
        /go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]/handler.go:204
net/http.serverHandler.ServeHTTP
        /usr/local/go/src/net/http/server.go:2936
net/http.(*conn).serve
        /usr/local/go/src/net/http/server.go:1995
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1598] granted=false http_host=localhost:4456 http_method=HEAD http_url=http://localhost:4456/test http_user_agent=PostmanRuntime/7.39.0 reason_id=authorization_handler_error rule_id=test
-head service_name=ORY Oathkeeper service_version=v0.40.6 subject=
time=2024-07-08T08:30:00+02:00 level=info msg=Access request denied audience=application error=map[message:expected status code 200 but got 400 stack_trace:
github.com/ory/oathkeeper/pipeline/authz.(*AuthorizerRemoteJSON).Authorize
        /project/pipeline/authz/remote_json.go:122
github.com/ory/oathkeeper/proxy.(*requestHandler).HandleRequest
        /project/proxy/request_handler.go:266
github.com/ory/oathkeeper/api.(*DecisionHandler).decisions
        /project/api/decision.go:96
github.com/ory/oathkeeper/api.(*DecisionHandler).ServeHTTP
        /project/api/decision.go:50
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/x/corsx.ContextualizedMiddleware.func1
        /go/pkg/mod/github.com/ory/[email protected]/corsx/middleware.go:26
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/x/reqlog.(*Middleware).ServeHTTP
        /go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:142
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/oathkeeper/metrics.(*Middleware).ServeHTTP
        /project/metrics/middleware.go:103
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/x/metricsx.(*Service).ServeHTTP
        /go/pkg/mod/github.com/ory/[email protected]/metricsx/middleware.go:272
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/urfave/negroni.(*Negroni).ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:96
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*Handler).ServeHTTP
        /go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]/handler.go:204
net/http.serverHandler.ServeHTTP
        /usr/local/go/src/net/http/server.go:2936
net/http.(*conn).serve
        /usr/local/go/src/net/http/server.go:1995
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1598] granted=false http_host=localhost:4456 http_method=HEAD http_url=http://localhost:4456/test http_user_agent=PostmanRuntime/7.39.0 service_name=ORY Oathkeeper service_version=v0.40.
6
time=2024-07-08T08:30:00+02:00 level=error msg=An error occurred while handling a request audience=application error=map[debug: message:An internal server error occurred, please contact the system administrator reason: stack_trace: 
github.com/ory/herodot.(*DefaultError).WithTrace
        /go/pkg/mod/github.com/ory/[email protected]/error_default.go:102
github.com/ory/oathkeeper/pipeline/errors.(*ErrorJSON).Handle
        /project/pipeline/errors/error_json.go:65
github.com/ory/oathkeeper/proxy.(*requestHandler).HandleError
        /project/proxy/request_handler.go:151
github.com/ory/oathkeeper/api.(*DecisionHandler).decisions
        /project/api/decision.go:102
github.com/ory/oathkeeper/api.(*DecisionHandler).ServeHTTP
        /project/api/decision.go:50
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/x/corsx.ContextualizedMiddleware.func1
        /go/pkg/mod/github.com/ory/[email protected]/corsx/middleware.go:26
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/x/reqlog.(*Middleware).ServeHTTP
        /go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:142
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/oathkeeper/metrics.(*Middleware).ServeHTTP
        /project/metrics/middleware.go:103
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/x/metricsx.(*Service).ServeHTTP
        /go/pkg/mod/github.com/ory/[email protected]/metricsx/middleware.go:272
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/urfave/negroni.(*Negroni).ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:96
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*Handler).ServeHTTP
        /go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]/handler.go:204
net/http.serverHandler.ServeHTTP
        /usr/local/go/src/net/http/server.go:2936
net/http.(*conn).serve
        /usr/local/go/src/net/http/server.go:1995
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1598 status:Internal Server Error status_code:500] http_request=map[headers:map[accept:*/* accept-encoding:gzip connection:keep-alive cookie:[ory_session_goofyvarahamihira0cacga6s4t=MTcy
MDQxODAyM3wwU1U4VmNfNDZ3V0FWOV9aQ3pKTWdMYmVfX21lU0thZGtPOEFmMjRPaWdGQlByb2JBVEJlQldLQU1zeUtnX1RnaXVBbHRZYU9nbnpGWF9ZWEZ5RVU3dnJMXzRZQTRNYmxEcExLMHFlTTVwd25kOXBJbHIwR0NOal9pcnU5QzlHeVNBT1JjS1BWSXZNQ0VrUVpkR0xMSG1uWnNzZmtvTUlRQjVuRGpt
R0NQNFlWMldsZWVUY0l6ZlJyZl9SSjZpSnhZOVhFNHRlejZaU2xDOXpUVWVjd25Rd0xMaFpQU2Y3RTRpeXhOZzlJNjU4OHFqaWNMTTZwVW5ZWHJDV0lscTRrbDNla084Um5RTU9QQXJRUUhod3l8e7WZrlqpqwa_6s00ravUU6FIX1pGiju33hqFnfwzhq8=; Path=/; Domain=goofy-varahamihira-0cac
ga6s4t.projects.oryapis.com; Secure; HttpOnly;] postman-token:2829183d-a6d8-4afe-bf6a-01e6b7463916 user-agent:PostmanRuntime/7.39.0] host:localhost:4456 method:HEAD path:/test query:<nil> remote:[::1]:60972 scheme:http] http_respons
e=map[status_code:500] service_name=ORY Oathkeeper service_version=v0.40.6
time=2024-07-08T08:30:00+02:00 level=info msg=completed handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip connection:keep-alive cookie:[ory_session_goofyvarahamihira0cacga6s4t=MTcyMDQxODAyM3wwU1U4VmNfNDZ3
V0FWOV9aQ3pKTWdMYmVfX21lU0thZGtPOEFmMjRPaWdGQlByb2JBVEJlQldLQU1zeUtnX1RnaXVBbHRZYU9nbnpGWF9ZWEZ5RVU3dnJMXzRZQTRNYmxEcExLMHFlTTVwd25kOXBJbHIwR0NOal9pcnU5QzlHeVNBT1JjS1BWSXZNQ0VrUVpkR0xMSG1uWnNzZmtvTUlRQjVuRGptR0NQNFlWMldsZWVUY0l6ZlJy
Zl9SSjZpSnhZOVhFNHRlejZaU2xDOXpUVWVjd25Rd0xMaFpQU2Y3RTRpeXhOZzlJNjU4OHFqaWNMTTZwVW5ZWHJDV0lscTRrbDNla084Um5RTU9QQXJRUUhod3l8e7WZrlqpqwa_6s00ravUU6FIX1pGiju33hqFnfwzhq8=; Path=/; Domain=goofy-varahamihira-0cacga6s4t.projects.oryapis.
com; Secure; HttpOnly;] postman-token:2829183d-a6d8-4afe-bf6a-01e6b7463916 user-agent:PostmanRuntime/7.39.0] host:localhost:4456 method:HEAD path:/test query:<nil> remote:[::1]:60972 scheme:http] http_response=map[headers:map[conten
t-type:application/json] size:143 status:500 text_status:Internal Server Error took:5.2060312s]

Relevant configuration

## Rules

```yaml
- id: "test-head"
  match:
    url: http://<127.0.0.1|localhost>:4456/test
    methods: ["HEAD", "GET"]
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: remote_json
  mutators:
    - handler: noop
```

## config.yaml

```yaml
authenticators:
  cookie_session:
    enabled: true
    config:
      preserve_path: true
      extra_from: "@this"
      additional_headers:
        accept: application/json
      check_session_url: https://goofy-varahamihira-0cacga6s4t.projects.oryapis.com/sessions/whoami
      subject_from: identity.id

authorizers:
  remote_json:
    enabled: true
    config:
      remote: http://localhost:8239/api/v1/authorizer/remote_json
      forward_response_headers_to_upstream: [ "roles", "companyId", "siteId", "apartmentId" ]
      payload: |
        {
         "subject": "{{ print .Subject }}"
        }
```

Version

0.40.6

On which operating system are you observing this issue?

Windows

In which environment are you deploying?

Binary

Additional Context

No response
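An added illustration, written for this page and not taken from the report or from Oathkeeper's code, of the failure mode the log shows (`subject=` is empty on HEAD): a session check that forwards the incoming request's method to the whoami endpoint gets a bodiless reply for HEAD, so `identity.id` cannot be read. The whoami server and the cookie value are constructed; forwarding as GET regardless of the incoming method, which I assume is what the authenticator needs here, yields the subject:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// whoamiServer is a constructed stand-in for Ory's /sessions/whoami endpoint. It answers
// any method with a session document, but net/http discards the body of a HEAD response.
func whoamiServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := r.Cookie("ory_session"); err != nil {
			http.Error(w, `{"error":"no session cookie"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"active":true,"identity":{"id":"user-1234"}}`)
	}))
}

// subjectFromSession forwards the session cookie to checkURL using the given method
// and reads identity.id from the reply, as subject_from: identity.id would.
func subjectFromSession(checkURL, method, cookie string) (string, error) {
	req, err := http.NewRequest(method, checkURL, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Cookie", cookie)
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("session check returned %d", resp.StatusCode)
	}
	// A forwarded HEAD lands here with status 200 but an empty body: there is no
	// document to take the subject from, so the authenticator ends up with subject="".
	var s struct{ Identity struct{ ID string `json:"id"` } `json:"identity"` }
	if err := json.Unmarshal(body, &s); err != nil || s.Identity.ID == "" {
		return "", fmt.Errorf("%s reply (%d bytes): identity.id not found", method, len(body))
	}
	return s.Identity.ID, nil
}
```

If your Oathkeeper version exposes the cookie_session `force_method` option, setting it to `GET` is the configuration-level equivalent of the second call.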

@DrDobbY DrDobbY added the bug Something is not working. label Jul 8, 2024