Allow mulitple authenticators to work on same header

[pike1212]

Is your feature request related to a problem? Please describe.

I would like clients to be able to call my service using either OAuth tokens or JWTs and the same header ("Authorization"). Currently, if the first one fails, the next one is never tried.

Describe the solution you'd like

Maybe a flag in one of the authenticators that tells it not to error if it can't validate the token?

[aeneasr]

Yeah that sounds like a reasonable request. I'm not sure how we could address this properly. What we really need is an AND and OR logic I guess? That will be quite horrific to define in YAML though...

IMO this should be a part of #441

[pike1212]

What is time frame for next gen? We are currently running a custom branch to enable this functionality

[github-actions]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan on resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneous you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

[a-candiotti-pvotal]

We have a similar situation.

We are attributing rights and restricting access based on audiences, which lead us to have several JWT authenticators in our configuration.

The current implementation considers that if a token does not match a JWT authenticator's audiences, the authenticator should return an Unauthorized.
Which does not work in our case

Consider the following example:

authenticators:
  - config:
      allowed_algorithms:
        - RS256
      jwks_urls:
        - 'https://trusted.com/jwks.json'
      required_scope:
        - scope1
      target_audience:
        - 'https://audience1.com'
      trusted_issuers:
        - 'https://auth.com/'
    handler: jwt
  - config:
      allowed_algorithms:
        - RS256
      jwks_urls:
        - 'https://anothertrusteddomain.com/jwks.json'
      required_scope:
        - scope1
      target_audience:
        - 'https://audience2.com'
      trusted_issuers:
        - 'https://auth.com/'
    handler: jwt

For a JWT that has the 'https://audience2.com' audience, here is the behavior we thought would occur:

• the first authenticator refuses the token but passes the responsability to the second authenticator
• the second one accepts the token

What happened instead:

• the first authenticator refused the token as the audiences didn't match.

A flag in the config would indeed be a nice way to make an exception in the authenticator chain.

[github-actions]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️