Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: ensure bearer_token respects token_from #1189

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix: ensure bearer_token respects token_from #1189

wants to merge 2 commits into from

Conversation

TamerShlash
Copy link

@TamerShlash TamerShlash commented Sep 20, 2024
edited
Loading

The Problem

The bearer_token authenticator always returns 401 when providing any token_from option. The reason is because the token is indeed detected, and therefore the authenticator is deemed responsible, but the token is not actually passed forward to the session store in the Authorization header as the instructions here and here say should be done.

The only exception when it does work is when using the default Authorization: bearer <session-token> option (i.e, not specifying token_from at all), because the Authorization header is forwarded anyways as you can see here:

oathkeeper/pipeline/authn/authenticator_bearer_token.go

Line 124 in acb2584

c.ForwardHTTPHeaders = append(c.ForwardHTTPHeaders, []string{header.Authorization}...)

This PR fixes that by making sure to set Authorization: bearer <token> for the request going to the sessions store if a token is detected.

Is It Breaking?

No, it should not be.

Related issue(s)

#1144

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

@TamerShlash TamerShlash changed the title Ensure bearer_token Respects token_from fix: Ensure bearer_token Respects token_from Sep 20, 2024
@TamerShlash TamerShlash changed the title fix: Ensure bearer_token Respects token_from fix: ensure bearer_token respects token_from Sep 20, 2024
@TamerShlash
Copy link
Author

Hello @aeneasr 👋 can you take a look at this?

zepatrik
zepatrik reviewed Oct 14, 2024
View reviewed changes
Copy link
Member

@zepatrik zepatrik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for chiming in here! However, I'm not quite sure if this is the correct way to solve the problem.
The basic problem is that the bearer authenticator handles token_from in an unexpected way: the token is forwarded, but with the same method as defined in token_from.
Your fix adds the token to the forwarded request in the authorization header, however the original header is also forwarded. This fixes where the session store expects a Authorization: bearer <token>, however it does not solve other cases.
What do you think of adding a new config option to the authenticator, basically forward_token_as that is the inverse of token_from. With this approach we can ensure that we don't break anyone relying on the current behavior, but also don't forward the token twice.

I would not want to forward the token twice, as the token store might not correctly strip the token from logs etc. when it receives "just another extra header".

WDYT?

@TamerShlash
Copy link
Author

Hi @zepatrik! thank you for taking a look at this.

I think the main misunderstanding here is that in my mind a session store was equal to Ory Kratos, which expects the session token exclusively in the Authorization header.
What I'm understanding from you now is that this PR might break solutions where the sesison store was something other than Ory Kratos, and those solutions have been able to expect the token in other headers and thus forwarding worked fine for them.

If that's what you mean, that seems totally reasonable, and the fix you suggested with forward_token_as seems like a pretty reasonable fix.

My only take on this is that Oathkeeper authenticators configuration has already been quite confusing to understand to begin with (maybe just for us), so I think we need to properly document how this new forward_token_as option works especially with Ory Kratos as a session store since I'm assuming it's a major use case.

How do you want to go forward with this? I'm happy to update this PR with that suggestion if but can't tell how soon it will be since it's a bit busy for me this period and this is my first time working with Go ever 😄 Otherwise of course it's great if you want to take care of it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zepatrik zepatrik zepatrik left review comments

@aeneasr aeneasr Awaiting requested review from aeneasr aeneasr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@TamerShlash @zepatrik @jonas-jonas