
I have been using Ory Oathkeeper for a little while. About 2 months ago I had everything working, but after taking a break and coming back, nothing seems to work correctly.

I have 3 files: oathkeeper.yml, kratos.json and rules.json. The Oathkeeper config references both the kratos and rules files correctly, and the rule specified in kratos.json appears to work, but, bizarrely, the access rule specified in rules.json doesn't work at all. I have confirmed that the rules from both files are being picked up by Oathkeeper using the CLI command `oathkeeper rules list`.

This leads me to believe that the issue isn't with the rules themselves but with the regex. However, pasting the match regex into an online regex tester like regexr shows that it works correctly. My guess is that the Go regex library used by Oathkeeper could be broken somehow, or that I am doing something wrong in the JSON.

Below are my rules:

// kratos.json
[
  {
    "id": "ory:kratos:public",
    "upstream": {
      "preserve_host": true,
      "url": "http://kratos:4433",
      "strip_path": "/.ory/kratos/public"
    },
    "match": {
      "url": "<(http|https):\\/\\/([\\w-]+(\\.[\\w-]+)*|[\\d.]+)(:\\d+)?\\/\\.ory\\/kratos\\/public(\\/.*)?>",
      "methods": ["GET", "POST" ,"PUT", "DELETE", "PATCH"]
    },
    "authenticators": [{
      "handler": "noop"
    }],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [{
      "handler": "noop"
    }]
  }
]
// rules.json
[
  {
    "id": "fusion:account:protected",
    "upstream": {
      "preserve_host": true,
      "url": "http://host.docker.internal:80",
      "strip_path": "/api/account"
    },
    "match": {
      "url": "<(http|https):\\/\\/([\\w-]+(\\.[\\w-]+)*|[\\d.]+)(:\\d+)?\\/api\\/account(\\/.*)?>",
      "methods": ["GET", "POST" ,"PUT", "DELETE", "PATCH"]
    },
    "authenticators": [{
      "handler": "cookie_session"
    }, {
      "handler": "oauth2_introspection"
    }, {
      "handler": "anonymous"
    }],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [{
      "handler": "id_token"
    }],
    "errors": [{
      "handler": "json"
    }]
  }
]
// oathkeeper.yml
# Oathkeeper configuration as posted; the comments are review notes, the values
# are exactly as in the question.
serve:
  proxy:
    port: 4455 # run the proxy at port 4455
  api:
    port: 4456 # run the api at port 4456

access_rules:
  # regexp: the <...> parts of each rule's match.url are Go regular
  # expressions; text outside <...> is matched literally.
  matching_strategy: regexp
  repositories:
    - file:///etc/config/oathkeeper/rules.json
    - file:///etc/config/oathkeeper/kratos.json

log:
  level: debug
  format: text
  # Disables redaction of sensitive values (cookies, tokens) in the debug log.
  # Handy while chasing the rule-matching problem; set back to false afterwards
  # so credentials do not persist in log storage.
  leak_sensitive_values: true

errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        # verbose: error responses carry extra detail; the 404 body quoted in
        # the question ("Requested url does not match any rules") is produced
        # by this handler.
        verbose: true
    redirect:
      enabled: true
      config:
        # Looks like the docs-example target; neither rule on this page selects
        # the redirect handler.
        to: https://www.ory.sh/docs

mutators:
  header:
    enabled: true
    config:
      headers:
        # Go template; quoted so the leading "{{" is not parsed as a YAML flow
        # mapping.
        X-User: "{{ print .Subject }}"
  noop:
    enabled: true
  id_token:
    # Selected by the rules.json rule; mints a JWT for the upstream.
    enabled: true
    config:
      # Becomes the token's iss claim; the upstream must be configured to
      # accept this value.
      issuer_url: http://localhost:4455/
      # NOTE(review): this JWKS supplies the id_token signing key, so the file
      # is secret material - mount it at runtime rather than baking it into an
      # image or committing it.
      jwks_url: file:///etc/config/oathkeeper/jwks.json
      # Template for additional claims; single-quoted so the inner double
      # quotes and "{{" survive YAML parsing.
      claims: '{"scope":"{{ .Extra.scope }}"}'

authorizers:
  allow:
    enabled: true
  deny:
    enabled: true
  remote_json:
    # remote_json documentation: https://www.ory.sh/oathkeeper/docs/pipeline/authz#remote_json
    # Enabled but not referenced by either rule on this page (both use "allow").
    enabled: true
    config:
      remote: http://keto:4466/check
      # must be set explicitly, otherwise: https://github.com/ory/oathkeeper/issues/797
      forward_response_headers_to_upstream: []
      # Placeholder body: every field is still "..." and needs real values or
      # templates before a rule can rely on this authorizer.
      payload: |
        {
            "namespace": "...",
            "subject": "...",
            "object": "...",
            "relation": "..."
        }

authenticators:
  noop:
    enabled: true
  cookie_session:
    enabled: true
    config:
      check_session_url: http://kratos:4433/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      # Only requests carrying this cookie are forwarded to Kratos for the
      # session lookup.
      only:
        - ory_kratos_session
  anonymous:
    # NOTE(review): rules.json lists this after cookie_session and
    # oauth2_introspection and pairs the chain with the "allow" authorizer, so
    # a request with neither a session cookie nor a bearer token still reaches
    # http://host.docker.internal:80 as subject "guest". If /api/account is
    # meant to be protected, drop "anonymous" from that rule or use an
    # authorizer that rejects the guest subject.
    enabled: true
    config:
      subject: guest
  oauth2_introspection:
    enabled: true
    config:
      introspection_url: http://hydra:4445/oauth2/introspect

I have also tried hard-coding URLs in the config, but those don't appear to work either: if I use something like http://localhost:4455/test and open that URL in my browser, I get the same error.

The error response I get is provided below:

{
  "error": {
    "code": 404,
    "status": "Not Found",
    "message": "Requested url does not match any rules"
  }
}
