oathkeeper
Allow the use of unix sockets for URLs
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe your problem
Currently, it is not possible to use unix sockets for URLs:

```yaml
- id: some-id
  upstream:
    url: http://127.0.0.1:8080/bbb # Only http(s)://.... is supported
  match:
    url: http://127.0.0.1:4455/<.*>
    methods:
      - GET
      - POST
  authenticators:
    - handler: cookie_session
      config:
        check_session_url: http://127.0.0.1:8081/aaa # Only http(s)://.... is supported
  authorizer:
    handler: allow
  mutators:
    - handler: noop
  errors:
    - handler: json
```
Describe your ideal solution
One solution could be to use the unix:// scheme, allowing distinction between tcp and unix connections.
Workarounds or alternatives
I have found this related discussion: Addressing HTTP servers over Unix domain sockets.
Here is an example of what could be used:

```yaml
- id: some-id
  upstream:
    url: unix:///path/to/unix.sock?path=/bbb
  match:
    url: http://127.0.0.1:4455/<.*>
    methods:
      - GET
      - POST
  authenticators:
    - handler: cookie_session
      config:
        check_session_url: unix:///path/to/another/unix.sock?path=/aaa
  authorizer:
    handler: allow
  mutators:
    - handler: noop
  errors:
    - handler: json
```
Version
v0.38.16-beta.1
Additional Context
No response
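To make the proposed `unix:///path/to/unix.sock?path=/bbb` convention concrete, here is an added Go example (not Oathkeeper's code, and not part of the issue) that parses that form into a socket path plus HTTP path and builds an `http.Client` dialing the socket instead of TCP. The names `UnixTarget`, `ParseUnixURL` and `NewUnixClient` are assumptions for illustration; it rejects `unix://host/...` (ambiguous host vs. path) and a relative `?path=` value.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// UnixTarget is what the proposed unix:///path/to/unix.sock?path=/bbb form resolves to.
type UnixTarget struct {
	SocketPath string // filesystem path of the Unix domain socket to dial
	HTTPPath   string // request path from the ?path= query, "/" when absent
}

// ParseUnixURL validates and splits a unix:// URL; any other form is rejected.
func ParseUnixURL(raw string) (UnixTarget, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return UnixTarget{}, err
	}
	// Require the three-slash, empty-host form: unix://host/sock would be ambiguous.
	if u.Scheme != "unix" || u.Host != "" || u.Path == "" {
		return UnixTarget{}, fmt.Errorf("want unix:///absolute/socket/path, got %q", raw)
	}
	httpPath := u.Query().Get("path")
	if httpPath == "" {
		httpPath = "/"
	}
	if httpPath[0] != '/' {
		return UnixTarget{}, fmt.Errorf("?path= must be absolute, got %q", httpPath)
	}
	return UnixTarget{SocketPath: u.Path, HTTPPath: httpPath}, nil
}

// RequestURL is the URL handed to net/http; the host is a placeholder the transport ignores.
func (t UnixTarget) RequestURL() string { return "http://unix" + t.HTTPPath }

// NewUnixClient builds an http.Client whose dialer connects to the socket path
// instead of the host:port in the request URL.
func NewUnixClient(t UnixTarget) *http.Client {
	tr := &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, "unix", t.SocketPath)
		},
	}
	return &http.Client{Transport: tr}
}
```

With this, both `upstream.url` and `check_session_url` from the example above could be resolved the same way, while plain `http(s)://` URLs keep their existing TCP path.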
Protocol definition isn't even well defined in your post reference from the IETF. As the post mentions, URL definition is required for oathkeeper evaluation. Standard headers or cookies don't exist in a socket communication. I would advise looking into https://man7.org/linux/man-pages/man7/unix.7.html SCM_SECURITY instead of trying to use a network authentication service for local-only sockets that don't use a network-based structure.
Closing as out of scope for Oathkeeper, unless there's a strong use case and community contribution.