
Default Rule for unmatched routes

Open adamstrawson opened this issue 2 years ago • 2 comments

Describe your problem

We run oathkeeper with Istio, and filter all inbound requests via an EnvoyFilter to oathkeeper.

Endpoints that don't have a rule result in the end user receiving a 404 status and the error "Requested url does not match any rules". (We can of course customise this error to be more meaningful.)

As we can't set up rules that match a URL twice, we're required to set up rules for every endpoint across our services to avoid the "no rule match" error.

Describe your ideal solution

The ability to create a default rule that is actioned should no other rules match.

Workarounds or alternatives

An alternative approach, but more complex, is being able to have the same URL match in multiple rules, and include a concept of rule priority.

We could then have a rule that contains a match url of `<.*>` that will catch all requests, and then a follow-up rule with url `foo` and a higher priority score.

When rules are loaded at startup, they should be ordered by priority, and highest priority wins when it comes to the match evaluation.

Version

v0.38.19-beta.1

Additional Context

No response

adamstrawson avatar Mar 31 '22 11:03 adamstrawson

Hey there, thank you for the report! Is the problem that envoy handles 404 responses differently from e.g. 401 for this endpoint?

I also think that having a default "base" rule might be a very good idea. So far we've kept priority matching out, as it can be quite complicated and error-prone, which is not what we usually want in security software :)

aeneasr avatar Apr 16 '22 22:04 aeneasr

You are allowed to define regex in oathkeeper rules. But you are describing an anti-security pattern for an API: you are supposed to define oathkeeper rule updates with all new service deployments via manifest updates (with, for example, Oathkeeper Maester). For example, a very open rule allowing only OPTIONS on all internal services:

# Fields of a single Oathkeeper access rule (the posted fragment omits the rule's id).
authenticators:
  - handler: anonymous
authorizer:
  handler: allow
match:
  methods:
    - OPTIONS
  url: <https>://<.*>   # text inside <...> is a regular expression; the rest is literal
mutators:
  - handler: noop

a-manraj-pvotal avatar Jul 13 '22 08:07 a-manraj-pvotal
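As an added illustration for the thread (this is not Oathkeeper's code, nor anything posted by the participants), the Python below models the two matching behaviours discussed above: the exactly-one-rule semantics that produce the "no rule match" response and make a catch-all `<.*>` collide with a specific rule, and the priority-ordered alternative adamstrawson proposes. Only the `<...>` regex delimiter syntax follows the rule posted by a-manraj-pvotal; the rule ids, hostnames, the `default-deny` rule and the `priority` field are hypothetical and do not exist in Oathkeeper.

```python
"""
Toy model of access-rule matching for an Oathkeeper-style rule set.

Added illustration for the thread; NOT Oathkeeper's own implementation.
Only the '<regex>' delimiter syntax follows the posted rule. Rule ids,
hostnames and the 'priority' field are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List


class NoRuleMatched(Exception):
    """No rule matched: the 'Requested url does not match any rules' case."""


class MultipleRulesMatched(Exception):
    """More than one rule matched and nothing breaks the tie."""


@dataclass
class Rule:
    id: str
    url: str            # literal text, with regular expressions inside <...>
    methods: List[str]
    priority: int = 0   # hypothetical: the field the issue proposes, not an Oathkeeper attribute


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Turn '<https>://<.*>' into a regex: text outside <...> is matched
    literally, text inside is used as a regular expression. Nested '<' or
    '>' inside a group is not handled (kept simple for the illustration)."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern[i] == "<":
            j = pattern.index(">", i)
            parts.append("(" + pattern[i + 1:j] + ")")
            i = j + 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))


def matching_rules(rules: List[Rule], method: str, url: str) -> List[Rule]:
    """All rules whose method list and URL pattern cover the request."""
    return [r for r in rules
            if method in r.methods and compile_pattern(r.url).fullmatch(url)]


def match_exactly_one(rules: List[Rule], method: str, url: str) -> Rule:
    """Semantics described in the thread: exactly one rule may match a request."""
    hits = matching_rules(rules, method, url)
    if not hits:
        raise NoRuleMatched(f"{method} {url}")
    if len(hits) > 1:
        raise MultipleRulesMatched(", ".join(r.id for r in hits))
    return hits[0]


def match_by_priority(rules: List[Rule], method: str, url: str) -> Rule:
    """Alternative proposed in the issue: overlapping matches are allowed and
    the highest priority wins; an exact tie is still reported as ambiguous."""
    hits = sorted(matching_rules(rules, method, url),
                  key=lambda r: r.priority, reverse=True)
    if not hits:
        raise NoRuleMatched(f"{method} {url}")
    if len(hits) > 1 and hits[0].priority == hits[1].priority:
        raise MultipleRulesMatched(", ".join(r.id for r in hits))
    return hits[0]


def decide(rules: List[Rule], method: str, url: str, strategy=match_exactly_one) -> str:
    """Summarise the outcome as a string so the cases are easy to compare."""
    try:
        return "rule:" + strategy(rules, method, url).id
    except NoRuleMatched:
        return "no-rule"        # what the reporter sees surfaced as a 404
    except MultipleRulesMatched:
        return "ambiguous"


# Constructed rule set (hypothetical ids and hosts).
OPTIONS_RULE = Rule("allow-options-everywhere", "<https>://<.*>", ["OPTIONS"])
FOO_RULE = Rule("foo-service", "https://api.internal/foo", ["GET"], priority=10)
DEFAULT_RULE = Rule("default-deny", "<.*>", ["GET", "POST"], priority=0)

RULES_WITHOUT_DEFAULT = [OPTIONS_RULE, FOO_RULE]
RULES_WITH_DEFAULT = [OPTIONS_RULE, FOO_RULE, DEFAULT_RULE]

if __name__ == "__main__":
    print(decide(RULES_WITHOUT_DEFAULT, "GET", "https://api.internal/bar"))
    print(decide(RULES_WITH_DEFAULT, "GET", "https://api.internal/foo"))
    print(decide(RULES_WITH_DEFAULT, "GET", "https://api.internal/foo", match_by_priority))
    print(decide(RULES_WITH_DEFAULT, "OPTIONS", "http://svc.internal/x"))
```

Two things the model makes visible: under exactly-one semantics the unmatched GET yields "no-rule" (the 404 in the report), and adding the `<.*>` default turns every request that also hits a specific rule into "ambiguous", which is why priorities are needed before a catch-all is usable. It also shows that `<https>://<.*>` does not cover plain `http://` URLs, since the `https` group is a regex that only matches that text.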