oathkeeper
Multiple authenticators in oathkeeper
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] This issue affects my Ory Cloud project.
- [ ] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
We are trying to authorize a request either based on the Authorization header, or based on the cookie (ory_session_XXX) from Ory Cloud.
The authentication via Authorization header already works, but cookie_session is giving us issues, as all requests end up in:
```json
{"error":{"code":401,"status":"Unauthorized","message":"Access credentials are invalid"}}
```
Reproducing the bug
Here is my oathkeeper configuration:
```yaml
authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  cookie_session:
    enabled: true
    config:
      check_session_url: https://custom.domain/sessions/whoami
      preserve_path: true
      # extra_from: '@this'
      subject_from: '@this.identity.traits.username'
      # only:
      #   - ory_kratos_session
      #   - ory_session_keenmeninskyblk98bepad
  bearer_token:
    enabled: true
    config:
      check_session_url: https://custom.domain/sessions/whoami
      preserve_path: true
      # extra_from: '@this'
      subject_from: '@this.identity.traits.username'
      token_from:
        header: Authorization
  noop:
    enabled: true
```
Then we have rules in place (for our API):
```yaml
- id: ory:protected-api
  upstream:
    preserve_host: false
    url: https://api.internal-host
  match:
    url: https://api.public-host/v2/<{,apps,apps/**,certs,certs/**,keys/**,users,admin/**,auth/whoami/}>
    methods:
      - GET
      - POST
      - DELETE
  authenticators:
    - handler: bearer_token
    - handler: cookie_session
  authorizer:
    handler: allow
  mutators:
    - handler: header
  errors:
    - handler: json
```
I also tested this against the domain /session/whoami — it works (in the browser). I am logged in, etc.
Relevant log output
```
time=2022-06-23T12:03:36Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 accept-encoding:gzip, deflate, br accept-language:en-GB,en-US;q=0.9,en;q=0.8,de;q=0.7 cache-control:no-cache cookie:csrf_token_XXX=redacted; csrf_token_XXX=redacted; ory_session_XXX=redacted user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36 x-forwarded-for:a.b.c.d x-forwarded-proto:https] host:api.public-host method:GET path:/v2/apps query:<nil> remote:10.0.0.4:44420 scheme:http]
time=2022-06-23T12:03:36Z level=warning msg=No authentication handler was responsible for handling the authentication request audience=application error=map[debug: message:Access credentials are invalid reason: status:Unauthorized status_code:401] granted=false http_host=api.public-host http_method=GET http_url=https://api.public-host/v2/apps http_user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36 reason_id=authentication_handler_no_match rule_id=ory:protected-api service_name=ORY Oathkeeper service_version=v0.38.19-beta.1-18-g73f455b
time=2022-06-23T12:03:36Z level=warning msg=Access request denied audience=application error=map[debug: message:Access credentials are invalid reason: status:Unauthorized status_code:401] granted=false http_host=api.public-domain http_method=GET http_url=https://api.public-domain/v2/apps http_user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36 service_name=ORY Oathkeeper service_version=v0.38.19-beta.1-18-g73f455b
time=2022-06-23T12:03:36Z level=error msg=An error occurred while handling a request code=401 debug= details=map[] error=Access credentials are invalid reason= request-id= status=401 writer=JSON
```
Relevant configuration
No response
Version
v0.38.19-beta.1-18-g73f455b
On which operating system are you observing this issue?
Ory Cloud
In which environment are you deploying?
Ory Cloud
Additional Context
On our custom domain (which points to ory cloud), I can check if I am logged in and it works. It responds with the following:
```json
{"id":"XXX","active":true,"expires_at":"2022-07-07T11:44:13.421165Z","authenticated_at":"2022-06-23T11:44:13.421165Z","authenticator_assurance_level":"aal1","authentication_methods":[{"method":"password","aal":"aal1","completed_at":"2022-06-23T11:44:13.421159708Z"}],"issued_at":"2022-06-23T11:44:13.421165Z","identity":{"id":"XXX","schema_id":"861170f00f38e5f1e6c6c72c6bd30142f2560b111bb40b86c4206aad4afa48ee2e628913b990356dc46b21c624e6611887d4ded353eebb3c2b0fe503e0fe2179","schema_url":"https://custom-dmain/schemas/ODYxMTcwZjAwZjM4ZTVmMWU2YzZjNzJjNmJkMzAxNDJmMjU2MGIxMTFiYjQwYjg2YzQyMDZhYWQ0YWZhNDhlZTJlNjI4OTEzYjk5MDM1NmRjNDZiMjFjNjI0ZTY2MTE4ODdkNGRlZDM1M2VlYmIzYzJiMGZlNTAzZTBmZTIxNzk","state":"active","state_changed_at":"2022-02-18T15:33:17.738463Z","traits":{"email":"YYY","name":{"first":"Till","last":""},"username":"till"},"verifiable_addresses":[{"id":"f4915db2-8d21-4108-8061-c4bba14b2a0c","value":"YYY","verified":true,"via":"email","status":"completed","verified_at":"2022-05-12T15:56:56.262091Z","created_at":"2022-02-18T15:33:17.760236Z","updated_at":"2022-05-12T15:57:06.924588Z"}],"recovery_addresses":[{"id":"83bf8650-455a-49c3-8ed9-b25a14fa01fb","value":"YYY","via":"email","created_at":"2022-02-18T15:33:17.778398Z","updated_at":"2022-05-12T15:57:06.931455Z"}],"metadata_public":null,"created_at":"2022-02-18T15:33:17.752954Z","updated_at":"2022-02-18T15:33:17.752954Z"}}
```
Cookies seem to be shared, we point auth.some-domain.etc to you and the cookies are all set for .some-domain.etc. Nothing obvious. I am running oathkeeper with TRACE, but there is nothing that pops up yet.
It seems like I am hitting this error: https://github.com/ory/oathkeeper/blob/bfde9dfc6ef71762ab25289a0afbe6793899f312/proxy/request_handler.go#L252-L260
But why wouldn't the cookie_session handler match?
I added a log statement to the loop to figure out if maybe the "not responsible error" would have more details, re-deployed oathkeeper and it started working again. I'll keep an eye on it if it comes up again.
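The cookie_session flow that both the Ory Cloud setup above and the rule rely on, as an added, simplified model that is not part of this issue or of oathkeeper's own code: the request's cookies (narrowed by `only` when set) are forwarded to `check_session_url`, a configured `only` list with no matching cookie leaves the handler not responsible, and `subject_from` is resolved against the JSON response. The whoami endpoint (`fake_whoami`), the session payload and the Cookie header are constructed stand-ins shaped like the values quoted in this issue.

```python
# Constructed session payload, trimmed from the whoami response quoted in the issue.
SAMPLE_WHOAMI = {
    "id": "XXX", "active": True,
    "identity": {"id": "XXX", "traits": {"email": "YYY", "username": "till"}},
}
# Constructed Cookie header shaped like the one in the oathkeeper log above.
LOG_COOKIE = "csrf_token_XXX=redacted; ory_session_XXX=redacted"


def parse_cookies(cookie_header):
    """Split a Cookie header into a name -> value dict (later duplicates win)."""
    pairs = (c.strip().partition("=") for c in cookie_header.split(";") if "=" in c)
    return {name.strip(): value for name, _, value in pairs}


def resolve_path(doc, path):
    """Walk a dotted GJSON-style path; a leading '@this' refers to the whole document."""
    if path.startswith("@this"):
        path = path[len("@this"):].lstrip(".")
    node = doc
    for key in filter(None, path.split(".")):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def fake_whoami(cookies):
    """Constructed stand-in for check_session_url: only an ory_session_* cookie is valid."""
    if any(name.startswith("ory_session_") for name in cookies):
        return 200, SAMPLE_WHOAMI
    return 401, {"error": {"code": 401, "status": "Unauthorized"}}


def cookie_session(cookie_header, fetch=fake_whoami, only=None, subject_from="identity.id"):
    """Simplified cookie_session authenticator; returns (subject, outcome)."""
    cookies = parse_cookies(cookie_header)
    if only is not None:
        cookies = {k: v for k, v in cookies.items() if k in only}
        if not cookies:
            # None of the `only` cookies is present: the handler is not responsible,
            # the outcome behind the "No authentication handler was responsible" warning.
            return None, "not_responsible"
    status, body = fetch(cookies)
    if status != 200:
        return None, f"session_check_failed:{status}"
    subject = resolve_path(body, subject_from)
    if not subject:
        return None, f"subject_missing:{subject_from}"
    return str(subject), "ok"
```

Running `cookie_session(LOG_COOKIE, only=["ory_kratos_session"])` shows how an `only` list naming a cookie the browser never sends (Ory Cloud sets ory_session_XXX, not ory_kratos_session) makes the handler step aside even though a valid session cookie is present.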
I hit this issue with oathkeeper v0.40.0 and kratos v0.11.0 today. In my case, there's an issue with redirects and an external proxy.
My setup works perfectly on my localhost, but fails with this on the cloud deployment.
The cloud deployment implements https termination and reverse proxy with header forwarding.
```
[cors] 2022/12/12 14:21:32 Handler: Actual request
[cors] 2022/12/12 14:21:32 Actual request no headers added: missing origin
time=2022-12-12T14:21:32Z level=warning msg=No authentication handler was responsible for handling the authentication request audience=application error=map[debug: message:Access credentials are invalid reason: stack_trace:
```
Rule:
```yaml
- id: app-protected
  version: v0.40.0
  upstream:
    url: http://ddev:9000
  match:
    url: http://<iam|localhost>:8000/art/<.*>
    methods:
      - GET
      - POST
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: allow
  mutators:
    - handler: header
  errors:
    - handler: redirect
      config:
        to: https://<id-host>/login?return_to=https://<app-host>/art/home
```
Oathkeeper.yml
```yaml
authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  cookie_session:
    enabled: true
    config:
      check_session_url: https://<id-host>/api/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session
errors:
  fallback:
    - json
  handlers:
    redirect:
      enabled: true
      config:
        to: https://<id-host>/login?return_to=https://<app-host>/art/home
        when:
          - error:
              - unauthorized
              - forbidden
            request:
              header:
                accept:
                  - text/html
    json:
      enabled: true
      config:
        verbose: true
```