Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow/deny remote(_json) authorizers depending response content #1125

Open
5 of 6 tasks
David-Wobrock opened this issue Jul 28, 2023 · 0 comments
Open
5 of 6 tasks

Allow/deny remote(_json) authorizers depending response content #1125

David-Wobrock opened this issue Jul 28, 2023 · 0 comments
Labels
feat New feature or request.

Comments

@David-Wobrock
Copy link
Contributor

David-Wobrock commented Jul 28, 2023
edited

Preflight checklist

Describe your problem

We've set up Oathkeeper to query OPA for authorization through a remote_json handler.

To allow or deny a request, Oathkeeper requires the remote to return the correct HTTP code.

The remote authorizer is expected to return either "200 OK" or "403 Forbidden" to allow/deny access.

Source: https://www.ory.sh/docs/oathkeeper/pipeline/authz#remote_json-configuration

However, evaluating rules in OPA will always return 200 (if the rule evaluation itself worked), but the content of the response will contain the result of the evaluation.
Therefore it's in the response body that we have a JSON containing a key with a boolean.

Describe your ideal solution

One solution would be to specify in the authorization handler configuration the JSON path to follow in the response body that should contain a boolean value.
If it's set, then we can ignore the HTTP response code for allow/deny, but rather use the value of this boolean.

The handler could raise an error if the response is not JSON, the path does not exist, or the value found is not a boolean 🙂

I'm not sure how to configure the JSON path, it could use the jq syntax.

For instance:

        remote_json:
          enabled: true
          config:
            remote: http://127.0.0.1:4242/opa-proxy
            payload: |
              {
                "input": {
                  "sub": "{{ print .Subject }}",
                  "http": {
                    "url": "{{ print .MatchContext.URL }}",
                    "method": "{{ print .MatchContext.Method }}"
                  }
                }
              }
            json_response_path: ".result"

Which would extract the boolean from a JSON response body:

{
  "result": true
}

Workarounds or alternatives

Our current workaround is to have a tiny proxy service between Oathkeeper and OPA.
It forwards requests from Oathkeeper to OPA, and returns the expected HTTP code to Oathkeeper depending on the OPA response body.

It works, but it would be great if Oathkeeper could talk directly to OPA.

Version

v0.40.6

Additional Context

Once the design is validated, we would be able to give some time to implement the feature if necessary :)

On a side note, it was also discussed on OPA side if this couldn't be handled by OPA directly: open-policy-agent/opa#3539. But the discussions point to an OPA plugin/contrib which was never implemented I reckon.
@David-Wobrock David-Wobrock added the feat New feature or request. label Jul 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feat New feature or request.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@David-Wobrock