A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
However, evaluating rules in OPA will always return 200 (if the rule evaluation itself worked), but the content of the response will contain the result of the evaluation.
Therefore it's in the response body that we have a JSON containing a key with a boolean.
Describe your ideal solution
One solution would be to specify in the authorization handler configuration the JSON path to follow in the response body that should contain a boolean value.
If it's set, then we can ignore the HTTP response code for allow/deny, but rather use the value of this boolean.
The handler could raise an error if the response is not JSON, the path does not exist, or the value found is not a boolean 🙂
I'm not sure how to configure the JSON path, it could use the jq syntax.
Which would extract the boolean from a JSON response body:
{
"result": true
}
Workarounds or alternatives
Our current workaround is to have a tiny proxy service between Oathkeeper and OPA.
It forwards requests from Oathkeeper to OPA, and returns the expected HTTP code to Oathkeeper depending on the OPA response body.
It works, but it would be great if Oathkeeper could talk directly to OPA.
Version
v0.40.6
Additional Context
Once the design is validated, we would be able to give some time to implement the feature if necessary :)
On a side note, it was also discussed on OPA side if this couldn't be handled by OPA directly: https://github.com/open-policy-agent/opa/issues/3539. But the discussions point to an OPA plugin/contrib which was never implemented I reckon.
Preflight checklist
Describe your problem
We've set up Oathkeeper to query OPA for authorization through a
remote_jsonhandler.To allow or deny a request, Oathkeeper requires the remote to return the correct HTTP code.
Source: https://www.ory.sh/docs/oathkeeper/pipeline/authz#remote_json-configuration
However, evaluating rules in OPA will always return 200 (if the rule evaluation itself worked), but the content of the response will contain the result of the evaluation. Therefore it's in the response body that we have a JSON containing a key with a boolean.
Describe your ideal solution
One solution would be to specify in the authorization handler configuration the JSON path to follow in the response body that should contain a boolean value. If it's set, then we can ignore the HTTP response code for allow/deny, but rather use the value of this boolean.
The handler could raise an error if the response is not JSON, the path does not exist, or the value found is not a boolean 🙂
I'm not sure how to configure the JSON path, it could use the jq syntax.
For instance:
Which would extract the boolean from a JSON response body:
Workarounds or alternatives
Our current workaround is to have a tiny proxy service between Oathkeeper and OPA. It forwards requests from Oathkeeper to OPA, and returns the expected HTTP code to Oathkeeper depending on the OPA response body.
It works, but it would be great if Oathkeeper could talk directly to OPA.
Version
v0.40.6
Additional Context
Once the design is validated, we would be able to give some time to implement the feature if necessary :)
On a side note, it was also discussed on OPA side if this couldn't be handled by OPA directly: https://github.com/open-policy-agent/opa/issues/3539. But the discussions point to an OPA plugin/contrib which was never implemented I reckon.