Closed marcinfigiel closed 11 months ago
Have you tried the `introspection_request_headers` config option?
We've just tried that approach and it works!
We just had to figure out how to inject the API key from our Bitbucket Pipelines variables into Oathkeeper configuration, which expects it to be an object, but we made it.
For future reference, in case someone else has the same problem: you pass the value by helm's `--set-json` parameter and escape the internal quotes, e.g.:
helm install ... --set-json oathkeeper.config.authenticators.oauth2_introspection.config.introspection_request_headers="{\"Authorization\": \"Bearer ${API_KEY}\"}"
Variable interpolation requires the external quotes to be ", that's why we must escape the internal ones.
Thanks for your help @alnr! Closing the ticket now :)
Describe your problem
We are trying to migrate our project from self-hosted to managed Hydra, but it seems it's currently impossible due to a missing feature in the Oathkeeper `oauth2_introspection` authenticator. Our auth flow includes Oathkeeper running as a sidecar to our API gateway, which authenticates requests using the `oauth2_introspection` authenticator. It works perfectly fine in a self-hosted environment, but in the case of managed Hydra the `/introspect` endpoint is an administrative one (which makes sense), so it requires authorization. The way to authorize such requests is with an API key, but it's impossible to configure Oathkeeper to use one. There is a `pre_authorization` configuration section, but it only allows specifying client credentials, not an API key.
Describe your ideal solution
Refactor the `pre_authorization` section of the `oauth2_introspection` authenticator so it allows either client credentials or an API key as a way to authorize the requests to the introspection endpoint.
Workarounds or alternatives
A way to work around this would be to implement a simple proxy service working in between Oathkeeper and managed Hydra and use it to inject the bearer token. It introduces an additional hop though, which would increase latency. Besides that, the API key functionality seems like an obvious option which should be available in Oathkeeper, especially as Ory offers a managed Hydra.
Version
0.39.4
Additional Context
No response
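The two ways of authorizing the introspection call discussed in this thread, written out as a Helm values fragment for the Oathkeeper chart. This is an added example, not configuration from the issue or from the Ory project; the hostnames, client id and the `<API_KEY>` value are placeholders.

```yaml
# Added example (not from the issue): values.yaml fragment for the Oathkeeper Helm chart.
# The key path below is the same one the --set-json command in the thread targets.
oathkeeper:
  config:
    authenticators:
      oauth2_introspection:
        enabled: true
        config:
          # Placeholder: the admin introspection endpoint of your managed Hydra project.
          introspection_url: https://hydra-admin.example.invalid/admin/oauth2/introspect
          scope_strategy: exact

          # Option A: client credentials. This is the only thing pre_authorization
          # supports, which is why it does not help against an API-key-protected endpoint.
          # Left disabled here; shown for comparison only.
          pre_authorization:
            enabled: false
            client_id: oathkeeper-introspector        # placeholder
            client_secret: "<CLIENT_SECRET>"          # placeholder
            token_url: https://hydra-admin.example.invalid/oauth2/token
            scope:
              - introspect

          # Option B: static API key sent with every introspection request.
          # This is the approach that resolved the issue. Do not commit the real value
          # in values.yaml; override this single key at install time with --set-json,
          # exactly as the command in the thread does.
          introspection_request_headers:
            Authorization: "Bearer <API_KEY>"         # placeholder, overridden at install
```

Helm stores the values of every release, including ones passed with --set-json, in a Secret in the release namespace, so the API key is only as protected as read access to that namespace. Rotate the key by re-running the install/upgrade with the new value rather than editing the rendered ConfigMap by hand.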