A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
I have an access rule aiming to enforce JWT audience to match the requested domain. However .MatchContext.RegexpCaptureGroups reference, defined in the audience field, didn’t render (cause of the error) and get printed out literally in the log.
reference the match group in JWT authenticator config - e.g. audience
make a request to oathkeeper
observe errors in logs due to .MatchContext.RegexpCaptureGroups being treated as string literally
Relevant log output
"reason": "id=\nrid=\nerror=The request could not be authorized\nreason=Token audience [https://my.domain.com] is not intended for target audience {{ printIndex .MatchContext.RegexpCaptureGroups 0 }}://{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}
Preflight checklist
Ory Network Project
https://naughty-tesla-4oqisau3a4.projects.oryapis.com
Describe the bug
I have an access rule aiming to enforce JWT audience to match the requested domain. However .MatchContext.RegexpCaptureGroups reference, defined in the audience field, didn’t render (cause of the error) and get printed out literally in the log.
{ "id": "protected_resources", "version": "v0.40.6", "match": { "url": "<http|https>://<.*>/<playground|query|anything/header>", "methods": [ "GET", "POST" ] }, "authenticators": [ { "handler": "jwt", "config": { "target_audience": [ "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}://{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}" ] } } ],
Reproducing the bug
Relevant log output
Relevant configuration
Version
v0.40.6
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
No response