ory / oathkeeper

A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0

oathkeeper Authorizers handler cannot receive values from the AuthenticationSession Header #512

Closed wangxulong closed 3 years ago

wangxulong commented 4 years ago

```json
"authorizer": {
  "handler": "remote_json",
  "config": {
    "remote": "http://192.168.124.18:4000/authz/permission/allow",
    "payload": "{\"subject\": \"{{ print .Subject }}\", \"url\": \"{{ print .MatchContext.URL}}\",\"clientId\": \"{{ print .Extra.client_id }}\",\"method\": \"{{ print .Header }}\" }"
  }
},
```

In the payload, `subject`, `url` and `clientId` are OK, but the `method` value taken from `Header` is empty.

aeneasr commented 4 years ago

Thank you for contributing to this repository by creating an issue!

Unfortunately, your issue lacks vital information, such as log files, the error message, the software version, your configuration or other pieces of the puzzle.

Please also ensure that your issue is appropriately formatted. If you do not know how to write markdown, you can find help here.

Helping you with your problem is only possible if you share this information, and it will save a lot of time of back and forth on your as well as our end!

For this reason, this repository uses issue templates which you can select when pressing "New issue". Please use one of those issue templates to fill in the required information. You can either create a new issue for this purpose and close this one, or leave a comment.

Do not edit the original post as we will not be notified when you do so.

If you do not provide the requested information, this issue will be closed.

github-actions[bot] commented 4 years ago

Thank you for opening this issue. It appears that the request for more information (e.g. providing the software version, providing logs, ...) has not yet been completed. Therefore this issue will be automatically closed in 7 days, assuming that the issue has been resolved.

k9ert commented 3 years ago

I can reproduce the issue:

```
Version:    v0.38.6-beta.1
Git Hash:   a0c4d7fc46151000b4ae9db5a958b94611c9cd58
Build Time: 2021-01-27T09:26:59Z
```

The oathkeeper config looks like this:

```yaml
serve:
  proxy:
    port: 4455 # run the proxy at port 4455
  api:
    port: 4456 # run the api at port 4456

access_rules:
  repositories:
    - file://./rules_authorizer-remote-json.yaml

errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        verbose: true
    redirect:
      enabled: true
      config:
        to: https://www.ory.sh/docs

mutators:
  noop:
    enabled: true

authorizers:
  remote_json:
    enabled: true
    config:
      remote: http://localhost:5000/oathkeeper_authorizer/remote_json
      payload: |
        {
          "subject": "{{ print .Subject }}",
          "url": "{{ print .MatchContext.URL}}",
          "clientId": "{{ print .Extra.client_id }}",
          "header": "{{ print .Header }}"
        }

authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  noop:
    enabled: true
```

This is the application:

```python
from flask import Flask, request

app = Flask(__name__)


@app.route('/test/oathkeeper_authorizer/remote_json')
def test_oathkeeper_authorizer_remote_json():
    ''' This endpoint is just here to test the remote_json oathkeeper authorizer '''
    return "If you can access this content via port 4455, remote_json authorizer might work", 200


@app.route('/oathkeeper_authorizer/remote_json', methods=['POST'])
def oathkeeper_authorizer_remote_json():
    ''' This endpoint is a mock endpoint in order to test the remote_json authorizer in oathkeeper.
        Simply dumps the payload and returns 200
    '''
    print(request.json)
    # gives an output like this:
    # {
    #   'subject': '',
    #   'url': 'http://127.0.0.1:4455/test/oathkeeper_authorizer/remote_json',
    #   'clientId': '',
    #   'method': 'map[]'
    # }
    return "ok", 200


@app.route('/dead/end')
def dead_end():
    return "this is a dead end!", 200


if __name__ == "__main__":
    # With oathkeeper in front: Flask listens on its default port 5000, the proxy on 4455
    app.run(debug=True)
    # Without oathkeeper, taking over the original oathkeeper port instead:
    # app.run(debug=True, port=4455)
```

As I've removed kratos in this example, it's fine that subject and probably clientId are empty, but header should be filled. I've explicitly tested it like this:

```shell
curl 127.0.0.1:4455/test/oathkeeper_authorizer/remote_json -H "Bla:Blub"
```

`Bla:Blub` should be in `{{ print .Header }}` ... right?!

schreddies commented 3 years ago

@k9ert That's my understanding as well. I've checked it too, and when trying to use `{{ print .Header }}` in all possible authorisers and mutators, it does not work. Calling the remote_json authorizer with a config like this:

```yaml
    enabled: true
    config:
      remote: http://192.168.0.241:8001/authz
      payload: |
        {
          "one": "{{ print .Subject }}",
          "two":"{{ print .Header }}"
        }
```

gives the following result:

```http
POST /whatever HTTP/1.1
Host: <redacted>
User-Agent: Go-http-client/1.1
Content-Length: 
Content-Type: application/json
Accept-Encoding: gzip

{
  "one": "anonymous",
  "two":""
}
```

aeneasr commented 3 years ago

Hm, I think header is a map string interface, so maybe you have to do some printf?

k9ert commented 3 years ago

I did something like this:

```
"header2": "{{ printf "%#v" .Header  }}"
```

receiving:

```
'header2': 'http.Header(nil)'
```

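The two outputs seen in this thread, `map[]` from `{{ print .Header }}` in the Flask mock and `http.Header(nil)` from `{{ printf "%#v" .Header }}`, are exactly what Go's `text/template` produces when the `Header` field of the session is a nil `http.Header`, i.e. the request headers were never copied into it. The program below is an added example, not code from the original post or from the oathkeeper project: it renders the same template expressions against a stand-in `Session` struct that only mirrors the fields the payload templates above reference (`.Subject`, `.Extra`, `.Header`, `.MatchContext.URL`); the `toJSON` helper, the struct name and the sample header values are assumptions made for this example. It also shows the two forms a practitioner would actually want once the header is populated: `.Header.Get "Bla"` for a single value and a JSON rendering of the whole map, since `print` emits Go map syntax rather than JSON.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"text/template"
)

// Session is a stand-in for the proxy's authentication session. It carries only
// the fields the payload templates in this thread reference; it is not the
// project's own type, and any other detail of it is an assumption.
type Session struct {
	Subject      string
	Extra        map[string]interface{}
	Header       http.Header
	MatchContext MatchContext
}

// MatchContext holds the matched request URL (used as .MatchContext.URL above).
type MatchContext struct {
	URL *url.URL
}

// Render executes a payload template against the session with text/template.
// toJSON is a hypothetical helper registered for this example so the header map
// can be emitted as JSON; it is not a function the proxy is known to provide.
func Render(tmpl string, s Session) (string, error) {
	t, err := template.New("payload").Funcs(template.FuncMap{
		"toJSON": func(v interface{}) (string, error) {
			b, err := json.Marshal(v)
			return string(b), err
		},
	}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// MustRender panics on template errors; convenient for the demo below.
func MustRender(tmpl string, s Session) string {
	out, err := Render(tmpl, s)
	if err != nil {
		panic(err)
	}
	return out
}

// EmptySession reproduces what the thread observed: Header was never
// populated, so it is a nil http.Header.
func EmptySession() Session {
	return Session{Subject: "guest"}
}

// PopulatedSession is what the thread expected after `curl ... -H "Bla:Blub"`:
// the request header copied into the session. Values are constructed.
func PopulatedSession() Session {
	u, _ := url.Parse("http://127.0.0.1:4455/test/oathkeeper_authorizer/remote_json")
	h := http.Header{}
	h.Set("Bla", "Blub")
	return Session{
		Subject:      "guest",
		Extra:        map[string]interface{}{"client_id": "example-client"},
		Header:       h,
		MatchContext: MatchContext{URL: u},
	}
}

// ThreadPayload is the issue's payload template with the header emitted as a
// JSON object through toJSON instead of a Go-formatted string.
const ThreadPayload = `{
  "subject": "{{ print .Subject }}",
  "url": "{{ print .MatchContext.URL }}",
  "clientId": "{{ print .Extra.client_id }}",
  "header": {{ .Header | toJSON }}
}`

func main() {
	for _, tmpl := range []string{
		`{{ print .Header }}`,
		`{{ printf "%#v" .Header }}`,
		`{{ .Header.Get "Bla" }}`,
		`{{ .Header | toJSON }}`,
	} {
		fmt.Printf("%-28s nil header: %-20q populated: %q\n",
			tmpl, MustRender(tmpl, EmptySession()), MustRender(tmpl, PopulatedSession()))
	}
	fmt.Println(MustRender(ThreadPayload, PopulatedSession()))
}
```

Two points worth keeping in mind when writing such payloads: `.Header.Get "Bla"` works because text/template can call value-receiver methods on `http.Header`, and it returns `""` rather than failing on a nil map, so an empty value does not by itself tell you whether the header was missing from the request or never copied into the session; and the header map should be emitted as JSON (here via the example's `toJSON`) if the remote authorizer is expected to parse it, because `{{ print .Header }}` only yields a human-readable `map[Bla:[Blub]]` string.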
github-actions[bot] commented 3 years ago

Thank you for opening this issue. It appears that the request for more information (e.g. providing the software version, providing logs, ...) has not yet been completed. Therefore this issue will be automatically closed in 7 days, assuming that the issue has been resolved.

aeneasr commented 3 years ago

https://github.com/ory/oathkeeper/pull/718#pullrequestreview-651927273