Closed wangxulong closed 3 years ago
Thank you for contributing to this repository by creating an issue!
Unfortunately, your issue lacks vital information, such as log files, the error message, the software version, your configuration or other pieces of the puzzle.
Please also ensure that your issue is appropriately formatted. If you do not know how to write markdown, you can find help here.
Helping you with your problem is only possible if you share this information, and it will save a lot of time of back and forth on your as well as our end!
For this reason, this repository uses issue templates which you can select when pressing "New issue". Please use one of those issue templates to fill in the required information. You can either create a new issue for this purpose and close this one, or leave a comment.
Do not edit the original post as we will not be notified when you do so.
If you do not provide the requested information, this issue will be closed.
Thank you for opening this issue. It appears that the request for more information (e.g. providing the software version, providing logs, ...) has not yet been completed. Therefore this issue will be automatically closed in 7 days, assuming that the issue has been resolved.
I can reproduce the issue:
Version: v0.38.6-beta.1
Git Hash: a0c4d7fc46151000b4ae9db5a958b94611c9cd58
Build Time: 2021-01-27T09:26:59Z
oathkeeper config like this:
```yaml
serve:
  proxy:
    port: 4455 # run the proxy at port 4455
  api:
    port: 4456 # run the api at port 4456
access_rules:
  repositories:
    - file://./rules_authorizer-remote-json.yaml
errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        verbose: true
    redirect:
      enabled: true
      config:
        to: https://www.ory.sh/docs
mutators:
  noop:
    enabled: true
authorizers:
  remote_json:
    enabled: true
    config:
      remote: http://localhost:5000/oathkeeper_authorizer/remote_json
      payload: |
        {
          "subject": "{{ print .Subject }}",
          "url": "{{ print .MatchContext.URL}}",
          "clientId": "{{ print .Extra.client_id }}",
          "header": "{{ print .Header }}"
        }
authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  noop:
    enabled: true
```
This is the application:
```python
from flask import Flask, request, redirect, render_template, make_response, Response, url_for
import requests
#from flask_wtf.csrf import CSRFProtect
import json

app = Flask(__name__)


@app.route('/test/oathkeeper_authorizer/remote_json')
def test_oathkeeper_authorizer_remote_json():
    ''' This endpoint is just here to test the remote_json oathkeeper authorizer '''
    return "If you can access this content via port 4455, remote_json authorizer might work", 200


@app.route('/oathkeeper_authorizer/remote_json', methods=['POST'])
def oathkeeper_authorizer_remote_json():
    ''' This endpoint is a mock-endpoint in order to test the remote_json authorizer in oathkeeper
        Simply dumps the payload and returns 200
    '''
    print(request.json)
    # gives an output like this:
    # {
    #   'subject': '',
    #   'url': 'http://127.0.0.1:4455/test/oathkeeper_authorizer/remote_json',
    #   'clientId': '',
    #   'method': 'map[]'
    # }
    return "ok", 200


@app.route('/dead/end')
def dead_end():
    return "this is a dead end!", 200


if __name__ == "__main__":
    # With oathkeeper
    app.run(debug=True)
    # Without Oathkeeper taking over the original oathkeeper-port
    # (use instead of the call above; app.run() blocks, so only one call can be active)
    # app.run(debug=True, port=4455)
```
As I've removed kratos here in this example it's fine that subject and probably clientID is empty but header should be filled. I've explicitly tested like this:
```
curl 127.0.0.1:4455/test/oathkeeper_authorizer/remote_json -H "Bla:Blub"
```

`Bla:Blub` should be in `{{ print .Header }}` ... right?!
@k9ert That's my understanding as well. I've checked it as well, and when trying to use the `{{print . Header}}` in all possible authorisers, and mutators, it does not work. Calling the authorizer `remote_json` with config like that:

```yaml
enabled: true
config:
  remote: http://192.168.0.241:8001/authz
  payload: |
    {
      "one": "{{ print .Subject }}",
      "two":"{{ print .Header }}"
    }
```
Gives following results:
```
POST /whatever HTTP/1.1
Host: <redacted>
User-Agent: Go-http-client/1.1
Content-Length:
Content-Type: application/json
Accept-Encoding: gzip
{
"one": "anonymous",
"two":""
}
```
Hm, I think header is a map string interface, so maybe you have to do some printf?
I did something like this:

```
"header2": "{{ printf "%#v" .Header }}"
```

receiving:

```
'header2': 'http.Header(nil)'
```
Thank you for opening this issue. It appears that the request for more information (e.g. providing the software version, providing logs, ...) has not yet been completed. Therefore this issue will be automatically closed in 7 days, assuming that the issue has been resolved.
```json
"authorizer": {
  "handler": "remote_json",
  "config": {
    "remote": "http://192.168.124.18:4000/authz/permission/allow",
    "payload": "{\"subject\": \"{{ print .Subject }}\", \"url\": \"{{ print .MatchContext.URL}}\",\"clientId\": \"{{ print .Extra.client_id }}\",\"method\": \"{{ print .Header }}\" }"
  }
},
```
payload: subject, url, clientId is ok, but the method value from Header is empty.
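
An added example (not part of the thread and not Oathkeeper's own code): a stand-alone Go `text/template` run that reproduces the `map[]` and `http.Header(nil)` values reported above when the `Header` field handed to the template was never populated, and shows what the same templates emit once it is. The `session` struct and the `toJSON` helper are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"text/template"
)

// session is a constructed stand-in for the value handed to the payload template.
type session struct {
	Subject string
	Header  http.Header
}

// toJSON is a hypothetical helper registered for this example only.
func toJSON(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	return string(b), err
}

// render executes one payload template against one session.
func render(tmpl string, s session) (string, error) {
	t, err := template.New("payload").Funcs(template.FuncMap{"toJSON": toJSON}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, s)
	return buf.String(), err
}

const (
	printTmpl = `{"header": "{{ print .Header }}"}`         // payload style from the thread
	probeTmpl = `{"header2": "{{ printf "%#v" .Header }}"}` // debugging probe from the thread
	jsonTmpl  = `{"header": {{ toJSON .Header }}}`          // encode the map instead of printing it
)

func main() {
	unset := session{Subject: "guest"} // Header never populated (nil map)
	set := session{Subject: "guest", Header: http.Header{"Bla": {"Blub"}}}
	for _, tmpl := range []string{printTmpl, probeTmpl, jsonTmpl} {
		for _, s := range []session{unset, set} {
			out, err := render(tmpl, s)
			fmt.Printf("%-52s valid JSON: %-5v err: %v\n", out, json.Valid([]byte(out)), err)
		}
	}
}
```

`http.Header(nil)` means the field was nil when the template ran, so the template syntax is not what drops the `Bla` header. The `%#v` probe also stops being valid JSON as soon as the map has entries, which is why the encoded form is the one to keep in a payload.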