Endpoint rules with oathkeeper

[Sasha32003]

Hi guys,

I apologize if this was asked before and I did spend some 3 days on your docs and demos - everything works, except I can't understand how do I define endpoint access rules outside of auth.

So I've got auth with auth0 and I configured jwt handler just to verify the token. And now I want those authenticated endpoints to also have additional rules for some of them only for some users to be able to use / execute. So what would the rule look like if a user john from group admins is allowed to view http://localhost:3000/my-service/cat-videos (assuming they are already authenticated) ?

Or do I need keto package for that as well ?

[vinckr]

Hello @Sasha32003
I transferred this to ory/oathkeeper, since it seems to be a question specific to selfhosted Ory Oathkeeper.

I am not entirely sure if you can add this functionality just with Oathkeeper alone, but Ory Keto is the right project for more complex authorization rules - and I think it makes sense to have a separate service for this.
pinging @gen1us2k for comment, he has more oathkeeper experience 😉

[Sasha32003]

Cool, thanks @vinckr

I'm thinking the same, but just want to make sure not to overdevelop this thing. And @gen1us2k opinion will be much appreciated.
Oh and just to clarify - oathkeeper alone currently serves no purpose because auth is handled by auth0 in this case does it make sense and possible at all to JUST have keto manage rest / more complex authorization ?

Thanks a million!

[gen1us2k]

Hello. Unfortunately, you can't achieve this by using Oathkeeper only. You need to use Keto+Oathkeeper setup for your case. Keto handles access control and oathkeeper can be used as reverse proxy or policy decision point (in case you use nginx/envoy/istio or something else as ingress load balancer).

You can achieve it with Ory keto alone because as I can see it's an access control issue and Ory keto suits best for this case. You need oathkeeper for additional security in a microservice architecture. I can give you an example. You have two microservices. Both microservices do not work with authentication/identity/user details, but all requests to these microservices should be authenticated. In that case, oathkeeper can save you time because you don't need to write custom middleware to check authentication. Oathkeeper will check it for you (e.g Cookies authenticator example that we have in the documentation)

[quizmoon]

@gen1us2k I am getting lost a bit with guide you have mentioned. It is presented there as Zero Trust example, but what I can see there on the diagram with routes config, that "SecureApp" have access to Kratos Admin API without any authentication check. Looks as it is "Typical service-based application in a private infrastructure", but not "A zero-trust system with trust checks at every service boundary". (Used terms from Identity in Modern Applications Maintaining and Validating Trust in Enterprise Identity Management. Figures 17, 18)

[gen1us2k]

@quizmoon This guide gives a simple and easy-to-start explanation of zero-trust architecture. One can easily secure Kratos Admin API inside a private network by using oathkeeper. It requires writing additional access rules and a little bit change for the configuration. We have some plans to provide more advanced examples but advanced examples can make it complex and harder to understand.

To achieve "A zero-trust system with trust checks at every service boundary" it needs to change writing a couple of access rules with sane checks for Ory Kratos API and change the KRATOS_PUBLIC_API variable to point to Oathkeeper.

[quizmoon]

@gen1us2k Thank you for the answer.

Please correct me if I am wrong, the idea is to continue have Oathkeeper as a IAP Proxy in DMZ: continue to handle requests from Public Internet by it (it is already done on the example), but additionally configure it to handle all of intranet request between micro-services? As example, for SecureApp to access to Kratos Admin API, SecureApp will have to make request to Oathkeeper DMZ and it will forward to Kratos Admin API based on config / rules?

If so, is not better, to replace Oathkeeper in DMZ by some "public" proxy (Nginx, Envoy or Traefik) and put Oathkeeper to Intranet to be as decision point for "public" proxy and being the IAP for Intranet's services?

Thank you.

[gen1us2k]

Please correct me if I am wrong, the idea is to continue have Oathkeeper as a IAP Proxy in DMZ: continue to handle requests from Public Internet by it (it is already done on the example), but additionally configure it to handle all of intranet request between micro-services? As example, for SecureApp to access to Kratos Admin API, SecureApp will have to make request to Oathkeeper DMZ and it will forward to Kratos Admin API based on config / rules?

Yes, that's right.

If so, is not better, to replace Oathkeeper in DMZ by some "public" proxy (Nginx, Envoy or Traefik) and put Oathkeeper to Intranet to be as decision point for "public" proxy and being the IAP for Intranet's services?

I agree. Basically, it depends on what you want to achieve. For most use-cases, without solving additional issues like scaling/loadbalancing oathkeeper is enough. But in advanced setups when we need to load balance traffic inside DMZ I prefer to have Nginx as a load balancer with subrequest authentication.

You can check the example by using Nginx with Oathkeeper and Hydrator. It's still very basic but gives an explanation of how to setup nginx with oathkeeper decision API.

[quizmoon]

@gen1us2k Great, thank you so much!