Endpoint rules with oathkeeper #939
Hi guys, I apologize if this was asked before. I did spend some 3 days on your docs and demos and everything works, except I can't understand how I define endpoint access rules outside of auth. So I've got auth with Auth0 and I configured the jwt handler just to verify the token. Now I want those authenticated endpoints to also have additional rules, so that some of them can only be used / executed by some users. So what would the rule look like if a user john from group admins is allowed to view http://localhost:3000/my-service/cat-videos (assuming they are already authenticated)? Or do I need the keto package for that as well?
Replies: 2 comments 9 replies
Hello @Sasha32003, I am not entirely sure if you can add this functionality just with Oathkeeper alone, but Ory Keto is the right project for more complex authorization rules - and I think it makes sense to have a separate service for this.
Hello. Unfortunately, you can't achieve this by using Oathkeeper only. You need to use a Keto+Oathkeeper setup for your case. Keto handles access control and Oathkeeper can be used as a reverse proxy or policy decision point (in case you use nginx/envoy/istio or something else as the ingress load balancer).

You can achieve it with Ory Keto alone because, as I can see, it's an access control issue and Ory Keto suits this case best. You need Oathkeeper for additional security in a microservice architecture. I can give you an example. You have two microservices. Both microservices do not work with authentication/identity/user details, but all requests to these microservices should be authenticated. In that case, Oathkeeper can save you time because you don't need to write custom middleware to check authentication. Oathkeeper will check it for you (e.g. the Cookies authenticator example that we have in the documentation).
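The setup the second reply describes, written out for the question's concrete case (user john, group admins, path /my-service/cat-videos), as an added example that is not from the thread or from the Ory projects themselves. The Oathkeeper rule authenticates the Auth0 JWT and then delegates the allow/deny decision to Keto's check endpoint through the `remote_json` authorizer; Keto answers from relation tuples that say "members of admins may view cat-videos" and "john is a member of admins". The upstream address, the Keto hostname and port, the `videos` and `groups` namespaces (which must also be declared in the Keto configuration), the `view` and `member` relation names, and the Auth0 tenant are all assumptions here.

```yaml
# Oathkeeper access rule (assumed file: access-rules.yaml).
# Identity comes from the Auth0 JWT; authorization is delegated to Keto.
- id: cat-videos-admins-only
  upstream:
    url: http://my-service:8080          # assumed upstream address
    strip_path: /my-service
  match:
    url: http://localhost:3000/my-service/cat-videos
    methods: [GET]
  authenticators:
    - handler: jwt
      config:
        jwks_urls:
          - https://YOUR_TENANT.auth0.com/.well-known/jwks.json   # placeholder tenant
        trusted_issuers:
          - https://YOUR_TENANT.auth0.com/
        allowed_algorithms: [RS256]
  authorizer:
    handler: remote_json
    config:
      # Keto read API (port 4466 by default); host name is assumed.
      remote: http://keto:4466/relation-tuples/check
      # The JWT "sub" claim becomes the Keto subject. With Auth0 this is the
      # Auth0 user id, so the tuple below must use the same identifier.
      payload: |
        {
          "namespace": "videos",
          "object": "cat-videos",
          "relation": "view",
          "subject_id": "{{ print .Subject }}"
        }
  mutators:
    - handler: noop

---
# Keto relation tuples (same fields as the JSON that `keto relation-tuple create` reads).
# john is a member of the admins group ...
- namespace: groups
  object: admins
  relation: member
  subject_id: john
# ... and every member of admins may view cat-videos (subject set, not a single user).
- namespace: videos
  object: cat-videos
  relation: view
  subject_set:
    namespace: groups
    object: admins
    relation: member
```

Two points worth checking in a real deployment. First, the `remote_json` authorizer treats a 200 response as allowed and a 403 as denied, which is what Keto's check endpoint returns, so an unauthorized user gets a 403 from Oathkeeper before the request ever reaches my-service. Second, the rule only protects traffic that passes through Oathkeeper: my-service must not be reachable directly (network policy or a private listener), otherwise both the JWT check and the Keto decision are bypassed. Granting access to the group rather than to john directly also means removing john from `groups:admins#member` revokes everything the group was granted, which is the usual reason to model it with a subject set.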