Comments (15)
Incorrect stalebot detection - this was assigned a milestone.
from oathkeeper.
Would it be possible to give more context on this? I've never used grpc myself, so I lack some background. Is grpc running over HTTP(s)? Are the same headers used and do they represent the same things? If grpc runs as a (binary) format over HTTP, why do we even care here? We're not transforming/modifying the payload, right?
from oathkeeper.
Yes, gRPC runs over HTTP/2. The headers are more or less the same as in HTTP/1 w/ Authorization headers etc. (read more here https://apievangelist.com/2018/02/05/headers-used-for-grpc-over-http2/). But gRPC has some additional headers as well. gRPC clients expect a "binary" payload back; whenever a JSON payload is returned it will not be recognized by the gRPC client, like an auth failure from oathkeeper.
An empty-body response would be fine, but with the grpc-status and grpc-message headers carrying the error.
But you are totally right, whenever the request is granted by oathkeeper everything works as expected.
This fix would make the gRPC client act accordingly if we get an auth failure, for instance.
some more info here:
https://www.d3void.net/post/grpc-with-http/
from oathkeeper.
Ok, I think this requires a bit more thinking around gRPC in general:
- Do we provide gRPC APIs alongside REST ones?
- How do we document, generate, and publish gRPC APIs?
- What security mechanisms of gRPC (if any) can we use or enhance?
I think this will be a longer discussion, but it will be a good one!
from oathkeeper.
A quick fix which works sufficiently is to do something like this:
from previously getting this response:
rpc error: code = Internal desc = transport: received the unexpected content-type "application/json"
and now getting:
rpc error: code = Unauthenticated desc = Unauthorized
from oathkeeper.
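Pulling the two comments above together (what a gRPC client expects back on an auth failure, and the quick fix that turns the content-type error into code = Unauthenticated), here is an added Go example of such a response writer; it is not Oathkeeper's or herodot's code, and `writeAuthError` and the request path `/pkg.Svc/Method` are made up for the demo. It uses the gRPC spec's "trailers-only" form (HTTP 200, empty body, error in grpc-status/grpc-message) rather than relying on the client mapping a 401, and percent-encodes grpc-message as the spec requires.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// grpcMessageEncode percent-encodes grpc-message as the gRPC spec requires:
// bytes outside printable ASCII, and '%' itself, are written as %XX.
func grpcMessageEncode(msg string) string {
	var b strings.Builder
	for i := 0; i < len(msg); i++ {
		if c := msg[i]; c >= 0x20 && c <= 0x7E && c != '%' {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// writeAuthError answers an auth failure. A gRPC client (content type
// application/grpc[+proto|+json]) gets a "trailers-only" response: HTTP 200, empty
// body, error in grpc-status/grpc-message. Other clients keep the JSON error body.
func writeAuthError(w http.ResponseWriter, r *http.Request, httpStatus int, msg string) {
	if !strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc") {
		w.Header().Set("Content-Type", "application/json") // what a gRPC client rejects
		w.WriteHeader(httpStatus)
		fmt.Fprintf(w, `{"error":{"code":%d,"message":%q}}`, httpStatus, msg)
		return
	}
	code := "16" // UNAUTHENTICATED
	if httpStatus == http.StatusForbidden {
		code = "7" // PERMISSION_DENIED
	}
	w.Header().Set("Content-Type", "application/grpc")
	w.Header().Set("Grpc-Status", code)
	w.Header().Set("Grpc-Message", grpcMessageEncode(msg))
	w.WriteHeader(http.StatusOK) // transport-level OK; grpc-status carries the error
}

func main() { // constructed gRPC-style request, handled in-process
	req := httptest.NewRequest(http.MethodPost, "/pkg.Svc/Method", nil)
	req.Header.Set("Content-Type", "application/grpc")
	rec := httptest.NewRecorder()
	writeAuthError(rec, req, http.StatusUnauthorized, "Unauthorized")
	fmt.Println(rec.Code, rec.Header().Get("Grpc-Status"), rec.Header().Get("Grpc-Message"))
}
```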
Probably it would be enough to implement the content type in https://github.com/ory/herodot
this workaround is ok for me now.
from oathkeeper.
Yeah, I think it makes sense to have the workaround in oathkeeper directly. We'll need a bit more work on herodot to support grpc properly. Feel free to PR!
from oathkeeper.
Looks like this issue still prevails. Any workaround in 2020?
from oathkeeper.
PRs and contributions are always welcome, so if you want to give this a shot @rverma-jm
from oathkeeper.
@lsjostro Are you please able to indicate where you would add this workaround currently within the current release?
Would it be here:
https://github.com/ory/oathkeeper/blob/master/api/decision.go#L86
And would you completely replace the current function?
Thanks.
from oathkeeper.
We are also interested in this feature.
Is there any progress on this? If not, is there anything we still need to discuss before changes can be made?
I could look into this and try to contribute this feature, if there are no blockers.
from oathkeeper.
I am marking this issue as stale as it has not received any engagement from the community or maintainers in over half a year. That does not imply that the issue has no merit! If you feel strongly about this issue:
- open a PR referencing and resolving the issue;
- leave a comment on it and discuss ideas how you could contribute towards resolving it;
- open a new issue with updated details and a plan on resolving the issue.
We are cleaning up issues every now and then, primarily to keep the 4000+ issues in our backlog in check and to prevent maintainer burnout. Burnout in open source maintainership is a widespread and serious issue. It can lead to severe personal and health issues as well as enabling catastrophic attack vectors.
Thank you for your understanding and to anyone who participated in the issue! 🙏✌️
If you feel strongly about this issue and have ideas on resolving it, please comment. Otherwise it will be closed in 30 days!
from oathkeeper.
Hello contributors!
I am marking this issue as stale as it has not received any engagement from the community or maintainers in a year. That does not imply that the issue has no merit! If you feel strongly about this issue:
- open a PR referencing and resolving the issue;
- leave a comment on it and discuss ideas how you could contribute towards resolving it;
- leave a comment and describe in detail why this issue is critical for your use case;
- open a new issue with updated details and a plan on resolving the issue.
Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.
Unfortunately, burnout has become a topic of concern amongst open-source projects.
It can lead to severe personal and health issues as well as opening catastrophic attack vectors.
The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.
If this issue was marked as stale erroneously, you can exempt it by adding the backlog
label, assigning someone, or setting a milestone for it.
Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!
Thank you 🙏✌️
from oathkeeper.
This is still an issue in 2024
from oathkeeper.