Comments (6)
Good point. We haven't covered how this works internally yet. I think with the beta.8
release of ORY Hydra this will get easier because we separate admin and public endpoints. You could probably run admin port with HTTP (no TLS termination) as it's inwards facing and talk to it directly.
Faking the proto header in Oathkeeper is also an option, although it sort of defeats the purpose of the header. We'll try to come up with a solution in case the admin/public port doesn't suit you.
from oathkeeper.
In fact, traefik is the TLS termination edge, right? So that should set the X-Forwarded-Proto
header, not this proxy (unless oathkeeper is the TLS edge). Since Oathkeeper forwards all headers - except sensitives one that are filtered like Authorization
- that should work out of the box. I'm closing this, but let me know if I missed a spot.
from oathkeeper.
Im not sure, but usually if a request run behind the LB / traefik proxy, it will direct talk to hydra, instead of go thought traefik and go back to hydra again
like my case, im using k8s Service Endpoint for the introspection_url of oathkeeper , turn out k8s will not include any extra header "X-Forwarded-Proto", as it havent go to the ingress controller or traefik controller; that means your application needed to add it, but as i go thought the source code you wrote
it has not include "X-Forwarded-Proto" in the header, those hydra will reject it , even you include your internal IP in allow_termination_from setting
from oathkeeper.
Yeah, I can see that! Reopening.
from oathkeeper.
serve hydra admin and hydra public into 2 dockers, it is one of the solution too (as you mentioned, but im not sure what is the impact), at least it cant use memory database for testing purpose ^^
from oathkeeper.
Resolved via: https://github.com/ory/oathkeeper/blob/master/pipeline/authn/authenticator_oauth2_introspection.go#L30
from oathkeeper.
Related Issues (20)
- Authenticator: Bearer_token w. "query_parameter" selector consumes request body
- Observed memory leak in v0.40.3 HOT 4
- Configure JWT authenticator not to logging sensitive data
- Allow/deny `remote(_json)` authorizers depending response content
- Allow API key pre-authorization in oauth2_introspection authenticator HOT 2
- "any" matching option for "required_scope" in JWT authenticator HOT 1
- Docs wrong for `bearer_token` Subject default location
- upstream reference closed: github.com/GoogleContainerTools/distroless/issues/1342
- Authorizer "remote" throws exception "invalid Read on closed Body" if request body is present in request HOT 13
- Basic Authorization header result in Unauthorized when using `anonymous` authenticator handler
- Oathkeeper does not support X-Forwarded headers properly HOT 3
- Reference to .MatchContext.RegexpCaptureGroups doesn't render in access rules authenticator config
- Decision API is not respecting the token_from config
- Outdated OTEL dependencies prevent import
- None of the provided URLs returned a valid JSON Web Key Set HOT 1
- Implement a `delegate` authenticator
- Git as a repository for access rules & granularity: check against specific ingress against specific accessrule files HOT 1
- Duplicate requests using decisions endpoint via NGINX
- Oathkeeper returns encoded cookie
- Oathkeeper bombards Ory Network with requests after upgrade to 40.x HOT 14
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oathkeeper.