Working with NGINX auth_request

[ecktom]

NGINX is able to do authentication based on subrequest results using the auth_request directive. We're using this heavily with Oathkeeper as backing service.

NGINX however expects the subrequest to return either 200, 401 oder 403 as response code. If we're forwarding a request to Oathkeeper for which no rules are defined 404 is returned. For the NGINX this looks like the auth backend is not available. Thus the incoming request get's responded with 500.

Easiest fix for this might be making the response status code for the no rules available case configurable. Would you be up for a PR to implement this behavior?

[aeneasr]

I think responding with a 403 when no rule matches is probably generally more in line with what would be expected? For me this is a go. Since the next version will include several breaking changes, I think we can add this as well.

[lanphan]

Hi @ecktom ,
We're trying ory ecosystem with setting oathkeeper + kratos behind nginx. I did 1 example about that here https://github.com/lanphan/example-oathkeeper, but seems it doesn't work correctly:

• open login page --> lots of are generated and stored in selfservice_login_flows
• cannot register new user

Would you please help me to take a look and give me some advice?
Thanks so much.

[ecktom]

Hi @lanphan,
I just had a quick look on your repo. The NGINX configuration for auth_request does look sufficient and should work. You could easily verify this by adjusting the Oathkeeper rules to something like:

  authenticators:
    - handler: noop
  authorizer:
    handler: allow
  mutators:
    - handler: noop

which should let any request through. I think your issues are at the misconfigured cookie_session authentication handler which I however cannot help with. I would suggest you pop up at the Ory Slack and try to get some help from people which have used kratos before

[github-actions]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan on resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneous you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️