
feat: add bearer_token authenticator #613

Merged (10 commits), Dec 15, 2020

Conversation

wezzle (Contributor) commented Dec 10, 2020

Related issue

https://community.ory.sh/t/oathkeeper-example-with-kratos-api-session-token/2373

Proposed changes

Adds a new authenticator to work with Kratos' new API token.
Works the same as the cookie_session authenticator but checks for a bearer token in the Authorization header (unless overwritten by token_from)

Checklist

  • I have read the contributing guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got green light (please contact [email protected]) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added or changed the documentation.

Further comments

If this is the way to go I can add this to the docs as well, just let me know.

aeneasr (Member) left a comment

Great, thank you! Could you please add some documentation as well? A good place would be around here, probably: https://github.com/ory/oathkeeper/blob/master/docs/docs/pipeline/authn.md#cookie_session

wezzle (Contributor, Author) commented Dec 11, 2020

@aeneasr yes, I'll get right on that.

Is the naming correct btw? Simple bearer seemed most logical but perhaps you know of a better name?

aeneasr (Member) commented Dec 11, 2020

Hm yeah maybe just call it bearer_token?

wezzle (Contributor, Author) commented Dec 11, 2020

Ok, I'll rename it and add it to the docs.

wezzle changed the title from "feat: add simple bearer authenticator" to "feat: add bearer_token authenticator" on Dec 11, 2020

wezzle (Contributor, Author) commented Dec 11, 2020

@aeneasr the authenticator has been renamed and docs have been added. Please let me know if anything else is needed.

aeneasr (Member) left a comment

Awesome! Just one more little change :)

aeneasr (Member) commented on these lines of the authenticator's config defaults:

```go
	}

	if len(c.SubjectFrom) == 0 {
		c.SubjectFrom = "subject"
```

OAuth2 uses the shorthand sub - I think we should use sub per default also:

Suggested change:

```diff
-		c.SubjectFrom = "subject"
+		c.SubjectFrom = "sub"
```

aeneasr (Member) commented on these lines of the documentation:

```markdown
`{ "subject": "...", "session": { "foo": {"bar": "whatever"} } }`, and so on.
- `subject_from` (string, optional - defaults to `subject`) - A
[GJSON Path](https://github.com/tidwall/gjson/blob/master/SYNTAX.md) pointing
to the `subject` field. This defaults to `subject`. Example: `identity.id` for
```

Suggested change:

```diff
-to the `subject` field. This defaults to `subject`. Example: `identity.id` for
+to the `subject` field. This defaults to `sub`. Example: `identity.id` for
```

wezzle (Contributor, Author) replied:

I've just sent in the change. This does make it diverge from the cookie_session configuration, but perhaps that will get the change sometime in the future as well?
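As an added illustration (not code from this PR or from oathkeeper), the Go sketch below shows the flow the PR description outlines and the default the review settled on: a strict "Bearer <token>" check on the Authorization header, the token forwarded to a session endpoint the way cookie_session forwards its cookie, and the subject read from the JSON reply at a configurable path that defaults to `sub`. The function and parameter names and the dotted-path helper standing in for GJSON are this example's own; the `token_from` override the PR mentions is left out.

```go
package main
import (
	"encoding/json"
	"errors"
	"net/http"
	"strings"
)

// subjectAt is a minimal stand-in for a GJSON path: dotted object keys only.
func subjectAt(doc interface{}, path string) (string, bool) {
	for _, key := range strings.Split(path, ".") {
		m, isObj := doc.(map[string]interface{})
		if !isObj {
			return "", false
		}
		doc = m[key]
	}
	s, isStr := doc.(string)
	return s, isStr && s != ""
}
// Authenticate reads "Bearer <token>" from the Authorization header, forwards it
// to checkSessionURL and returns the subject at subjectFrom (default "sub", as
// settled in the review); no token, a non-200 reply or a missing subject deny.
func Authenticate(checkSessionURL, subjectFrom string, r *http.Request) (string, error) {
	parts := strings.SplitN(r.Header.Get("Authorization"), " ", 2)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") || strings.TrimSpace(parts[1]) == "" {
		return "", errors.New("no bearer token in request")
	}
	req, err := http.NewRequest(http.MethodGet, checkSessionURL, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+strings.TrimSpace(parts[1]))
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var session interface{}
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&session) != nil {
		return "", errors.New("session check rejected token")
	}
	if subjectFrom == "" {
		subjectFrom = "sub"
	}
	if sub, ok := subjectAt(session, subjectFrom); ok {
		return sub, nil
	}
	return "", errors.New("no subject at " + subjectFrom)
}
```

With subjectFrom left empty, a session reply that carries only `subject` (the old default) is denied, which is the divergence from cookie_session that the reply above points out.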

@aeneasr aeneasr merged commit b623ae7 into ory:master Dec 15, 2020