Additional information from client credentials authenticator

[leivd]

Hello Ory Community!

We are having a bit of trouble with the oauth2_clients_credentials Authenticator limitation that no extra metadata about the client is available for the header Mutator.

Situation
We want to pass an extra piece of information to the servers behind Oathkeepers, this works fine with oauth2_introspection by adding the information to the access token using custom claims at refresh.
We would like to pass the same piece of information with oauth2_client_credentials.

Flow with oauth2_introspection

• Service fetches auth token from Ory Hydra.
  • auth token is patched with a webhook sent by Ory Hydra. (custom claims at refresh)
• Service sends request to oathkeeper protected service with the auth token.
• Ory Oathkeeper oauth2_introspection fetches the information from the Ory Hydra introspect endpoint.
• Header Mutator sets our header to .Extra.piece.of.information

oauth2_client_credentials does not have any extra information, this is a problem for us.
A Hydrator Mutator could be used to add the required data, but we would like to avoid another round trip.

I hope to find a workaround that does not involve a request to yet another server. And I hope the Ory Community can help me find it!

[vinckr]

Hello @leivd

As you noted, you might be able to use the hydrator mutator to fetch additional data from external APIs, which can then be used by other mutators. This mutator works by making an upstream HTTP call to an API specified in the Per-Rule Configuration section. The request is a POST request and it contains a JSON representation of the AuthenticationSession struct in the body. As a response, the mutator expects a similar JSON object, but with extra or header fields modified.
Here is an example of the request/response payload:

{  
 "subject": "anonymous",  
 "extra": {  
 "foo": "bar"  
 },  
 "header": {  
 "foo": ["bar1", "bar2"]  
 },  
 "match_context": {  
 "regexp_capture_groups": ["http", "foo"],  
 "url": "http://domain.com/foo"  
 }  
}

But you mentioned that you would like to avoid another round trip.

In that case, you could try storing custom data in the client that can be retrieved along with the login request using the request url. Both Login and Consent Requests have a request url which contains the original OAuth2 Authorize URL.

RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It's the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters.

Please note that these are suggestions based on the information you provided and might not fully solve your problem. I recommended to thoroughly test these solutions in your environment.

[leivd]

Thank you for the answer

Unfortunately I don't think the request url will be useful. The oauth2_clients_credentials is configured with a single token url, I don't understand how I would send different query data for different clients.
Furthermore I don't want the user to send the custom data themselves. It is stored on the hydra server as metadata in the client. (Note: It does not need to be secure, the user can know the data).
And finally it seems to me that the oauth2_clients_credentials authenticator does not modify the AuthenticationSession beyond setting session.Subject the the client id as parsed from the Basic auth header.