
Add Oathkeeper
justmangoou authored Jul 13, 2024
1 parent 0129b38 commit 484140c
Showing 3 changed files with 166 additions and 5 deletions.
10 changes: 5 additions & 5 deletions config/kratos/kratos-dev.yml
Expand Up @@ -3,6 +3,11 @@ version: v0.13.0
dsn: memory
dev: true

log:
level: debug
format: text
leak_sensitive_values: true

serve:
public:
base_url: http://127.0.0.1:4433/
Expand Down Expand Up @@ -122,11 +127,6 @@ selfservice:
# value: OVERWRITE_ME
# in: header

log:
level: debug
format: text
leak_sensitive_values: true

secrets:
cookie:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
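--- a/config/oathkeeper/oathkeeper-dev.yml
+++ b/config/oathkeeper/oathkeeper-dev.yml
@@ -0,0 +1,106 @@
+log:
+level: debug
+format: text
+leak_sensitive_values: true
+
+serve:
+proxy:
+port: 4455 # run the proxy at port 4455
+cors:
+enabled: true
+allowed_origins:
+- "*"
+allowed_methods:
+- POST
+- GET
+- PUT
+- PATCH
+- DELETE
+allowed_headers:
+- Authorization
+- Content-Type
+exposed_headers:
+- Content-Type
+allow_credentials: true
+debug: true
+api:
+port: 4456 # run the api at port 4456
+
+errors:
+fallback:
+- json
+handlers:
+json:
+enabled: true
+config:
+verbose: true
+redirect:
+enabled: true
+config:
+to: http://127.0.0.1:4455/login
+when:
+- error:
+- unauthorized
+- forbidden
+request:
+header:
+accept:
+- text/html
+
+
+access_rules:
+repositories:
+- file:///etc/config/oathkeeper/rules/vocolo.json
+
+authenticators:
+anonymous:
+enabled: true
+config:
+subject: guest
+cookie_session:
+enabled: true
+config:
+check_session_url: http://127.0.0.1:4433/sessions/whoami
+preserve_path: true
+extra_from: "@this"
+subject_from: "identity.id"
+only:
+- ory_kratos_session
+
+authorizers:
+remote_json:
+enabled: true
+config:
+base_url: http://127.0.0.1:4466/
+payload: |
+{ }
+# forward_response_headers_to_upstream:
+# - X-
+retry:
+max_delay: 1s
+give_up_after: 1s
+allow:
+enabled: true
+deny:
+enabled: true
+
+mutators:
+noop:
+enabled: true
+header:
+enabled: true
+config:
+headers:
+X-User: "{{ print .Subject }}"
+# You could add some other headers, for example with data from the
+# session.
+# X-Some-Arbitrary-Data: "{{ print .Extra.some.arbitrary.data }}"
+id_token:
+enabled: true
+config:
+issuer_url: http://127.0.0.1:4455/
+jwks_url: file:///etc/config/oathkeeper/jwks.json
+claims: |
+{
+"session": {{ .Extra | toJson }}
+}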
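Review bot: `access_rules.repositories` points at `file:///etc/config/oathkeeper/rules/vocolo.json`, but the rules file this commit adds is `config/oathkeeper/rules/vocolo.yml`; unless a build step converts it, Oathkeeper loads no rules at all and every request falls through to the error handlers, so the entry should read `- file:///etc/config/oathkeeper/rules/vocolo.yml` (or the rules should be committed as JSON). The proxy CORS block pairs `allowed_origins: - "*"` with `allow_credentials: true`; browsers refuse a credentialed response that carries a wildcard Allow-Origin, so the cookie_session flow from a browser app will presumably not work as written, and for anything beyond local development the origins should be an explicit list. The `header` mutator stamps `X-User` from the authenticated subject, which the upstream on :8080 can only trust if it is reachable solely through this proxy; a comment beside it such as `# X-User is authoritative only when the upstream is not directly reachable` would make that assumption visible to whoever deploys it.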
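--- a/config/oathkeeper/rules/vocolo.yml
+++ b/config/oathkeeper/rules/vocolo.yml
@@ -0,0 +1,55 @@
+- id "vocolo-api-v1:create"
+upstream:
+preserve_host: true
+url: "http://127.0.0.1:8080"
+match
+
+- id "vocolo-api-v1:view"
+upstream:
+preserve_host: true
+url: "http://127.0.0.1:8080"
+match:
+url: "http://127.0.0.1:8080/<osu>/<tournaments|mappools|matches>/<**>"
+methods:
+- GET
+authenticators:
+- handler: cookie_session
+- handler: anonymous
+mutators:
+- handler: header
+authorizer:
+- handler: remote_json
+config:
+payload: |
+{
+"subject_id": "{{ print .Subject }}",
+"relation": "view",
+"namespace": "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}",
+"object": "{{ printIndex .MatchContext.RegexpCaptureGroups 2 }}"
+}
+- id "vocolo-api-v1:edit"
+upstream:
+preserve_host: true
+url: "http://127.0.0.1:8080"
+match:
+url: "http://127.0.0.1:8080/<osu>/<tournaments|mappools|matches>/<**>"
+methods:
+- POST
+- PUT
+- PATCH
+- DELETE
+authenticators:
+- handler: cookie_session
+- handler: anonymous
+mutators:
+- handler: header
+authorizer:
+- handler: remote_json
+config:
+payload: |
+{
+"subject_id": "{{ print .Subject }}",
+"relation": "editors",
+"namespace": "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}",
+"object": "{{ printIndex .MatchContext.RegexpCaptureGroups 2 }}"
+}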
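Review bot: This rules file cannot be parsed as written: each rule opens with `- id "vocolo-api-v1:…"` with no colon after `id` (the create, view and edit rules alike), which makes the line a plain scalar rather than a mapping key, and the create rule's `match` line has neither a colon nor a body, so that rule declares no url, methods, authenticators or authorizer. Each header should read `- id: "vocolo-api-v1:…"`, and the create rule needs a complete `match:` block and handler set or should be left out until it has one — a malformed rule is not a deny, it is a load failure that takes the two working rules down with it. In both the view and edit rules `authorizer` is written as a list (`- handler: remote_json`), whereas the Oathkeeper rule schema, as far as I can tell, expects a single object, so it likely needs `authorizer:` with `handler: remote_json` and `config` nested directly beneath it; confirm against the schema the deployed version validates with. The view rule sends relation `view` while the edit rule sends `editors`; if the Keto namespace really mixes verb and noun relations a one-line comment saying so would stop the next reader from "fixing" it.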

0 comments on commit 484140c
