docs(oathkeeper): Document remote_json authorizer #289

Merged
merged 1 commit into from
Mar 29, 2020
85 changes: 85 additions & 0 deletions docs/oathkeeper/pipeline/authz.md
Expand Up @@ -268,3 +268,88 @@ $ cat ./rules.json
]
}]
```

## `remote_json`

This authorizer performs authorization using a remote authorizer. The authorizer
makes an HTTP POST request to a remote endpoint with a JSON body. If the
endpoint returns a 200 OK response code, the access is allowed, if it returns a
403 Forbidden response code, the access is denied.

### Configuration

- `remote` (string, required) - The URL of the remote authorizer. The remote
authorizer is expected to return either 200 OK or 403 Forbidden to allow/deny
access.
- `payload` (string, required) - The JSON payload of the request sent to the
remote authorizer. The string will be parsed by the Go
[`text/template`](https://golang.org/pkg/text/template/) package and applied
to an
[`AuthenticationSession`](https://github.com/ory/oathkeeper/blob/master/pipeline/authn/authenticator.go#L40)
object. See [Session](index.md#session) for more details.

#### Example

```yaml
# Global configuration file oathkeeper.yml
authorizers:
remote_json:
# Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
enabled: true

config:
remote: http://my-remote-authorizer/authorize
payload: |
{
"subject": "{{ print .Subject }}",
"resource": "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}"
}
```

```yaml
# Some Access Rule: access-rule-1.yaml
id: access-rule-1
# match: ...
# upstream: ...
authorizers:
- handler: remote_json
config:
remote: http://my-remote-authorizer/authorize
payload: |
{
"subject": "{{ print .Subject }}",
"resource": "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}"
}
```

### Access Rule Example

```shell
{
"id": "some-id",
"upstream": {
"url": "http://my-backend-service"
},
"match": {
"url": "http://my-app/api/<.*>",
"methods": ["GET"]
},
"authenticators": [
{
"handler": "anonymous"
}
],
"authorizer": {
"handler": "remote_json",
"config": {
"remote": "http://my-remote-authorizer/authorize",
"payload": "{\"subject\": \"{{ print .Subject }}\", \"resource\": \"{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}\"}"
}
}
"mutators": [
{
"handler": "noop"
}
]
}
```
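
Review bot: The Access Rule Example JSON is not valid as written: the closing `}` of the `"authorizer"` object is not followed by a comma before `"mutators"`, and the block is fenced as `shell` rather than `json`. Add the comma and retag the fence. The same example uses a singular `"authorizer"` object while the YAML access rule above it uses an `authorizers:` list, so the two should be aligned to the key the rule schema accepts. In the global configuration example, the comment on `enabled` says "authenticator" twice where it should say "authorizer". Two documentation gaps are also worth closing. The text defines only 200 and 403, so it should state what happens on any other status code or when the remote endpoint is unreachable. And because `payload` is rendered with `text/template`, which does no JSON escaping, the docs should say how a `.Subject` or capture group containing a quote or backslash is handled inside `"{{ print .Subject }}"`, since such a value can change the structure of the JSON sent to the remote authorizer.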