Oathkeeper access rules appear to be missing paths to get the UI working with quickstart-oathkeeper

[theotherian]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Cloud project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe the bug

The configuration at

kratos/contrib/quickstart/oathkeeper/access-rules.yml

Line 29 in 0b426d2

url: "http://127.0.0.1:4455/<{error,recovery,verify,auth/*,**.css,**.js}{/,}>"

seems to exclude paths that are used by the UI when using quickstart-oathkeeper.

I believe this:

id: "ory:kratos-selfservice-ui-node:anonymous"
  upstream:
    preserve_host: true
    url: "http://kratos-selfservice-ui-node:4435"
  match:
    url: "http://127.0.0.1:4455/<{error,recovery,verify,auth/*,**.css,**.js}{/,}>"
    methods:
      - GET

Should have the following value for url:

id: "ory:kratos-selfservice-ui-node:anonymous"
  upstream:
    preserve_host: true
    url: "http://kratos-selfservice-ui-node:4435"
  match:
    url: "http://127.0.0.1:4455/<{welcome,registration,login,verification,error,recovery,verify,auth/*,**.css,**.js,**.png}{/,}>"
    methods:
      - GET

Adding those paths locally allows me to hit the http://127.0.0.1:4455/welcome resource specified in https://www.ory.sh/kratos/docs/guides/zero-trust-iap-proxy-identity-access-proxy/

Reproducing the bug

I literally just used the steps in https://www.ory.sh/kratos/docs/guides/zero-trust-iap-proxy-identity-access-proxy/ and the UI wasn't working for paths like http://127.0.0.1:4455/welcome which returned a 404

git clone https://github.com/ory/kratos.git
cd kratos
git checkout v0.8.0-alpha.3
docker-compose \
  -f quickstart.yml \
  -f quickstart-oathkeeper.yml \
  up --build --force-recreate

Relevant log output

oathkeeper_1                  | {"audience":"application","error":{"debug":"","message":"Requested url does not match any rules","reason":"","status":"Not Found","status_code":404},"granted":false,"http_host":"127.0.0.1:4455","http_method":"GET","http_url":"http://127.0.0.1:4455/welcome","http_user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36","level":"warning","msg":"Access request denied","service_name":"ORY Oathkeeper","service_version":"v0.38.15-beta.1","time":"2021-12-09T21:43:40Z"}
oathkeeper_1                  | {"code":404,"debug":"","details":{},"error":"Requested url does not match any rules","level":"error","msg":"An error occurred while handling a request","reason":"","request-id":"","status":404,"time":"2021-12-09T21:43:40Z","writer":"JSON"}

### Relevant configuration

```yml
I'm using the defaults from the linked quickstart page.

Version

v0.8.0-alpha.3

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker Compose

Additional Context

No response

[aeneasr]

Thank you for the report! I think you are right here indeed! Would you mind opening a PR for this? :)

[theotherian]

@aeneasr happy to; I'll get one open in a little while and link it to this.

[theotherian]

Opened #2058