-
-
Notifications
You must be signed in to change notification settings - Fork 362
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: match_json_field in remote_json authorizer (#1164) #1170
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your contributino and work on this feature! Unfortunately, I feel that the work can not be merged to upstream. I think there are two topics at play here:
- Oathkeeper assumes that the upstream gives the correct response it expects (versus it must interpret the response)
- We have an explicit contract that says "yes ok" or "no not ok". As soon as we go into dynamic parsing this becomes muddied
- In general I think that the evaluation logic is thin. It probably would make more sense to use Google CEL or something like that. But that again is absolute overkill in my view.
Honestly, I don't see a clear way forward with this PR because I don't really think that we should allow dynamic matching here as it is - in my view - easy to misconfigure.
@aeneasr Thank's for your review. I also understand why RP's like envoy or nginx don't bother with authorization response checks - they focused on other things. But for oathkeeper as auth decision engine i see it quite natural. We can minimize flexibility of this and just check a top level boolean JSON field with specified name in response - e.g. What do you think? |
To be honest, I'm undecided on this topic.
To me, right now, |
Not exactly. We have a request payload transformation using jsonnet for Regarding more 'general' solution for matching i think JSON will cover most of the cases with modern software which accessible via HTTP REST (gRPC and so on are currently out of scope anyway for all rules). And we can also use Anyway when you get any certain idea how to do this properly i will be glad to adopt this solution. |
Implements response content match in remote_json authorizer as described in rfc #1169
Related issue(s)
#1169
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
[email protected]) from the maintainers to push
the changes.
works.
Further Comments