Loading ENV vars still not working

[pike1212]

Describe the bug

Setting env var of say AUTHENTICATORS_OAUTH2_INTROSPECTION_CONFIG_PRE_AUTHORIZATION_CLIENT_ID doesn't load the config

I think the ory/x dependency just needs updated to 0.0.85

[aeneasr]

Did you set the enabled flag to true?

[aeneasr]

Version 0.0.80 includes the changes required. There might still be a bug somewhere, but it should work. Maybe double check that enabled flag is set to true (for both the authentiactor and pre auth) and also post the log message you're seeing here!

[pike1212]

export AUTHENTICATORS_OAUTH2_INTROSPECTION_CONFIG_PRE_AUTHORIZATION_CLIENT_ID=myclientid

INFO[0000] Config file loaded successfully. path=../../security/oathkeeper/config.yaml
FATA[0000] The configuration is invalid and could not be loaded. error="must validate one and only one schema (oneOf)" validation_error[0]="authenticators.oauth2_introspection: Must validate one and only one schema (oneOf)" validation_error[1]="authenticators.oauth2_introspection.config.pre_authorization: Must validate one and only one schema (oneOf)" validation_error[2]="authenticators.oauth2_introspection.config.pre_authorization.client_id: client_id is required"

[pike1212]

Using ory/x 0.0.82 seems to get rid of that error

[pike1212]

Also, regardless of what version of ory/x, if I set the env var

AUTHENTICATORS_OAUTH2_INTROSPECTION_CONFIG_INTROSPECTION_URL

it is still using the value from the config.yaml

[aeneasr]

Using ory/x 0.0.82 seems to get rid of that error

Let's bump ory/x then :) Would you be up for a PR?

[pike1212]

Yes, but I still can't get the INTROSPECTION_URL env var to work

[aeneasr]

Could you provide a reproducible case & configuration? That would help a lot!

[pike1212]

config.yaml

  oauth2_introspection:
    enabled: true
    config:
      introspection_url: http://badurl

rules.json

      "authenticators": [
        {
          "handler": "jwt"
        },
        {
          "handler": "oauth2_introspection"
        },
        {
          "handler": "anonymous"
        }
      ]

Run the following commands

export AUTHENTICATORS_OAUTH2_INTROSPECTION_CONFIG_INTROSPECTION_URL=http://goodurl
./oathkeeper serve -c config.yaml

Error I get when calling the proxy

{
    "error": {
        "code": 500,
        "message": "Post https://badurl: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
    }
}

[aeneasr]

Ok thanks, I'll look into it

[aeneasr]

Is it a workaround for you to remove the setting from the config.yaml for now?

[pike1212]

I think issue may be that GetStringMap doesn't replace the values with the env vars here

https://github.com/ory/oathkeeper/blob/master/driver/configuration/provider_viper.go#L188

[aeneasr]

So I checked the code and as far as I can tell, it's set up correctly: https://github.com/ory/x/blob/master/viperx/bind_env.go#L37-L39

Basically, we're using BindEnv to bind env vars. It does seem however that GetStringMap doesn't use these env vars if they're already defined.

I was under the impression that env vars take precedence over config file values. Reading through the viper code, it also appears that that's the case: https://github.com/ory/viper/blob/master/viper.go#L1148-L1176

Basically GetStringMap boils down to the referenced lines.

I'm really not sure what's causing this, it would be awesome if you could help debug this! I'm unfortunately very busy with other porojects atm :/

[pike1212]

I've been looking into this...

GetStringMap is passed authenticators.oauth2_introspection.config and I don't see where in viper it would look for all the sub keys env vars (i.e. authenticators.oauth2_introspection.config.introspection_url)

[aeneasr]

We're extracting all of the configuration keys from the configuration json schema and then do some transformation to add them to viper as env vars. You can find the code here: https://github.com/ory/x/blob/master/viperx/bind_env.go#L19-L51

[pike1212]

The extracting works fine, so viper.GetString("authenticators.oauth2_introspection.config.introspection_url") will work, but viper.GetStringMap("authenticators.oauth2_introspection.config") isn't going to iterate through the schema of config and do GetString on everything it finds.

[aeneasr]

Ah I see - nice find! I also saw the PR. I think we can solve it a bit more generic so that this also works on other levels and with over keys not named config!

[pike1212]

Good call, PR is updated