Feature/global auth session #358
Hey, I haven't missed this - just a lot to do at the moment. Will review this in the next days!
Great job! This looks really solid! Before merging we also need to update the docs and, if I'm correct and there's a breaking change, update the rule migrator as well.
The docs should probably receive updates:
- https://www.ory.sh/docs/oathkeeper/pipeline/authz#configuration-2
- https://www.ory.sh/docs/oathkeeper/pipeline/mutator#claims
- https://www.ory.sh/docs/oathkeeper/pipeline/mutator#cookies
- https://www.ory.sh/docs/oathkeeper/pipeline/mutator#headers (might make sense to merge these into one section and just link to it)
@@ -135,6 +143,7 @@ func TestMutatorHydrator(t *testing.T) { | |||
"foo": "hello", | |||
"bar": 3.14, | |||
} | |||
sampleCaptureGroups := []string{"resource", "context"} |
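Review bot: the added `sampleCaptureGroups` declaration sits next to the sample extra values, but nothing in this hunk shows where it is consumed. Since Go rejects unused local variables it must be referenced further down in `TestMutatorHydrator`, so a one-line comment above the declaration naming the case that depends on it, and what that case is meant to prove about the capture groups, would save the next reader from searching for it.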
I don't believe these are actually used in this test?
ping @Sbou :)
I only use it in the "No Changes" test to validate that we don't lose this part in the serialization/deserialization step.
```go
"No Changes": {
	Setup:   defaultRouterSetup(),
	Session: newAuthenticationSession(setExtra(sampleKey, sampleValue), setMatchContext(sampleCaptureGroups)),
	Rule:    &rule.Rule{ID: "test-rule"},
	Config:  defaultConfigForMutator(),
	Request: &http.Request{},
	Match:   newAuthenticationSession(setExtra(sampleKey, sampleValue), setMatchContext(sampleCaptureGroups)),
	Err:     nil,
},
```
The version this will be released (after merge) as is v0.37.0+oryOS.18
67215a1 to 230d9fe
Thank you so much for your hard work (and sorry for my late review) - this looks perfect!
One thing is left before this can be merged, we need to update the documentation here:
- https://www.ory.sh/docs/oathkeeper/pipeline/authz#configuration-2
- https://www.ory.sh/docs/oathkeeper/pipeline/mutator#claims
- https://www.ory.sh/docs/oathkeeper/pipeline/mutator#cookies
- https://www.ory.sh/docs/oathkeeper/pipeline/mutator#headers (might make sense to merge these into one section and just link to it)
It would also be cool to have the new capabilities documented somewhere, maybe as a new section below here ( https://github.com/ory/docs/blob/master/docs/oathkeeper/api-access-rules.md#scoped-credentials )?
I’m sorry, I merged another PR which now gives a conflict here. As I don’t have access to a PC right now, could you rebase/merge with master? Thank you for your hard work!
230d9fe to fd16ceb
@aeneasr I rebased the Pull Request.
Related issue
#292
Discussed with @aeneasr
Proposed changes
The AuthenticationSession is now global for the whole life of the request handler.
The signature changes to:
So it's now possible to use it in all authorizers or mutators.
For example with mutator_id_token
Checklist
vulnerability, I confirm that I got green light (please contact [email protected]) from the maintainers to push the changes.
Further comments
Should we keep compatibility with the ReplaceAllString syntax in the config of the keto_engine_acp_ory authorizer?
New syntax