ory / oathkeeper

A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.

Home Page: https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra


Allow API key pre-authorization in oauth2_introspection authenticator

marcinfigiel opened this issue · comments

Describe your problem

We are trying to migrate our project from self-hosted to managed Hydra, but it seems it's currently impossible due to a missing feature in the Oathkeeper oauth2_introspection authenticator.
Our auth flow includes Oathkeeper running as a sidecar to our API gateway, which authenticates requests using the oauth2_introspection authenticator. It works perfectly fine in a self-hosted environment, but in the case of managed Hydra the /introspect endpoint is an administrative one (which makes sense), so it requires authorization. The way to authorize such requests is with an API key, but it's impossible to configure Oathkeeper to use one. There is a pre_authorization configuration section, but it only allows specifying client credentials, not an API key.

Describe your ideal solution

Refactor the pre_authorization section of oauth2_introspection authenticator so it allows either client credentials or an API key as a way to authorize the requests to introspection endpoint.

Workarounds or alternatives

A way to work around this would be to implement a simple proxy service working in between Oathkeeper and managed Hydra and use it to inject the bearer token. It introduces an additional hop though, which would increase latency.
Besides that, the API key functionality seems like an obvious option which should be available in Oathkeeper, especially as Ory offers a managed Hydra.

Version

0.39.4

Additional Context

No response

Have you tried the introspection_request_headers config option?

We've just tried that approach and it works!

We just had to figure out how to inject the API key from our Bitbucket Pipelines variables into Oathkeeper configuration, which expects it to be an object, but we made it.

For future reference, in case someone else has the same problem: you pass the value by helm's --set-json parameter and escape the internal quotes, e.g.:
helm install ... --set-json oathkeeper.config.authenticators.oauth2_introspection.config.introspection_request_headers="{\"Authorization\": \"Bearer ${API_KEY}\"}".
Variable interpolation requires the external quotes to be double quotes ("), which is why we must escape the internal ones.

Thanks for your help @alnr! Closing the ticket now :)
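For readers arriving at this thread later, here is the Oathkeeper configuration that the helm --set-json path above writes into (an added example, not from the issue or the Oathkeeper project). The introspection URL, the API key value and the cache settings are assumptions; substitute your own project's values.

```yaml
# Added example: oauth2_introspection authenticator talking to a managed
# Hydra admin introspection endpoint, authenticated with an Ory API key.
# The helm path oathkeeper.config.authenticators.oauth2_introspection.config
# from the thread lands in the "config" map below.
authenticators:
  oauth2_introspection:
    enabled: true
    config:
      # Admin endpoint of the managed Hydra project (placeholder URL).
      introspection_url: https://<your-project-slug>.projects.oryapis.com/admin/oauth2/introspect
      # The fix from the thread: send the API key as a bearer token on every
      # introspection request. Keep the real key out of version control and
      # inject it at deploy time (helm --set-json, a Secret, or an env var).
      introspection_request_headers:
        Authorization: "Bearer ORY_API_KEY_PLACEHOLDER"
      # pre_authorization is the client-credentials path the issue author
      # found insufficient; it stays disabled when the header above is used.
      pre_authorization:
        enabled: false
      # Require scopes to match exactly when an access rule sets required_scope.
      scope_strategy: exact
      # Cache introspection results briefly so each request does not cost a
      # round trip to the managed Hydra (assumed values; tune to your needs).
      cache:
        enabled: true
        ttl: 60s
```

Rotate the API key like any other credential and scope it to the least privilege the managed project offers, since anyone holding it can introspect tokens for the whole project.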