Reference to .MatchContext.RegexpCaptureGroups doesn't render in access rules authenticator config
sunnyyip opened this issue
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
https://naughty-tesla-4oqisau3a4.projects.oryapis.com
Describe the bug
I have an access rule aiming to enforce JWT audience to match the requested domain. However, the .MatchContext.RegexpCaptureGroups reference, defined in the audience field, didn't render (the cause of the error) and got printed out literally in the log.
{
  "id": "protected_resources",
  "version": "v0.40.6",
  "match": {
    "url": "<http|https>://<.*>/<playground|query|anything/header>",
    "methods": [
      "GET",
      "POST"
    ]
  },
  "authenticators": [
    {
      "handler": "jwt",
      "config": {
        "target_audience": [
          "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}://{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}"
        ]
      }
    }
  ],
Reproducing the bug
- include a URL with a regex match group
- reference the match group in the JWT authenticator config, e.g. audience
- make a request to Oathkeeper
- observe errors in the logs due to .MatchContext.RegexpCaptureGroups being treated as a literal string
Relevant log output
"reason": "id=\nrid=\nerror=The request could not be authorized\nreason=Token audience [https://my.domain.com] is not intended for target audience {{ printIndex .MatchContext.RegexpCaptureGroups 0 }}://{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}
Relevant configuration
{
  "id": "protected_resources",
  "version": "v0.40.6",
  "match": {
    "url": "<http|https>://<.*>/<playground|query|anything/header>",
    "methods": [
      "GET",
      "POST"
    ]
  },
  "authenticators": [
    {
      "handler": "jwt",
      "config": {
        "target_audience": [
          "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}://{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}"
        ]
      }
    }
  ],
Version
v0.40.6
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
No response
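For reference, this is what the `target_audience` template in the report would evaluate to if it were rendered against the rule's capture groups. It is an added example, not part of the original issue and not Oathkeeper's code: `captureGroups`, `render` and the local `printIndex` are stand-ins written for this example, and the request URL is constructed from the audience shown in the log.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// captureGroups: simplified stand-in for the rule matcher; each <...> becomes one capture group.
func captureGroups(pattern, url string) []string {
	var re strings.Builder
	last := 0
	for _, m := range regexp.MustCompile(`<([^>]*)>`).FindAllStringSubmatchIndex(pattern, -1) {
		re.WriteString(regexp.QuoteMeta(pattern[last:m[0]]) + "(" + pattern[m[2]:m[3]] + ")")
		last = m[1]
	}
	re.WriteString(regexp.QuoteMeta(pattern[last:]))
	got := regexp.MustCompile("^" + re.String() + "$").FindStringSubmatch(url)
	if got == nil {
		return nil // URL does not match the rule
	}
	return got[1:]
}

// render expands an audience template; printIndex is this example's own helper.
func render(tmpl string, groups []string) (string, error) {
	funcs := template.FuncMap{"printIndex": func(s []string, i int) string {
		if i < 0 || i >= len(s) {
			return "" // out-of-range index renders as empty
		}
		return s[i]
	}}
	t, err := template.New("aud").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	data := map[string]interface{}{"MatchContext": map[string]interface{}{"RegexpCaptureGroups": groups}}
	var out strings.Builder
	err = t.Execute(&out, data)
	return out.String(), err
}

func main() {
	rule := "<http|https>://<.*>/<playground|query|anything/header>"
	aud := "{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}://{{ printIndex .MatchContext.RegexpCaptureGroups 1 }}"
	got, err := render(aud, captureGroups(rule, "https://my.domain.com/query")) // constructed request URL
	fmt.Println("rendered:", got, "err:", err, "matches token aud:", got == "https://my.domain.com")
}
```

The rendered value equals the token audience from the log, whereas the unrendered template string can never equal it, so every request to this rule is rejected.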