feat: add docs for delegate authenticator
ory/oathkeeper#1153 implements
a new authenticator to allow authn/authz delegation
to upstream services.

Relates to ory/oathkeeper#1152
yunier-rojas committed Mar 7, 2024
1 parent 42e3d07 commit bd26183
Showing 2 changed files with 55 additions and 5 deletions.
3 changes: 3 additions & 0 deletions code-examples/oathkeeper/oathkeeper/oathkeeper.yml
@@ -68,6 +68,9 @@ authenticators:
noop:
enabled: true

delegate:
enabled: true

authorizers:
allow:
enabled: true
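Review bot: the sample `oathkeeper.yml` now enables `delegate` right next to `noop` with nothing distinguishing the two, while the docs in this same commit describe `delegate` as a pass-all handler that bypasses authorization and mutation. Add a comment on the `delegate:` block saying so (or leave it `enabled: false` in the example), so readers who copy this file do not switch on a bypass authenticator by default.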
57 changes: 52 additions & 5 deletions docs/oathkeeper/pipeline/authn.md
@@ -54,12 +54,9 @@ are valid! If a handler encounters invalid credentials, then other handlers will

## `noop`

The `noop` handler tells Ory Oathkeeper to bypass authentication, authorization, and mutation. This implies that no authorization
will be executed and no credentials will be issued. It's basically a pass-all authenticator that allows any request to be
forwarded to the upstream URL.
The `noop` handler always authenticate the user, no questions asked. It applies authorization, and mutation.

> Using this handler is basically an allow-all configuration. It makes sense when the upstream handles access control itself or
> doesn't need any type of access control.
> Using this handler is basically an allow-all configuration.
### `noop` configuration

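Review bot: the new `noop` sentence inverts the removed description and has two grammar slips; both need attention. The removed lines said `noop` bypasses authorization and mutation, the new line says it "applies authorization, and mutation", so if this reflects a behaviour change shipped in ory/oathkeeper#1153, state that explicitly and add a short migration note (rules that relied on `noop` to skip authorizers and mutators should switch to `delegate`). Also change "always authenticate the user" to "always authenticates the user", drop the comma in "authorization, and mutation", and reconsider the surviving blockquote "Using this handler is basically an allow-all configuration": a handler that still runs the configured authorizer is only allow-all when that authorizer is `allow`.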
@@ -215,6 +212,56 @@ The request isn't authorized because credentials have been provided but only the
authenticator is enabled for this URL.
```

## `delegate`

The `delegate` handler tells Ory Oathkeeper to bypass authentication, authorization, and mutation. This implies that no authorization
will be executed and no credentials will be issued. It's basically a pass-all authenticator that allows any request to be
forwarded to the upstream URL.

> Using this handler is basically an allow-all configuration. It makes sense when the upstream handles access control itself or
> doesn't need any type of access control.

### `delegate` configuration

This handler isn't configurable.

To enable this handler, set:

```yaml
# Global configuration file oathkeeper.yml
authenticators:
delegate:
# Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
enabled: true
```

### `delegate` access rule example

```sh
cat ./rules.json
[{
"id": "some-id",
"upstream": {
"url": "http://my-backend-service"
},
"match": {
"url": "http://my-app/some-route",
"methods": [
"GET"
]
},
"authenticators": [{
"handler": "delegate"
}]
}]
curl -X GET http://my-app/some-route
HTTP/1.0 200 Status OK
The request has been allowed!
```

## `cookie_session`

The `cookie_session` authenticator will forward the request method, path and headers to a session store. If the session store
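Review bot: the `delegate` description and its blockquote are the old `noop` paragraphs copied verbatim ("tells Ory Oathkeeper to bypass authentication, authorization, and mutation ... pass-all authenticator"), so the section never says what is delegated or to whom. Lead with the point from the commit message instead, for example: "The `delegate` handler forwards the request to the upstream without running any authorizer or mutator; the upstream service is responsible for authentication and authorization." It is also worth one sentence in the access rule example noting that any `authorizer` or `mutators` entries in such a rule are skipped, since the example shows neither and readers may otherwise add them expecting enforcement.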
