Integrate with Traefik, Nginx, Ambassador, Envoy

[mvanderlee]

Is your feature request related to a problem? Please describe.

I'd like to use Ory Oathkeeper with:

• Traefik Forward Auth: (example)
  • Implementation is required
  • Document set up (with example config) in Oathkeeper -> Scenarios (new section!) ->Nginx ForwardAuth
• Nginx Subrequest:
  • Implementation should already work with the existing decisions endpoint
  • Document set up (with example config) in Oathkeeper -> Scenarios (new section!) ->Nginx ForwardAuth
• Ambassador Ambassador AuthService Plugin:
  • Implementation should already work with the existing decisions endpoint
  • Document set up (with example config) in Oathkeeper -> Scenarios (new section!) ->Ambassador AuthService Plugin
• Envoy External Authorization
  • Research is needed to decide if a custom endpoint is required or not
  • Document set up (with example config) in Oathkeeper -> Scenarios (new section!) -> Envoy External Authorization

Additional info

As per my comment #265 (comment) we would like to offer one endpoint per service:

• /decisions/generic/... (this is currently /decisions)
• /decisions/traefik/...
• ...

For backwards compatibility ideas see https://github.com/ory/oathkeeper/pull/265/files#r329310302

For implementation ideas see this PR: #265

Context

See comment #263 (comment)

[piotrmsc]

AFAIR oathkeeper already has solution for that, I've been thinking about a similar thing in istio using mixer adapter. Oathkeeper decision API https://www.ory.sh/docs/oathkeeper/sdk/api#access-control-decision-api is what you could use in the middleware. It gives you more less "ok"/ "not ok" responses.
@aeneasr correct me if I'm wrong 👍

[mvanderlee]

For traefik I'd have to either create a wrapper service to call in the middleware, modify traefik, or modify oathkeeper.

Modifying oathkeeper was the easiest.

Instead of adding a new endpoint, as I've done in the PR, we could make the decision source comfortable for a single endpoint?
I.e. in oathkeeper.yml:
decision:
source: request_path or headers
proto_header: X-Forwarded-Proto
host_header: X-Forwarded-Host
Etc.

[aeneasr]

As per my comment #265 (comment) we would like to offer one endpoint per service. So moving the Decisions API in general to /decisions/generic. For backwards compatibility ideas see https://github.com/ory/oathkeeper/pull/265/files#r329310302

For implementation ideas see this PR: #265

Additionally, we should document the set up for the different systems. Let's start with

• Traefik
• Nginx
• Ambassador

in ORY Docs in a new section (e.g. Scenarios -> Using with Traefik / Using with Nginx / ...).

[rdehouss]

Hi! I see 0.38 is moving forward with beta.2, will this feature be done by the time 0.38 is released?
We're using traefik for our API in docker and we'd like to protect them with Oathkeeper, that would be awesome!
Thanks a lot for all your efforts!

[aeneasr]

As soon as the PR is finished (contributions welcomed) this will be merged and released!

[SvenDowideit]

Any chance of adding @mholt's https://caddyserver.com/ to this list? (very much looking forward to trying ory out with Traefik on Docker Swarm - currently using Keycloak :)

[tomiles]

I would love to use the changes part of #486. It has been merged in the next-gen branch.
But its unclear when this might find its way in the master or next release, any updates on that?
As a workaround untill then I can probably apply that PR onto the current master and build it myself?

[aeneasr]

We're currently looking for maintainers (as a full time job) for Ory Oathkeeper because we currently lack resources to implement these things internally.