Diffstat (limited to 'includes/oathkeeper.jsonnet')
-rw-r--r-- | includes/oathkeeper.jsonnet | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/includes/oathkeeper.jsonnet b/includes/oathkeeper.jsonnet
new file mode 100644
index 0000000..02db2b8
--- /dev/null
+++ b/includes/oathkeeper.jsonnet
@@ -0,0 +1,55 @@
+local main = import "main.jsonnet";
+
+local cookieSessionAuthenticator = {
+ handler: "cookie_session"
+};
+local oauth2ClientCredentialsAuthenticator = {
+ handler: "oauth2_client_credentials"
+};
+
+local allowAuthorizer = {
+ handler: "allow"
+};
+local ketoAuthorizer(object) = {
+ handler: "remote_json", config: {
+ remote: "https://keto.sso.internal.random.sh/check",
+ payload: |||
+ {
+ "namespace": "websites",
+ "subject": "{{ print .Subject }}",
+ "object": object,
+ "relation": "access"
+ }
+ |||}
+};
+
+local errorRedirectHandler = {
+ handler: "redirect",
+ config: {
+ to: main.sso.login_url,
+ return_to_query_param: "return_to"
+ }
+};
+
+local idTokenMutator = {handler: "id_token"};
+
+local headerMutator = {handler: "header"};
+
+{
+ authenticators: {
+ cookieSession: cookieSessionAuthenticator,
+ oauth2ClientCredentials: oauth2ClientCredentialsAuthenticator,
+ },
+ authorizers: {
+ keto: ketoAuthorizer,
+ allow: allowAuthorizer,
+ },
+ errors: {
+ redirect: errorRedirectHandler,
+ },
+ mutators: {
+ idToken: idTokenMutator,
+ header: headerMutator
+ },
+ allHttpMethods: ["OPTIONS", "GET", "POST", "PUT", "PATCH", "DELETE"],
+} |
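Review bot: In `ketoAuthorizer(object)` the `payload` is a `|||` text block, which Jsonnet emits verbatim without interpolation, so the `object` parameter never reaches the request body and Keto is sent the literal token `"object": object`, which is not valid JSON. The authorizer therefore cannot check the intended object; whether Keto rejects the malformed body (denying every route that uses `keto`) or handles it some other way depends on the remote, and neither is the enforcement the rule set expresses. Build the body from a Jsonnet value instead, e.g. `payload: std.manifestJson({ namespace: "websites", subject: "{{ print .Subject }}", object: object, relation: "access" }),`, which also makes Jsonnet quote the object value. Note that `{{ print .Subject }}` is still substituted by Oathkeeper's template engine after Jsonnet evaluation, so this does not address escaping of the subject value inside the JSON string.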