bootstrap-python-fastapi/auth_volumes/oathkeeper/access-rules.yml at d52760ffe45161d36144e53bdcd829644943d376 · febus982/bootstrap-python-fastapi · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
# Kratos public API for authorized and unauthorized traffic
- id: "ory:kratos:public"
  upstream:
    preserve_host: true
    url: "http://kratos:4433"
    strip_path: /.ory/kratos/public
  match:
    # This URL has to match serve.public.base_url in kratos config
    # we'll probably want to remove references to ory and kratos
    url: "http://127.0.0.1:8080/.ory/kratos/public/<**>"
    methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
  authenticators:
    - handler: noop
  authorizer:
    handler: allow
  mutators:
    - handler: noop

# UI Access for anonymous traffic (Home page)
- id: "ory:auth-ui:anonymous"
  upstream:
    preserve_host: true
    url: "http://auth-ui:3000"
  match:
    url: "http://127.0.0.1:8080/"
    methods:
      - GET
  authenticators:
    - handler: anonymous
  authorizer:
    handler: allow
  mutators:
    - handler: noop

# UI Access for anonymous traffic (Other pages)
- id: "ory:auth-ui-home:anonymous"
  upstream:
    preserve_host: true
    url: "http://auth-ui:3000"
  match:
    url: "http://127.0.0.1:8080/<{registration,welcome,recovery,verification,login,error,health/{alive,ready},**.css,**.js,**.png,**.svg,**.woff*}>"
    methods:
      - GET
  authenticators:
    - handler: anonymous
  authorizer:
    handler: allow
  mutators:
    - handler: noop

# UI Access for logged-in only pages
- id: "ory:kratos-selfservice-ui-node:protected"
  upstream:
    preserve_host: true
    url: "http://auth-ui:3000"
  match:
    url: "http://127.0.0.1:8080/<{sessions,settings}>"
    methods:
      - GET
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: allow
  mutators:
    - handler: id_token
  errors:
    - handler: redirect
      config:
        to: http://127.0.0.1:8080/login

# Dev container access to protected /api/* endpoints, to the dev container
- id: "http_app:protected"
  upstream:
    preserve_host: true
    url: "http://dev:8000"
    strip_path: /api
  match:
    url: "http://127.0.0.1:8080/<{api/,api/**,openapi.json}>"
    methods:
      - GET
  authenticators:
    # Get opaque token from cookie
    - handler: cookie_session

    # Or from bearer token
    # Note this is not a secure way to do authentication but
    # but we can use it for local development (i.e. Postman)
    # Refer to: https://www.ory.sh/docs/kratos/self-service/flows/user-login#login-for-api-clients-and-clients-without-browsers
    - handler: bearer_token
  authorizer:
    handler: allow
  mutators:
    - handler: id_token
  errors:
    - handler: redirect
      config:
        to: http://127.0.0.1:8080/login