default_rule:
execute:
- authenticator: session_cookie_from_kratos_authn
- authenticator: oauth2_introspect_token_from_keycloak_authn
- authorizer: deny_all_requests_authz
- finalizer: create_jwt
on_error:
- error_handler: authenticate_with_kratos_eh
if: |
type(Error) == authentication_error && Error.Source == "session_cookie_from_kratos_authn"
This example defines a default rule, with the authentication 6 authorization pipeline consisting of two authenticators, with session_cookie_from_kratos_authn
being the first and oauth2_introspect_token_from_keycloak_authn
being the fallback one (if the first one fails), a deny_all_requests_authz
authorizer and the create_jwt
finalizer. The error pipeline is configured to execute only the authenticate_with_kratos_eh
error handler.
Obviously, the authentication & authorization pipeline (defined in the execute
property) of this default rule will always result in an error due to deny_all_requests_authz
. This way it is thought to provide secure defaults and let the upstream specific (regular) rules override at least the part dealing with authorization. Such an upstream specific rule could then look like follows:
id: rule:my-service:protected-api
match:
routes:
- path: /foo
execute:
- authorizer: allow_all_requests_authz
Take a look at how on_error
, as well as the authenticators and finalizers from the execute
definition of the default rule are reused. Easy, no?