Decision API discards query string from X-Forwarded-Uri, breaking authenticators that read query parameters #1264
Open
Labels: bug (Something is not working.)
Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
When Oathkeeper is used in decision mode (e.g., as a forwardAuth backend for Traefik), query parameters from the original request URL are discarded. This breaks any authenticator configured with token_from.query_parameter, such as extracting a JWT from ?token=<jwt>.
Reproducing the bug
- Configure an access rule with a jwt authenticator using token_from.query_parameter:

  ```yaml
  authenticators:
    - handler: jwt
      config:
        token_from:
          query_parameter: token
  ```

- Send a request through the decision API with a signed JWT in the query string:

  ```http
  GET /decisions
  X-Forwarded-Proto: https
  X-Forwarded-Host: api.example.com
  X-Forwarded-Uri: /api/resource?token=eyJhbGciOiJSUzI1NiIs...
  X-Forwarded-Method: GET
  ```

- Oathkeeper returns 401 Unauthorized — no authenticator matches, because the jwt authenticator never sees the token query parameter.
Relevant log output
Relevant configuration
Version
v0.40.9
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
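The failure the report describes, shown as an added example that is not Oathkeeper's own code: a Go helper that rebuilds the original request URL from the X-Forwarded-* headers with url.Parse, so the query string survives, next to a path-only variant that reproduces the drop. The header values are constructed from the reproduction steps above, the token value is a placeholder rather than a JWT, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// ForwardedURL rebuilds the URL of the original client request from the
// X-Forwarded-* headers a reverse proxy (e.g. Traefik forwardAuth) sends to a
// decision endpoint. X-Forwarded-Uri is parsed as a full request-URI, so path,
// query string and fragment are all kept. Hypothetical helper, not Oathkeeper code.
func ForwardedURL(h http.Header) (*url.URL, error) {
	uri := h.Get("X-Forwarded-Uri")
	if uri == "" {
		uri = "/"
	}
	u, err := url.Parse(uri)
	if err != nil {
		return nil, fmt.Errorf("invalid X-Forwarded-Uri %q: %w", uri, err)
	}
	u.Scheme = h.Get("X-Forwarded-Proto")
	u.Host = h.Get("X-Forwarded-Host")
	return u, nil
}

// PathOnlyURL illustrates the reported behaviour: only the path component of
// X-Forwarded-Uri is copied into the reconstructed URL, so RawQuery is empty
// and any token carried in the query string is silently lost.
func PathOnlyURL(h http.Header) *url.URL {
	u, err := url.Parse(h.Get("X-Forwarded-Uri"))
	if err != nil {
		u = &url.URL{Path: "/"}
	}
	return &url.URL{
		Scheme: h.Get("X-Forwarded-Proto"),
		Host:   h.Get("X-Forwarded-Host"),
		Path:   u.Path, // query string deliberately not carried over
	}
}

// TokenFromQuery mirrors what token_from.query_parameter asks the
// authenticator to do: read the named query parameter. It returns "" when the
// parameter is absent, which is the case that ends in 401 Unauthorized.
func TokenFromQuery(u *url.URL, name string) string {
	return u.Query().Get(name)
}

// DecisionStatus is a minimal stand-in for the decision outcome: a request
// with no token where one is required is rejected with 401, otherwise 200.
func DecisionStatus(u *url.URL, param string) int {
	if TokenFromQuery(u, param) == "" {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// constructedHeaders builds the forwardAuth headers from the reproduction
// steps. The token is a placeholder, not a real JWT.
func constructedHeaders() http.Header {
	h := http.Header{}
	h.Set("X-Forwarded-Proto", "https")
	h.Set("X-Forwarded-Host", "api.example.com")
	h.Set("X-Forwarded-Uri", "/api/resource?token=PLACEHOLDER_JWT")
	h.Set("X-Forwarded-Method", "GET")
	return h
}

func main() {
	h := constructedHeaders()

	full, err := ForwardedURL(h)
	if err != nil {
		panic(err)
	}
	fmt.Printf("query preserved: %s -> status %d\n", full, DecisionStatus(full, "token"))

	pathOnly := PathOnlyURL(h)
	fmt.Printf("query dropped:   %s -> status %d\n", pathOnly, DecisionStatus(pathOnly, "token"))
}
```

Running it prints the same request reconstructed both ways: the url.Parse version keeps ?token=... and the stand-in decision returns 200, while the path-only version yields https://api.example.com/api/resource and a 401, matching the third reproduction step. When checking a decision endpoint for this class of bug, compare the URL the authenticator actually receives against the raw X-Forwarded-Uri header value rather than against the path alone.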