Error Handlers
A error handler is responsible for executing logic after, for example, authentication or authorization failed. Ory Oathkeeper supports different error handlers and we will add more as the project progresses.
A error handler can be configured to match on certain conditions, for example,
it's possible to configure the json
error handler to only be executed if the
HTTP Header Accept
contains application/json
.
Each error handler has two keys:
handler
(string, required): Defines the handler (for examplenoop
) to be used.config
(object, optional): Configures the handler. Configuration keys vary per handler. The configuration can be defined in the global configuration file, or per access rule.
Example
{
"errors": [
{
"handler": "json",
"config": {}
}
]
}
You can define more than one error handler in the Access Rule. Depending on their matching conditions (see next chapter), the appropriate error handler will be chosen.
Please be aware that defining error handlers with overlapping matching conditions will cause errors, because Ory Oathkeeper won't know which error handler to execute!
Error Matching
You can configure the error handlers in such a way, that - for example - Ory Oathkeeper responds, in the case of an error, with
- a JSON response, such as
{"error":{"code":403,"status":"Forbidden","message":"Access credentials aren't sufficient to access this resource"}}
, when the client that expects JSON (Accept: application/json
); - an XML response when the API Client expects XML (
Accept: application/xml
); - a HTTP Redirect (HTTP Status Found - 302) to
/login
when the endpoint is directly (no AJAX) accessed from a browser (Accept: text/html,application/xhtml+xml
).
There are also other possible matching strategies - such as defining a response
per error type (unauthorized, forbidden, internal_server_error, ...) , per HTTP
Content-Type
Header (similar to Accept
), or based on the Remote IP Address.
All match definitions are set in the handler's config, using the when
key.
This is the same for all handlers!
{
handler: 'json', // or redirect, www_authenticate, ...
config: {
when: [
{
error: ['unauthorized', '...', '...']
}
]
}
}
If when
is empty, then no conditions are applied and the error handler is
always matching! In fact, this is also true for all subkeys. If left empty, the
matching condition won't be applied and is thus always true!
Fallback
Error handling can be set globally and per access rule. Ory Oathkeeper will first check for any access rule specific error handling before falling back to the globally defined error handling.
Similar to other pipeline handlers (authentication, authorization, mutation),
you must enable the error handlers in the global Ory Oathkeeper config, except
for the json
error handler which is always enabled by default:
# .oathkeeper.yaml
errors:
handlers:
json:
enabled: true # this is true by default
# config:
# when: ...
redirect:
enabled: true # this is false by default
# config:
# when: ...
As discussed in the previous section, when config.when
is empty, the error
handler will always match. This of course is a problem because Ory Oathkeeper
now doesn't know if it should redirect or send a JSON error!
Therefore, an additional configuration - called fallback
- is available:
# .oathkeeper.yaml
errors:
# `["json"]` is the default!
fallback:
- json
handlers:
json:
enabled: true # this is true by default
# config:
# when: ...
redirect:
enabled: true # this is false by default
config:
to: http://mywebsite/login
# when: ...
This feature tells Ory Oathkeeper that the json
error handler should be used
as fallback. You could also define multiple fallback handlers - the first
matching handler will be the one and only executed! This makes sense if you
configure the when
section as well:
# .oathkeeper.yaml
errors:
fallback:
- redirect
- json
handlers:
json:
enabled: true
redirect:
enabled: true
config:
when:
- request:
header:
accept:
- text/*
In this configuration example, Ory Oathkeeper would first check if the HTTP
Request Header contains Accept: text/html
(or text/xhtml
, text/text
, ...)
and if not, would return a JSON Error Message.
Matchers
All matchers are defined under the config.when
key of the error handler, both
in the global config and in the access rule:
// access-rule.json
{
handler: 'json',
config: {
when: [
{
error: ['unauthorized', '...', '...']
}
]
}
}
# .oathkeeper.yaml
errors:
handlers:
redirect:
enabled: true
config:
when:
- error:
- unauthorized
- ...
- ...
You can define multiple when clauses which allows you to differentiate between
error types and HTTP Requests. The when sections are combined with OR
while
the subkeys (error
, request.header.accept
, request.header.content_type
,
...) are matched with AND
. Keys that have arrays as values (error
,
request.header.accept
, request.header.content_type
, ...) are usually matched
with OR
:
# .oathkeeper.yaml
errors:
handlers:
redirect:
enabled: true
config:
when:
- error:
- unauthorized
# OR
- internal_server_error
# AND
request:
remote_ip:
match:
- 192.168.1.0/24
# OR
- 192.178.1.0/24
# OR
- error:
- forbidden
# OR
- not_found
# AND
request:
header:
accept:
- text/html
# OR
- text/xhtml
# AND
content_type:
- application/x-www-form-urlencoded
# OR
- multipart/form-data
Error
The config.when.#.error
key may contain zero, one, or multiple error names
that must match for this matching condition to be true. The error names are
derived (lowercase and whitespaces replaced with _
) from the well-defined
HTTP Status messages
such as Not Found
, Forbidden
, Internal Server Error
, and so on.
Here are some examples:
Internal Server Error
(500) ->{"errors": ["internal_server_error"]}
Forbidden
(403) ->{"errors": ["forbidden"]}
Not Found
(404) ->{"errors": ["not_found"]}
Bad Request
(400) ->{"errors": ["bad_request"]}
Keep in mind that these errors must be emitted by Ory Oathkeeper itself, not by the upstream API. Therefore, most HTTP Status Codes won't have any effect because Ory Oathkeeper - as of now - mostly returns 401, 403, 500 error codes.
As discussed previously, if this configuration key is left empty, then all error types will match!
HTTP Request: Remote IP
The HTTP Remote IP is the IP of the Client that initially made the request. The Remote Address is matched using CIDR Notation:
config:
when:
- request:
remote_ip:
match:
- 192.168.1.0/24
This configuration would match a HTTP Request coming directly from
192.168.1.1
, 192.168.1.2
, and so on.
If Ory Oathkeeper runs behind a Load Balancer or any other type of Reverse
Proxy, you can configure Ory Oathkeeper to check the
X-Forwarded-For
HTTP Header
header as well:
config:
when:
- request:
remote_ip:
respect_forwarded_for_header: true # defaults to false
match:
- 192.168.1.0/24
As discussed previously, if this configuration key is left empty, then all remote IPs will match!
HTTP Requests that include one of the matching IP Addresses in the
X-Forwarded-For
HTTP Header, for example
X-Forwarded-For: 123.123.123.123, ..., 192.168.1.1, ...
, now match this error
handler.
HTTP Request Header: Accept
The HTTP Accept
Header is the most common way to tell an HTTP API what MIME
content type is expected. For example, FireFox sends
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
for
all regular requests for example when opening www.ory.sh.
And a REST API Client usually sends Accept: application/json
.
Therefore, using the Accept
header is one of the most common ways to
distinguish between "regular" browser traffic, REST API traffic, and other types
of HTTP traffic.
In Ory Oathkeeper, you can specify the matching conditions for the Accept header as follows:
config:
when:
- request:
header:
accept:
- text/html
- text/*
The defined matching condition would apply if a client sends one of the
following Accept
headers:
Accept: text/html
Accept: text/xhtml
Accept: text/xhtml+xml
Accept: text/...
Accept: text/*
Most browsers (see the FireFox example) also send wildcard Accept
headers such
as */*
. To prevent multiple conditions to match, HTTP Accept Headers from the
client are interpreted literally, meaning that wildcards aren't interpreted.
Assuming the client sends Accept: */*
and the error condition is set to
accept: ["text/text"]
, the error condition would not match. If however the
client sends Accept: text/text
and the error condition is set to
accept: ["*/*"]
, then the condition would match.
To match against wildcards in the Accept
header, you have to explicitly define
them in the error condition. Setting the configuration to accept: ["*/*"]
will
match Accept: */*
and of course any other type such as Accept: text/*
Accept: text/html
, and so on.
As discussed previously, if this configuration key is left empty, then all
Accept
headers will match!
HTTP Request Header: Content-Type
The
HTTP Content Type
matcher works similar to the Accept
header. The HTTP Content Type Header
however is much less common, as it's only used in POST, PUT, PATCH requests (or
any other requests that send a HTTP Body).
The main difference however is that the client never (unless it sends malformed
data) sends wildcard MIME types, as the MIME type needs to be deterministic.
It's typically something like multipart/form-data
,
application/x-www-form-urlencoded
, or application/json
.
In Ory Oathkeeper, you can specify the matching conditions for the
Content-Type
header as follows:
config:
when:
- request:
header:
content_type:
- multipart/form-data
# OR
- application/x-www-form-urlencoded
# OR
- application/json
As discussed previously, if this configuration key is left empty, then all
Content-Type
headers will match!
Error Handlers
json
The json
Error Handler returns an application/json
response type. Per
default, error messages are stripped of their details to reduce OSINT attack
surface. You can enable more detailed error messages by setting verbose
to
true
. As discussed in the previous section, you can define error matching
conditions under the when
key.
json
Example
// access-rule.json
{
handler: 'json',
config: {
verbose: true, // defaults to false
when: [
// ...
]
}
}
redirect
The redirect
Error Handler returns a HTTP 302/301 response with a Location
Header. As discussed in the previous section, you can define error matching
conditions under the when
key.
If you want to append the current url (where the error happened) to address
redirected to, You can specify return_to_query_param
to set the name of
parameter that will hold the url. The information about the current url is taken
either from the URL, or from the X-Forwarded-Method
, X-Forwarded-Proto
,
X-Forwarded-Host
, X-Forwarded-Uri
headers (if present) of the incoming
request.
redirect
Example
// access-rule.json
{
handler: 'json',
config: {
to: 'http://my-website/login', // required!!
return_to_query_param: 'return_to',
code: 301, // defaults to 302 - only 301 and 302 are supported.
when: [
// ...
]
}
}
When the user accesses a protected url http://my-website/settings
, they will
be redirected to
http://my-website/login?return_to=http%3A%2F%2Fmy-website%2Fsettings
. The
login page can use the return_to
paramter to return user to intended page
after a successful login.
www_authenticate
The www_authenticate
Error Handler responds with HTTP 401 and a
WWW-Authenticate
HTTP Header.
You can configure the realm
the browser will display. The realm
is a message
that will be displayed by the browser. Most browsers show a message like "The
website says: <realm>
". Using a real message is thus more appropriate than a
Realm identifier.
This error handler is "exotic" as WWW-Authenticate isn't a common pattern in
today's web. As discussed in the previous section, you can define error matching
conditions under the when
key.
www_authenticate
Example
// access-rule.json
{
handler: 'json',
config: {
realm: 'Please enter your username and password', // Defaults to `Please authenticate.`
when: [
// ...
]
}
}