nexus/oathkeeper/config/oathkeeper.yml

---
# Ory Oathkeeper configuration: reverse proxy on :7200, admin API on :7250.
# The access rules live in the repositories listed under access_rules; the
# authenticators, authorizers and mutators declared below are only *available*
# to those rules, so enabling one here does not apply it to any route by itself.
serve:
  proxy:
    port: 7200
    # NOTE(review): honouring X-Forwarded-* is only safe when every path to this
    # port goes through a proxy that overwrites those headers; confirm :7200 is
    # not reachable directly by clients.
    trust_forwarded_headers: true
    cors:
      enabled: true
      # Explicit origin allowlist. Because allow_credentials is on, cookies are
      # sent only to origins listed here.
      allowed_origins:
        - 'https://account.example.com'
        - 'https://auth.example.com'
        - 'https://app.example.com'
        - 'https://admin.example.com'
        - 'https://api.example.com'
        # Local development origins. With credentials enabled, a page on any of
        # these can call the API with the user's session cookie.
        # NOTE(review): confirm these are dropped from production deployments.
        - 'http://localhost:5000'
        - 'http://localhost:5173'
        - 'http://localhost:7200'
        - 'https://local.example.com:5173'
      allowed_methods:
        - GET
        - POST
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Content-Type
        - X-Session-Token
        - Cookie
        - Accept
      exposed_headers:
        - Content-Type
        # Browsers treat Set-Cookie as a forbidden response-header name, so
        # exposing it here does not make it readable from scripts.
        - Set-Cookie
      allow_credentials: true
      debug: false
  api:
    # NOTE(review): the API port serves Oathkeeper's own endpoints (health,
    # rules, keys); keep it on the internal network only.
    port: 7250

access_rules:
  matching_strategy: glob
  repositories:
    - file:///etc/oathkeeper/rules/nexus.yml
    - file:///etc/oathkeeper/rules/kratos.yml
    - file:///etc/oathkeeper/rules/django.yml

authenticators:
  # Both session authenticators validate against the Kratos whoami endpoint
  # and use the identity id as the subject; the full whoami payload is kept in
  # .Extra (extra_from: '@this') for the mutators below.
  cookie_session:
    enabled: true
    config:
      check_session_url: http://127.0.0.1:6000/sessions/whoami
      preserve_path: true
      extra_from: '@this'
      subject_from: 'identity.id'
      # Requests that do not carry the Kratos session cookie are not handled by
      # this authenticator and fall through to the next one in the rule.
      only:
        - ory_kratos_session
  bearer_token:
    enabled: true
    config:
      check_session_url: http://127.0.0.1:6000/sessions/whoami
      token_from:
        header: Authorization
      preserve_path: true
      extra_from: '@this'
      subject_from: 'identity.id'
  # noop accepts every request without establishing a subject: a rule that
  # lists it is effectively unauthenticated. Review rule files for its use.
  noop:
    enabled: true
  # anonymous assigns the fixed subject "guest" when no credentials are present.
  anonymous:
    enabled: true
    config:
      subject: guest

authorizers:
  allow:
    enabled: true
  deny:
    enabled: true

mutators:
  noop:
    enabled: true
  # Identity headers injected into the upstream request.
  header:
    enabled: true
    config:
      headers:
        # Security: shared secret that lets the Django backend distinguish
        # traffic from Oathkeeper. The upstream must reject requests without it,
        # otherwise a client that can reach the backend directly can forge the
        # X-User-* headers itself.
        # NOTE(review): assumes ${OATHKEEPER_SECRET} is expanded before
        # Oathkeeper loads this file — confirm with the deployment tooling.
        X-Oathkeeper-Secret: '${OATHKEEPER_SECRET}'
        X-User-ID: '{{ print .Subject }}'
        # NOTE(review): these print traits without the `with` guard used for the
        # profile-id headers below; a missing trait may reach the upstream as a
        # literal "<no value>" string — confirm the backends tolerate that.
        X-User-Email: '{{ print .Extra.identity.traits.email }}'
        X-User-First-Name: '{{ print .Extra.identity.traits.name.first }}'
        X-User-Last-Name: '{{ print .Extra.identity.traits.name.last }}'
        X-User-Phone: '{{ print .Extra.identity.traits.phone }}'
        X-User-Profile-Type: '{{ print .Extra.identity.traits.profile_type }}'
        # Same value under two names: Django reads X-Django-Profile-ID, the Rust
        # service reads X-Profile-ID. The nested `with` leaves the header empty
        # rather than "<no value>" when metadata_public or the id is absent.
        X-Profile-ID: '{{ with .Extra.identity.metadata_public }}{{ with .django_profile_id }}{{ . }}{{ end }}{{ end }}'
        X-Django-Profile-ID: '{{ with .Extra.identity.metadata_public }}{{ with .django_profile_id }}{{ . }}{{ end }}{{ end }}'
  # Adds a user_id cookie to the upstream request (not to the client response).
  cookie:
    enabled: true
    config:
      cookies:
        user_id: '{{ print .Subject }}'

errors:
  # JSON is the default error response; the redirect handler takes over only
  # for the browser case described in its `when` clause.
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        # NOTE(review): verbose includes the error reason in the response body,
        # which is visible to unauthenticated callers; consider false outside
        # development.
        verbose: true
    # Browser clients (Accept: text/html) are sent to the login page on
    # unauthorized/forbidden instead of receiving a JSON error.
    redirect:
      enabled: true
      config:
        to: https://account.example.com/login
        when:
          - error:
              - unauthorized
              - forbidden
            request:
              header:
                accept:
                  - text/html

log:
  level: info
  format: text