Accessing SelfServiceSettingsFlowWithoutBrowser using id_token mutator in Oathkeeper

[viters]

Hey,

I am working on a microservice, where one of it's responsibilities will be updating user's identity on behalf of a user. In other words, user calls this microservice when he is logged in, and it performs update on his identity using SelfServiceSettingsFlowWithoutBrowser API.

What should I send as xSessionToken to authorize request on behalf of the user?

My oathkeeper config:

mutators:
  id_token:
    enabled: true
    config:
      claims: |
        {
          "session": {{ .Extra | toJson }}
        }

authenticators:
  cookie_session:
    enabled: true
    config:
      preserve_path: true
      extra_from: '@this'
      subject_from: 'identity.id'
      only:
        - ory_kratos_session

[viters]

Is it even possible? I know I can use Kratos Admin API, but using SelfServiceSettingsFlowWithoutBrowser feels more secure. By the way, admin API identity update does not change updated_at.

[aeneasr]

Oh feel free to report this as a bug!

Regarding your question, you should forward the user’s token (if a mobile app) or the user’s cookie (if a browser app) :)

For Oathkeeper this would probably be the noop authenticator

[viters]

@aeneasr

Oh feel free to report this as a bug!

Okay, I will 👍

Regarding your question, you should forward the user’s token (if a mobile app) or the user’s cookie (if a browser app) :) For Oathkeeper this would probably be the noop authenticator.

Hmmm, gotcha. So is X-Session-Token just the content of Kratos cookie? I am asking, because I suppose that I should call SelfServiceSettingsFlowWithoutBrowser on server-side, but when browser-client calls this API - I will have no token, but cookie.