How does this work with fine-grained authz with protocol buffers and websockets?

[danielblignaut]

this works really well for restful applications where there’s hints of state accessible in the protocol (e.g. path routes with item ID). How would this work:

1. If you need fine-grained authorisers (e.g. can the user access the resource where the resource has an ID and we can pass this to keto as per usual) and you’re using a binary protocol? (GRPC with protocol buffers). Would you have to use a remote json authorizor?
2. If you’re performing a client side stream over grpc and need to authorize not just the initial http connection but the application level messages?

Both of these could be addressed by making oathkeeper more of an application level frame work and proxy or having custom authorisers per framework? (E.g. grpc, etc.) - this seems like we have this already for REST but it’s just not labelled a “REST authoriser”

[vinckr]

Hello Daniel,
I dont think Oathkeeper supports binary protocols or grpc/websocket style connections right now.

It would probably be a some good input for a feature request or the
Lessons learned & ORY Oathkeeper NextGen issue.