Can I use kratos as an authenticator?

[cameron-martin]

I am trying to set up oathkeeper to protect an API that is on the same domain as kratos. It seems that oathkeeper should be able to check the session that kratos generates, but this isn't immediately obvious how to do this from the oathkeeper documentation. The closest thing that I can find is using the session_cookie authenticator, but it's not obvious how to configure this correctly with kratos.

Is what I'm trying to do possible currently?

[cameron-martin]

An example of how to do this is in the repo: https://github.com/ory/kratos/blob/7a5143c46a5a1546685490799baec0c00e3b177c/contrib/quickstart/oathkeeper/oathkeeper.yml#L59-L67

It would be useful to have this information in the docs, however.

[vinckr]

True, do you have an idea how we can improve the docs in that point?
It seems to me the difference in those configs is marginal

cookie_session:
  enabled: true
  config:
    check_session_url: http://kratos:4433/sessions/whoami
    preserve_path: true
    extra_from: "@this"
    subject_from: "identity.id"
    only:
      - ory_kratos_session

  - handler: cookie_session
    config:
      check_session_url: https://session-store-host/check-session
      only:
        - sessionid
      preserve_path: true

So I dont feel this needs to be added to concepts, but could be a guide
"How to connect Kratos to Oathkeeper" maybe?

What do you think we should put in there except the config?

[cameron-martin]

A guide would work well, considering there is already one on how to connect Oathkeeper to Hydra. I'm not sure much else is needed, since I believe everything else is application-specific.