
cookie_session authenticator does not extract subject when method is HEAD #1172

Open
DrDobbY opened this issue Jul 8, 2024 · 0 comments
Labels
bug Something is not working.

DrDobbY commented Jul 8, 2024

Preflight checklist

Ory Network Project

goofy-varahamihira-0cacga6s4t

Describe the bug

The cookie_session authenticator is not able to extract the subject ID if the method is HEAD.

Reproducing the bug

I have the following configuration for cookie_session:

cookie_session:
  enabled: true
  config:
    preserve_path: true
    extra_from: "@this"
    additional_headers:
      accept: application/json
    check_session_url: https://goofy-varahamihira-0cacga6s4t.projects.oryapis.com/sessions/whoami
    subject_from: identity.id

And this is my rule:

- id: "test-head"
  match:
    url: http://<127.0.0.1|localhost>:4456/test
    methods: ["HEAD", "GET"]
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: remote_json
  mutators:
    - handler: noop

My remote_json payload configuration is:

payload: |
  {
    "subject": "{{ print .Subject }}",
    "resource": "{{ print .MatchContext.URL }}",
    "token": "{{ .MatchContext.Header.Get "X-Api-Key" }}"
  }

My remote_json endpoint expects the subject to be non-null, but when I send a HEAD request to this endpoint, I get a 400 from the remote_json service, because Oathkeeper did not extract the ID.

Send a HEAD request to this URL, localhost:4456/decisions/test, with a valid cookie. When I change my request from HEAD to GET, I get the expected 200 result.

Relevant log output

This is the stack trace from Oathkeeper:
time=2024-07-08T08:29:55+02:00 level=info msg=started handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip connection:keep-alive cookie:[ory_session_goofyvarahamihira0cacga6s4t=MTcyMDQxODAyM3wwU1U4VmNfNDZ3V0FWOV9aQ3pKTWdMYmVfX21lU0thZGtPOEFmMjRPaWdGQlByb2JBVEJlQldLQU1zeUtnX1RnaXVBbHRZYU9nbnpGWF9ZWEZ5RVU3dnJMXzRZQTRNYmxEcExLMHFlTTVwd25kOXBJbHIwR0NOal9pcnU5QzlHeVNBT1JjS1BWSXZNQ0VrUVpkR0xMSG1uWnNzZmtvTUlRQjVuRGptR0NQNFlWMldsZWVUY0l6ZlJyZl9SSjZpSnhZOVhFNHRlejZaU2xDOXpUVWVjd25Rd0xMaFpQU2Y3RTRpeXhOZzlJNjU4OHFqaWNMTTZwVW5ZWHJDV0lscTRrbDNla084Um5RTU9QQXJRUUhod3l8e7WZrlqpqwa_6s00ravUU6FIX1pGiju33hqFnfwzhq8=; Path=/; Domain=goofy-varahamihira-0cacga6s4t.projects.oryapis.com; Secure; HttpOnly;] postman-token:2829183d-a6d8-4afe-bf6a-01e6b7463916 user-agent:PostmanRuntime/7.39.0] host:localhost:4456 method:HEAD path:/decisions/test query:<nil> remote:[::1]:60972 scheme:http]
time=2024-07-08T08:30:00+02:00 level=warning msg=The authorization handler encountered an error audience=application authorization_handler=remote_json error=map[message:expected status code 200 but got 400 stack_trace:
github.com/ory/oathkeeper/pipeline/authz.(*AuthorizerRemoteJSON).Authorize
        /project/pipeline/authz/remote_json.go:122
github.com/ory/oathkeeper/proxy.(*requestHandler).HandleRequest
        /project/proxy/request_handler.go:266
github.com/ory/oathkeeper/api.(*DecisionHandler).decisions
        /project/api/decision.go:96
github.com/ory/oathkeeper/api.(*DecisionHandler).ServeHTTP
        /project/api/decision.go:50
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/x/corsx.ContextualizedMiddleware.func1
        /go/pkg/mod/github.com/ory/x@v0.0.565/corsx/middleware.go:26
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/x/reqlog.(*Middleware).ServeHTTP
        /go/pkg/mod/github.com/ory/x@v0.0.565/reqlog/middleware.go:142
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/oathkeeper/metrics.(*Middleware).ServeHTTP
        /project/metrics/middleware.go:103
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/x/metricsx.(*Service).ServeHTTP
        /go/pkg/mod/github.com/ory/x@v0.0.565/metricsx/middleware.go:272
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/urfave/negroni.(*Negroni).ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*Handler).ServeHTTP
        /go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.36.4/handler.go:204
net/http.serverHandler.ServeHTTP
        /usr/local/go/src/net/http/server.go:2936
net/http.(*conn).serve
        /usr/local/go/src/net/http/server.go:1995
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1598] granted=false http_host=localhost:4456 http_method=HEAD http_url=http://localhost:4456/test http_user_agent=PostmanRuntime/7.39.0 reason_id=authorization_handler_error rule_id=test-head service_name=ORY Oathkeeper service_version=v0.40.6 subject=
time=2024-07-08T08:30:00+02:00 level=info msg=Access request denied audience=application error=map[message:expected status code 200 but got 400 stack_trace:
github.com/ory/oathkeeper/pipeline/authz.(*AuthorizerRemoteJSON).Authorize
        /project/pipeline/authz/remote_json.go:122
github.com/ory/oathkeeper/proxy.(*requestHandler).HandleRequest
        /project/proxy/request_handler.go:266
github.com/ory/oathkeeper/api.(*DecisionHandler).decisions
        /project/api/decision.go:96
github.com/ory/oathkeeper/api.(*DecisionHandler).ServeHTTP
        /project/api/decision.go:50
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/x/corsx.ContextualizedMiddleware.func1
        /go/pkg/mod/github.com/ory/x@v0.0.565/corsx/middleware.go:26
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/x/reqlog.(*Middleware).ServeHTTP
        /go/pkg/mod/github.com/ory/x@v0.0.565/reqlog/middleware.go:142
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/oathkeeper/metrics.(*Middleware).ServeHTTP
        /project/metrics/middleware.go:103
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/x/metricsx.(*Service).ServeHTTP
        /go/pkg/mod/github.com/ory/x@v0.0.565/metricsx/middleware.go:272
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/urfave/negroni.(*Negroni).ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*Handler).ServeHTTP
        /go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.36.4/handler.go:204
net/http.serverHandler.ServeHTTP
        /usr/local/go/src/net/http/server.go:2936
net/http.(*conn).serve
        /usr/local/go/src/net/http/server.go:1995
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1598] granted=false http_host=localhost:4456 http_method=HEAD http_url=http://localhost:4456/test http_user_agent=PostmanRuntime/7.39.0 service_name=ORY Oathkeeper service_version=v0.40.6
time=2024-07-08T08:30:00+02:00 level=error msg=An error occurred while handling a request audience=application error=map[debug: message:An internal server error occurred, please contact the system administrator reason: stack_trace: 
github.com/ory/herodot.(*DefaultError).WithTrace
        /go/pkg/mod/github.com/ory/herodot@v0.9.13/error_default.go:102
github.com/ory/oathkeeper/pipeline/errors.(*ErrorJSON).Handle
        /project/pipeline/errors/error_json.go:65
github.com/ory/oathkeeper/proxy.(*requestHandler).HandleError
        /project/proxy/request_handler.go:151
github.com/ory/oathkeeper/api.(*DecisionHandler).decisions
        /project/api/decision.go:102
github.com/ory/oathkeeper/api.(*DecisionHandler).ServeHTTP
        /project/api/decision.go:50
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/x/corsx.ContextualizedMiddleware.func1
        /go/pkg/mod/github.com/ory/x@v0.0.565/corsx/middleware.go:26
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/x/reqlog.(*Middleware).ServeHTTP
        /go/pkg/mod/github.com/ory/x@v0.0.565/reqlog/middleware.go:142
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/oathkeeper/metrics.(*Middleware).ServeHTTP
        /project/metrics/middleware.go:103
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/x/metricsx.(*Service).ServeHTTP
        /go/pkg/mod/github.com/ory/x@v0.0.565/metricsx/middleware.go:272
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/urfave/negroni.(*Negroni).ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*Handler).ServeHTTP
        /go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.36.4/handler.go:204
net/http.serverHandler.ServeHTTP
        /usr/local/go/src/net/http/server.go:2936
net/http.(*conn).serve
        /usr/local/go/src/net/http/server.go:1995
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1598 status:Internal Server Error status_code:500] http_request=map[headers:map[accept:*/* accept-encoding:gzip connection:keep-alive cookie:[ory_session_goofyvarahamihira0cacga6s4t=MTcyMDQxODAyM3wwU1U4VmNfNDZ3V0FWOV9aQ3pKTWdMYmVfX21lU0thZGtPOEFmMjRPaWdGQlByb2JBVEJlQldLQU1zeUtnX1RnaXVBbHRZYU9nbnpGWF9ZWEZ5RVU3dnJMXzRZQTRNYmxEcExLMHFlTTVwd25kOXBJbHIwR0NOal9pcnU5QzlHeVNBT1JjS1BWSXZNQ0VrUVpkR0xMSG1uWnNzZmtvTUlRQjVuRGptR0NQNFlWMldsZWVUY0l6ZlJyZl9SSjZpSnhZOVhFNHRlejZaU2xDOXpUVWVjd25Rd0xMaFpQU2Y3RTRpeXhOZzlJNjU4OHFqaWNMTTZwVW5ZWHJDV0lscTRrbDNla084Um5RTU9QQXJRUUhod3l8e7WZrlqpqwa_6s00ravUU6FIX1pGiju33hqFnfwzhq8=; Path=/; Domain=goofy-varahamihira-0cacga6s4t.projects.oryapis.com; Secure; HttpOnly;] postman-token:2829183d-a6d8-4afe-bf6a-01e6b7463916 user-agent:PostmanRuntime/7.39.0] host:localhost:4456 method:HEAD path:/test query:<nil> remote:[::1]:60972 scheme:http] http_response=map[status_code:500] service_name=ORY Oathkeeper service_version=v0.40.6
time=2024-07-08T08:30:00+02:00 level=info msg=completed handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip connection:keep-alive cookie:[ory_session_goofyvarahamihira0cacga6s4t=MTcyMDQxODAyM3wwU1U4VmNfNDZ3V0FWOV9aQ3pKTWdMYmVfX21lU0thZGtPOEFmMjRPaWdGQlByb2JBVEJlQldLQU1zeUtnX1RnaXVBbHRZYU9nbnpGWF9ZWEZ5RVU3dnJMXzRZQTRNYmxEcExLMHFlTTVwd25kOXBJbHIwR0NOal9pcnU5QzlHeVNBT1JjS1BWSXZNQ0VrUVpkR0xMSG1uWnNzZmtvTUlRQjVuRGptR0NQNFlWMldsZWVUY0l6ZlJyZl9SSjZpSnhZOVhFNHRlejZaU2xDOXpUVWVjd25Rd0xMaFpQU2Y3RTRpeXhOZzlJNjU4OHFqaWNMTTZwVW5ZWHJDV0lscTRrbDNla084Um5RTU9QQXJRUUhod3l8e7WZrlqpqwa_6s00ravUU6FIX1pGiju33hqFnfwzhq8=; Path=/; Domain=goofy-varahamihira-0cacga6s4t.projects.oryapis.com; Secure; HttpOnly;] postman-token:2829183d-a6d8-4afe-bf6a-01e6b7463916 user-agent:PostmanRuntime/7.39.0] host:localhost:4456 method:HEAD path:/test query:<nil> remote:[::1]:60972 scheme:http] http_response=map[headers:map[content-type:application/json] size:143 status:500 text_status:Internal Server Error took:5.2060312s]

Relevant configuration

## Rules
- id: "test-head"
  match:
    url: http://<127.0.0.1|localhost>:4456/test
    methods: ["HEAD", "GET"]
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: remote_json
  mutators:
    - handler: noop

## config.yaml
authenticators:
  cookie_session:
    enabled: true
    config:
      preserve_path: true
      extra_from: "@this"
      additional_headers:
        accept: application/json
      check_session_url: https://goofy-varahamihira-0cacga6s4t.projects.oryapis.com/sessions/whoami
      subject_from: identity.id

authorizers:
  remote_json:
    enabled: true
    config:
      remote: http://localhost:8239/api/v1/authorizer/remote_json
      forward_response_headers_to_upstream: [ "roles", "companyId", "siteId", "apartmentId" ]
      payload: |
        {
         "subject": "{{ print .Subject }}"
        }

Version

0.40.6

On which operating system are you observing this issue?

Windows

In which environment are you deploying?

Binary

Additional Context

No response
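Editor's note, added here and not part of the issue or of Oathkeeper's code: the log above shows the decision being denied (granted=false, subject empty, then a 500), so the failure mode is fail-closed rather than an authentication bypass. The mechanism consistent with the report is that a session check which reuses the client's HTTP method sends HEAD to the session store, and a HEAD response carries headers but no body, so there is nothing to read identity.id from. The example below models that with a constructed stand-in for /sessions/whoami (a hard-coded cookie name ory_session, a fixed cookie value, and a fixed identity ID user-123, all assumed) and a forceMethod parameter that pins the method used towards the session store; Oathkeeper's cookie_session configuration documents a force_method option for that purpose, but check the reference for your version rather than relying on this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// whoamiHandler is a constructed stand-in for a session store such as Ory's
// /sessions/whoami. It accepts one hard-coded cookie value (assumption) and
// answers with a session document. Like any HTTP server, it sends headers
// but no body when the request method is HEAD.
func whoamiHandler(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("ory_session")
	if err != nil || c.Value != "valid-session" {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	// On HEAD, net/http discards the body write; the status is still 200.
	_ = json.NewEncoder(w).Encode(map[string]any{
		"active":   true,
		"identity": map[string]any{"id": "user-123"},
	})
}

// checkSession forwards the incoming request's cookies to the session store
// and extracts identity.id (the issue's subject_from). With forceMethod == ""
// the incoming method is reused, which reproduces the reported behaviour;
// with forceMethod set (e.g. "GET") the store is always queried that way.
func checkSession(client *http.Client, checkURL string, incoming *http.Request, forceMethod string) (string, error) {
	method := incoming.Method
	if forceMethod != "" {
		method = forceMethod
	}
	req, err := http.NewRequest(method, checkURL, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Accept", "application/json") // mirrors additional_headers in the issue
	for _, c := range incoming.Cookies() {
		req.AddCookie(c)
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("session store returned %d", resp.StatusCode)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	if len(body) == 0 {
		// The HEAD case: 200 OK and a valid session, but nothing to extract from.
		return "", errors.New("session store returned an empty body (was the method HEAD?)")
	}
	var session struct {
		Identity struct {
			ID string `json:"id"`
		} `json:"identity"`
	}
	if err := json.Unmarshal(body, &session); err != nil {
		return "", err
	}
	if session.Identity.ID == "" {
		return "", errors.New("no subject found at identity.id")
	}
	return session.Identity.ID, nil
}

// SubjectFor runs one end-to-end check against an in-process session store.
// incomingMethod is what the client sent to the gateway; forceMethod is the
// assumed config knob that pins the method used towards the session store.
func SubjectFor(incomingMethod, forceMethod string) (string, error) {
	store := httptest.NewServer(http.HandlerFunc(whoamiHandler))
	defer store.Close()
	incoming := httptest.NewRequest(incomingMethod, "http://localhost:4456/test", nil)
	incoming.AddCookie(&http.Cookie{Name: "ory_session", Value: "valid-session"})
	return checkSession(store.Client(), store.URL+"/sessions/whoami", incoming, forceMethod)
}

func main() {
	cases := []struct{ in, force string }{{"GET", ""}, {"HEAD", ""}, {"HEAD", "GET"}}
	for _, tc := range cases {
		subject, err := SubjectFor(tc.in, tc.force)
		fmt.Printf("incoming=%-4s force_method=%q subject=%q err=%v\n", tc.in, tc.force, subject, err)
	}
}
```

The middle case is the one from the report: a valid cookie, a 200 from the session store, and still no subject, because the empty-body check fires. Pinning the session-store method to GET makes HEAD behave like GET; whichever way the real authenticator is configured, the check worth keeping is that an empty or unparsable session body is rejected instead of being treated as an anonymous subject.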

@DrDobbY DrDobbY added the bug Something is not working. label Jul 8, 2024