Hello community, I have a question. We've successfully setup self-hosted Kratos + Oathkeeper and it works on staging environment with Google login. However, we couldn't make proxy work from local. We are providing kratos URL to CLI and starting the proxy, start the login flow, it all goes well. In the end, google redirects to

remote ratosurl/...oidc/callback

endpoint, I can see there are session cookies in the request and that's redirected to localhost:4000 with 303 status code. The problem is, redirected request only have CSRF token in the request headers, not the other session related cookies. Can anyone help?

Hi @melodic-thailand-6910 So if I understand you correctly Google successfully redirects back to Ory Kratos but Ory Kratos does not issue a session? just a note: the Ory CLI proxy/tunnel was written for the Ory Network and i'm not sure if fully supports flows like OIDC for self-host.

From what we see, when we ues Ory Network, there are 2 redirects, first to the network, then localhost:4000/.ory/xxx. Since remote domain is different than localhost, it can't write cookie to localhost, after redirect, we are authorized at our remote staging URL. We are guessing that network has a proxy which accepts request, rewrites domain and sends same cookies, trying to figure out how we can do the same.

Hey @proud-plumber-24205, I understand that Ory CLI was developed for Network and it works great with Network. Would someone be able to briefly explain how the "ory-base-url-rewrite" header is handled in Ory Network? If we can make progress here, we want to do the issue found at https://github.com/ory/docs/issues/673 🙂