# talk-kratos
m
Haya, so I have a scenario where I have created a session using the ory-client JS library on a React front-end, but now I need to read that same session and validate it using the ory_client Ruby gem. I am attaching a screenshot of the valid signed-in session, visible in the React app that is running on http://localhost:7777. I am also running the project via the tunnel on http://localhost:4000. The Ruby project is running on http://localhost:3002, and all the cookies from the front-end app are available. Below is the Ruby code:
class OryTestController < ActionController::Base
  def index
    # Set the configuration parameters
    OryClient.configure do |configuration|
      configuration.host = 'http://localhost:4000'
      configuration.debugging = true
    end

    # Initialize the client
    ory_api = OryClient::FrontendApi.new

    # Get the cookies
    cookie_string = cookies.to_h.map{|k,v| "#{k}=#{v}"}.join('; ')

    # Check the session
    begin
      session_response = ory_api.to_session({
        cookie: cookie_string
      })
    rescue => e
      session_response = JSON.parse(e.response_body)["error"]
    end

    session_response.deep_symbolize_keys!

    if session_response[:status] == "Success" # @TODO: This should work, need to chat with ORY team about why it's not picking up the session
      render json: session_response
    else
      redirect_to "http://localhost:7777/sign-in"
    end
  end
end
What am I doing wrong? I keep getting a 401 Unauthorized response from the Kratos server, even though the session and cookies are valid?
The front-end session, for reference:
^ @magnificent-energy-493?
m
@miniature-sunset-64101 - why don't you just call the Kratos public API of /sessions/whoami directly from your frontend?
m
Hi @miniature-memory-51394, it's sort of a microservice situation: I need to be able to create the session in a front-end application, currently using NextJS & React, and then read and validate that session on a different, back-end app that runs on Ruby on Rails. We have moved to ORY in our company so that we can unify our Auth system across various services on different code stacks. I'm realising that the Session Token is not saved to the cookies, do I need that token in order to validate the session? I'm hoping that I won't need to save the identifier and password in cookies...
PS: There are several apps that will need to access the session, some use React, some use Ruby on Rails, and then we have a React-native mobile application as well
Also, is the ory_session_{{ project_slug }} cookie value the same as the session_token required in the SDK?
m
did you consider using the Kratos admin API?
m
Thanks @miniature-memory-51394, I am open to any solution that would work the best. Provided I have an active session in my ORY project (Cloud-hosted), created using the ory-client JavaScript SDK on one service, how can I use the ory-client Ruby gem to access and validate that active session in another service running on the same FQDN, using the admin API or otherwise? Please provide a link to some docs on how to do that, or alternatively some kind of code example. If you're not sure about the ruby gem implementation specifically, just some bullet points on what I need to do would help a lot 🙏 I have an API Access key for the project, should that be needed to achieve this goal
m
you could try using the admin API (IdentityAPI): https://github.com/ory/sdk/blob/master/clients/client/ruby/docs/IdentityApi.md#get_session but I'm not sure if this is a viable solution for you. Something else I've noticed: it looks like you don't send the correct structure of the options object to the to_session function. Please look at this example: https://github.com/ory/sdk/blob/master/clients/client/ruby/docs/FrontendApi.md#to_session
hope it will help you 🙏
m
Thanks @miniature-memory-51394, I'm having a look now. I also asked a colleague who is working on the same issue to join this thread, he may have some insights / questions of his own
@miniature-memory-51394, based on the docs you mentioned: https://github.com/ory/sdk/blob/master/clients/client/ruby/docs/IdentityApi.md#get_session I have added an API key in the ORY Console and used the following code:
class OryController < ActionController::Base
  def index
    # Set the configuration parameters
    OryClient.configure do |config|
      # Configure Bearer authorization: oryAccessToken
      config.access_token = '{{ ory_pat_somthing_something }}'
    end

    # Initialize the client
    ory_api = OryClient::IdentityApi.new

    # Get the ory_session_id set by the front-end in the cookies
    session_id = cookies[:ory_session_id]

    # Check the session
    begin
      session_response = ory_api.get_session(session_id)
    rescue => e
      session_response = JSON.parse(e.response_body)["error"]
    end

    session_response.deep_symbolize_keys!

    render json: session_response
  end
end
However, now my response has gone from 401 to 403, spot anything I may be missing? Response is:
{
  "code": 403,
  "status": "Forbidden",
  "request": "22ec332b-dcd2-9336-a358-b26166dee8d9",
  "message": "Access credentials are not sufficient to access this resource"
}
m
Hey, apologies for the late response @miniature-sunset-64101 Please make sure not to leak your Ory Access Key 😉 Best create a new one now.
m
Oh yes, I know, that one is temporary, already deleted
Still in dev mode, so no live credentials are used at the moment
@magnificent-energy-493, do you maybe know what I'm missing here?
m
I am not super deep into your use case yet, but from
There are several apps that will need to access the session, some use React, some use Ruby on Rails, and then we have a React-native mobile application as well
This sounds like you could benefit from Ory Oathkeeper as an “identity gateway”
it can transform the session you get from kratos into something that can be used by all your apps
or you use the browser API for browser apps, native for the mobile apps etc.
Here are some examples for Ory Oathkeeper: https://github.com/ory/examples
m
@magnificent-energy-493 we are in the process of setting up Oathkeeper, but this is not our primary concern at the moment; what we really need is to figure out how to get the ory-client Ruby SDK to obtain the session, specifically. Bearing in mind that we are working on integrating Oathkeeper, but setting that aside: something isn't working with my implementation of the Ruby SDK (the front-end JS SDK works fine and can create / access sessions without issue). From what I can see in the docs, I am following the correct steps, but I'm getting a 403 response from the project, why is that?
Access credentials are not sufficient to access this resource
Why are the credentials not sufficient if I provide an access_token?
We're trying to create some kind of middleware to authenticate the session in Ruby in the interim until our Oathkeeper setup is complete
m
They should be sufficient 🤔 Can you try rotating the token and double-check that you are making the request to the correct associated Ory Network project please? Does the request work when you do it via cURL? Or can you make sure the request from Ruby middleware is correct with auth header?
m
@magnificent-energy-493, my colleague discovered that despite configuring the project's host to localhost:4000 (where the ORY tunnel is running), the Ruby SDK always uses the default playground.projects.oryapis.com host, which is why we kept getting the 403 response. To fix this, they had to change the host in the gem to bypass the default. Perhaps this is some issue with the auto-generation? What language is the original SDK written in? I believe it's Go? The auto-generated SDKs might not all work the same way. I'm still trying to check if there is a way of doing configuration that will override the defaults as intended without editing the gem, but a chance remains that there is a bug in the gem itself.
m
Hey @miniature-sunset-64101 I think there is something wrong with how you initialize the SDK. If there is no valid host to point to, it defaults to the playground. For example, in my TypeScript project it looks like so (basePath is the Ory Network project slug, for example https://pensive-mirzakhani-l7secb9ytq.projects.oryapis.com, or your CNAME if you have configured one):
const ory = new FrontendApi(
  new Configuration({
    basePath: basePath,
    baseOptions: {
      withCredentials: true,
    },
  })
);
There might be bugs/quirks in the Ruby SDK. They are all autogenerated using OpenAPIGenerator from the swagger spec, so I believe there is no “original” SDK.
if there is a way of doing configuration that will override the defaults as intended without editing the gem
There definitely should be! I have no experience in Ruby, but feel free to open a bug report in github.com/ory/sdk if you can not figure it out 🙏
m
Thank you @magnificent-energy-493. I've gotten the JS SDK to work without too many difficulties, but I also noticed that in the JS SDK there is no config for host, only basePath, which is sufficient to make it work. In the Ruby SDK, there is both host and base_path and I'm not sure if they are the same thing, or 2 parts of a full URL, or if they are unrelated. If we do find a bug and are sure about it, we'll log it on GitHub sure 🤘🖖
m
Oh I see, have not seen host before 🤔 So if you put your URL in base_path it does not work?
m
No it doesn't, but then again host doesn't quite work either. Additionally, my colleague believes he may have found the source of our problem. I'll ask him to describe it here for you. We suspect it may be an artefact from the auto-generation.
t
Hi @magnificent-energy-493, I've been assisting @miniature-sunset-64101 with setting up and using the Ory Ruby SDK. We've managed to find a simple solve for the issue Ulrich mentioned above, but before I mention the solution I'll just reiterate the problem: despite configuring the OryClient::FrontendApi host, the SDK will always revert to the default host, playground.projects.oryapis.com. The reason for this can be found in the base_url getter method within the Ory Ruby SDK configuration.rb:
def base_url(operation = nil)
  index = server_operation_index.fetch(operation, server_index)
  return "#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '') if index == nil

  server_url(index, server_operation_variables.fetch(operation, server_variables), operation_server_settings[operation])
end
which should early return http://localhost:4000 from the configured host and scheme; however, the early return is skipped due to index (in the above code snippet) returning the default server_index value of 0 instead of nil (which we believe should be the default value). Therefore, the fix is relatively simple: we just overrode the default server_index value with nil. Either this should be stated in the documentation if it was intended, or the default changed to nil. Hope this helps 🙂