What's the correct way to develop a local (Ory Net...
# talk-oathkeeper
j
What's the correct way to develop a local (Ory Network) application against Oathkeeper protected endpoints? When we use ory tunnel the cookies are all scoped to localhost so we can't use them in our requests. I've tried running ory tunnel with `--cookie-domain` set but locally it returns `The browser does not contain the necessary cookie to resume the session.` from the ory api endpoints.
s
Is oathkeeper running on some remote domain? You need to have them on the same domain...
j
Yeah oathkeeper is remote. To dev locally would we have to run oathkeeper locally with our application too?
s
or point the tunnel to the remote URL?
not sure if that works...
but I guess it should
j
How does one do that?
s
ah sorry, I think you'd have to use the proxy for that https://www.ory.sh/docs/guides/cli/proxy-and-tunnel#ory-proxy
j
That's what I'm playing with as well, do I have to set the cookie-domain to my remote too?
s
no, I'd try to get all cookies working on localhost, but also expose the remote oathkeeper under localhost
then it should all work together
j
which bit of the ory proxy config lets us point at the oathkeeper?
s
`ory proxy <https://your-remote-url>` should be enough
j
Cheers, I'll give it a go! I've just been wrapped up in circles with proxy and tunnel that I can't remember what I've tried that hasn't worked!
That looks like it's got me 80% there, I'm still not sending my `ory_session` cookie for some reason
s
to oathkeeper? or to the app behind it?
j
to oathkeeper I'm sending another cookie but not the ory cookie
s
hm could be anything really... are you using `withCredentials`? or is it a secure cookie, but you are using http?
j
the cookie is still bound to localhost, I'm using `--dev` so it's HttpOnly and SameSite Lax
s
yes, but you also have to call oathkeeper on localhost now
j
Oh wait you mean my "remote-url" above is my oathkeeper service itself? Which is on kubernetes deployed via a helm chart so I'll have to be in the cluster and call it with `ory proxy <http://oathkeeper-api.oathkeeper:4456>`?
s
yes
you can use `kubectl port-forward`
j
The rules in that oathkeeper are all bound to match hosts on an ingress though, how do we hit them directly from local? Do we have to add another set of matchers?
s
or adjust the current ones to also match localhost
with regexp or glob, whatever you're using
you can theoretically also deploy the ory tunnel or proxy in your cluster
j
Sure that makes sense, and then is it `oathkeeper-proxy` or `oathkeeper-api` that I actually want to target?
s
yes, the cluster internal URL
but actually easiest in that case is to use a custom domain
j
This mostly worked until we enabled cors on the Oathkeeper Proxy. Ory Proxy also adds its own set of headers so we end up with a duplicate set of cors headers (i.e. `Access-Control-Allow-Origin`). Is there any way to strip the headers from the proxied server or not add them from Ory Proxy?
fyi @quiet-holiday-22170