# ory-network
n
Hi all. We are trying to use ORY as an OAuth provider for our web app but are running into an error that we can't seem to debug/understand. Can anyone guide us or tell us what the fix could be? Hitting the auth URL (https://compassionate-keldysh-s2hawo75ll.projects.oryapis.com/oauth2/auth?response_type=code&client_id=<clientId>&redirect_uri=localhost:8080&state=123456789&scope=openid) takes us to the login page. Once we enter the ID and password, we get the following error in the network tab: Any idea what the flow cookie is? And what needs to be fixed?
p
Hi @nice-baker-74785, I can't see the domains of the first two requests, but I assume they are on your project slug domain. Are you implementing a custom consent page? Or what is your setup? This error is usually related to cookies that cannot be set properly due to domain differences. The flow needs to go through a domain that you own, and usually you would need to set up the Ory tunnel on your local machine to make this work properly: https://www.ory.sh/docs/guides/cli/proxy-and-tunnel
n
Hi @proud-plumber-24205. Thank you for the response. Once you put the auth URL in the browser, it redirects to a different domain, which is set in the custom domain settings of the Ory instance. Do we need to do additional config on our custom domain?
p
The custom domain should be fine, but I see you are redirected to localhost:8080. Are you initiating the OAuth flow from localhost?
Could you maybe give me a brief understanding of which application is initiating the OAuth request,
and on which domain they are running? You can of course give example domains.
n
Yes, redirecting to localhost:8080 for testing purposes. This would of course be replaced by the app URL when deployed to production.
The front end is initiating the OAuth request. Our web app workflow for OAuth is something like this:
1. FE shows the available auth providers to sign in with.
2. User clicks on "Sign in With ORY" and FE redirects the user to the auth URL ().
3. Let's say the app (FE) is running at www.prod-example-app.com. It redirects the user to the auth URL, which in turn redirects them to the custom domain self-service login flow (www.custom-domain.com/ui/login).
4. Once the user signs in on the custom domain, the error occurs.
p
Is the frontend only doing an OAuth request to Ory directly? Or are you using Ory Identities to submit which provider you'd like to sign in with?
Since the first request in your screenshot has a flow=<id> parameter, I'm guessing you are using Ory Identities as well.
If the FE is creating the flow on a domain other than the TLD of the custom domain linked to your project, then the CSRF cookies cannot be set correctly. This is most likely why it fails.
👍 1
n
I think that might be the problem (the difference in domains). If I want to test on localhost though, then I have to set up an Ory tunnel as you mentioned before, right?
p
Yes
n
OK. One last question: from the above discussion I understood that the domain which points to the FE app (let's say https://www.fe-app.com) is the same domain that should be registered as a custom domain on the Ory project? Or else the cookies etc. won't be set correctly and this error would occur?
p
It needs to be the same top-level domain, so the FE can be on example.com, but the one added to the project will most likely be a sub-domain, such as auth.example.com.
n
Yes, understood.
The TLD needs to be the same. So we need to take care of that when deploying to production so that it works with the prod domain.
BTW, is there a way to let Ory handle it all and not involve custom domains? As our usage is just for OAuth management?
p
Sure, you could just redirect the user to the Ory Account Experience and let the user complete the flow on the project domain / custom domain.
In an OAuth flow you can have the client initialize to Ory directly, and from there it will go through the login / registration flow through the Account Experience. In the end the user will be taken back to the client with an access token.
💯 1
👍 1
n
Perfect. Now it all makes sense. That is all we wanted to do in the first place. Someone else from my team (who set up the project in the first place) added custom domains. That's why it is causing unexpected problems.
I will remove the custom domains and try it out. Hopefully it works then.
p
There's nothing wrong with having a custom domain. But it depends on how you initiate the login flow:
1. initiate an OAuth login flow -> Account Experience (third-party SSO)
2. initiate a login flow -> Account Experience (first-party)
3. initiate a login flow -> Account Experience -> initiate OAuth flow -> Account Experience (here you let Ory Identities manage the session after getting the access token)
n
Understood.
Thanks a lot for the help, clarity and your time. Much appreciated. I will do the necessary config changes.
p
It's no problem 🙂 Let me know if you run into more issues.
👍 1
n
Hi @proud-plumber-24205. I was able to get almost everything working after your help. Just one thing that I could not get to work is the refresh token. I do not receive it in the response from the /token endpoint even though I have allowed the offline_access scope in the OAuth client. Any idea what is missing?
Never mind. I added the refresh_token option in the OAuth client and was able to get it working. Thanks for all your help.
p
Hey Abdul, that's great to hear! 🙂