Is it possible to add the ory session id to the qu...
# ory-network
f
Is it possible to add the ory session id to the query string parameters of the url redirect from the account experience flow? We cannot retrieve the session id from the cookie on the other side because our domain does not match the domain of the cookie issuer.
m
our domain does not match the domain of the cookie issuer.
Why is that the case? The domains need to match I think
s
It would be a huge security risk. One option for cross-domain communication is this: https://www.ory.sh/docs/identities/session-to-jwt-cors
But maybe you can provide more context on your problem?
f
We are trying to integrate ory with weweb. In production, the domains will match. In development, however, we will be in the weweb editor (editor.weweb.io) and we don’t control the weweb.io domain so we cannot add it as a custom domain to ory.
In order to convert a session into a jwt, we still need the session id, which we cannot retrieve from the auth flow because it is stored in a cookie in a different domain
a
s
Yes, fairly new
a
oh.... I missed that, nice.
s
@famous-nightfall-97614 I don't fully understand your setup. What app do you have on which domain in which setup?
f
editor.weweb.io is a wysiwyg editor which we are building internal tools on top of. When published, the app we are building there will be available at internaltools.plantbid.com. We want to use ory to handle auth for this app. So, our app has a ‘login’ button which forwards the user to the auth flow at ory. Here is the actual url we forward to: https://agitated-khayyam-rqo27d4a5x.projects.oryapis.com/ui/login?return_to=https://editor.weweb.io/c[…]db65ede/4d16b9c0-492c-4864-9537-22d2dee61399
You will notice the return to is the weweb editor because, in development, we are inside the weweb editor. Again, in production this return to would be set to internaltools.plantbid.com.
When a user completes the flow it forwards them back to the editor correctly; however, we cannot access the session id because it is in a cookie for the wrong domain. Further, when we attempt a GET on https://agitated-khayyam-rqo27d4a5x.projects.oryapis.com/sessions/whoami to retrieve the session id (or to tokenize it) we get a 401, which makes sense because we can’t hand the cookie off to it.
@steep-lamp-91158 Does that help?
p
Hi @famous-nightfall-97614, since the domains will match in production, it will work fine with just a cookie set to the top-level domain. But in development, you are probably developing a tool on localhost and want to retrieve the session in an external environment such as editor.weweb.io. In this case you would need to tunnel everything behind the same domain on localhost.
https://github.com/ory/cli/issues/188#issuecomment-1209653055
m
Reminder for myself to add the above issue comment to the tunnel docs
f
@proud-plumber-24205 I think there might be a misunderstanding. We aren’t developing locally. Weweb is a wysiwyg editor which is itself what we are developing on top of. editor.weweb.io is the domain of the editor, and we have no control over anything on their servers. For example, we cannot manipulate their host file (as is required for the workaround you linked).
p
Yes, I understand, you don't control the domain. But you can use the Ory tunnel to develop on your own "localhost" domain or any local domain pointing to localhost. Then you can add editor.weweb.io as an upstream service that is also served under the ory tunnel.
f
@proud-plumber-24205 Thanks for linking this. We’re going to try it and get back here!
p
another possibility is exchanging the session on localhost https://www.ory.sh/docs/identities/session-to-jwt-cors
f
We considered basically wrapping ory in an api so we can provide weweb the interface it needs more easily and this is what we were going to do for that
if we get the client the JWT, are there ory endpoints to retrieve the user data using the JWT?
for example client wants to make sure the email address hasn’t changed, or wants to change the password, so it provides the JWT as a bearer token. Curious if ory can handle this directly or if we have to create a facade