# general
m
This message was deleted.
👀 2
b
I believe you can request a client ID and secret via the API: https://boxyhq.com/docs/jackson/security#client-secret
b
Thanks @bland-eye-99092! However that doc states it’s a clientId and clientSecret for each customer. Ultimately I am hoping to not have to modify my kratos config to add an oidc for each customer 🤔 The NextAuth implementation allows you to pass the tenant/productId dynamically; I’ve been stumped on how we can apply this in the Ory ecosystem…
I left more information about how I’m stuck in the github issue but figured I’d pass on some thoughts here too if you have a moment --- I guess the one thing I’ll add to foster some conversation about one part I’m stuck on is the following... To redirect to the correct IdP, you must call the following endpoint with jackson:
<https://localhost:5225/api/oauth/authorize>
  ?response_type=code&provider=saml
  &client_id=<clientID or tenant and product query params>
  &redirect_uri=<redirect URL>
  &state=<randomly generated state id>
This `state` parameter is passed to the ory self sign in callback, which in our case would be to one of the oidc callback paths like
http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<jackson?>
From what it looks like (and I am a total novice in golang), this state parameter isn’t something the user creates but occurs when the login flow is submitted. It seems like it is generated from the flowId and then some extra data, base64 encoded (split by a `:`), and stored in the `continuity_containers` database table...which happens here. So my question is, how can I create this “custom” state that embeds this `flowId` and `data` before calling this `authorize` endpoint, since it seems like it’s important to have a reference to this when running through the callback flow?
b
Kratos already implements creating the correct URLs that the user’s device should visit. So you shouldn’t need to create the state parameter yourself. Just create a new login flow, click on the Jackson based OIDC provider and let the browser go through the redirects.
b
Hey Jonas - I think the confusion here is that the client Id and client secret are dynamic (since users can add their own sso connections for their business on the site on the fly), so I would be unable to allow Kratos to handle the whole flow since I won’t be hard coding the generic provider into the configuration file. When you call the jackson `authorize` endpoint this takes in the client Id and secret which are the tenant & product names. This resolves to a redirect url that knows which route to send the user to which starts the auth flow 🤔 does that make a bit more sense?
b
I see. I don’t think this is supported for now, because it makes the OIDC redirect flow hard to manage. We typically recommend using one provider per customer in these cases.
b
Ah man…I guess I’m confused now because Vincent has mentioned that this was how Ory manages connections for customers in Ory Network and they closed the SAML auth ticket based off the recommendation to use Jackson to cover these use cases 😕 do you think I could get some more insight about this? I don’t want to ping vincent unnecessarily here but would love to get some clarity here. Reference to the ticket and my messages (my username there is “uncvrd”): https://github.com/ory/kratos/issues/275#issuecomment-1780638147
b
I think Vincent phrased that a bit poorly. The way we do this in Ory Network is just singular OIDC connections. But we do manage all of the redirecting for you. So ideally you don’t have to implement the state stuff on your own.
How many connections are we talking about?
b
bummer. yea ultimately I would like for our customers to self serve their own connections which makes jackson so powerful since we wouldn’t have to manually update the kratos config each time. this would be ~50 additional connections at the moment
b
yea, that would be too much, I agree. We do support an “automatic” provisioning system, where you’d be able to provision new providers programmatically. But that would require some code and testing to get it right and you’d somehow need to know when a user creates a new provider in jackson. However, I do think we could work something out. Would you mind reaching out to @orange-book-3843 either here or via Email (tucker.ext@ory.sh)?
b
Thanks a lot Jonas - yes I’ll reach out via email
a
Would it be possible to share the “automatic” provisioning system docs somewhere? 🙂
b
there aren’t really any specific docs on that. You can automate a bunch of stuff using the CLI: https://www.ory.sh/docs/guides/cli/config-with-cli @average-iron-40995
b
reaching out to Tucker right now.. I sorta figured this was what you were mentioning. For context, automation via CLI is even tougher since I encrypt the kratos configuration using Hashicorp Vault’s “transit” secrets since the config is littered with private info at varying config depths. Upon image build before deployment, there’s a dockerfile step that decrypts the config and writes it to the docker image, so dynamically writing to a config like this would be tough to work around …I guess just so you know some more background too haha
šŸ‘ 2
a
Btw, is there a limit on how many providers you can have in the oidc_providers array? I imagine that this array can become pretty big with one connection to Jackson per tenant 🙂
b
Tucker is coordinating with the Jackson team, I am hoping their solution does not require manually updating the kratos config, but I can’t imagine there is a limit currently
šŸ‘ 1
r
Very interested to get some insights on if / when the integration between Jackson and Kratos will be possible (even if it requires glue code); we’re currently evaluating Keycloak and Ory Kratos and the SAML support will be a decisive factor. We’re using WorkOS right now for SAML support and we want to make sure we would have an “escape path” with the new solution we chose.
b
Unfortunately I have not heard back from Tucker since before the holidays regarding any updates, I checked in this week again with no word (yet)
šŸ‘ 1
Update: I’ve set up a meeting with the founder of BoxyHQ on Feb 13th. I really hope we can have some coordination directly between Ory & BoxyHQ as this is the official recommendation by Ory. Regardless, I’ll report back with our findings and (hopefully) next steps so we can all get this to work
🤗 1
🙌 1
😇 1