Hello :wave: I am trying to set up the Ory ecosyst...
# ory-selfhosting
Hello 👋 I am trying to set up the Ory ecosystem on my Kubernetes cluster, starting with Kratos and selfservice-ui-node. Each component is exposed via Nginx on a different subdomain. I am encountering a redirect loop.
This is my Kratos configuration:
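# Version of the Kratos configuration format this file targets.
version: v1.2.0

# Database connection string. The `<...>` auto-link brackets that the chat
# paste wrapped around the URL are removed; they are not part of the value.
# sslmode=disable turns TLS to Postgres off, so the connection (including
# this password) is unencrypted; that is only defensible when the database
# really is reached over loopback.
# Prefer injecting the DSN from a Kubernetes Secret (Kratos also reads it
# from the DSN environment variable) over keeping credentials in this file.
dsn: "postgres://kratos:secret@localhost:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4"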

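# Listener settings for the public and admin APIs. Chat auto-link markup
# (`<...>` and `<url|text>`) has been stripped from the values.
serve:
  public:
    # NOTE(review): the post says the public API is exposed through Nginx on
    # its own subdomain, yet base_url points at loopback over plain http.
    # Kratos uses this value when it builds URLs that point back at itself,
    # so it normally has to be the externally reachable https:// address.
    # Confirm for this deployment.
    base_url: http://127.0.0.1:4433/
    cors:
      enabled: true
      # The wildcard trusts every subdomain of my-domain.com as a browser
      # origin for this API. Listing the exact UI origins keeps an unrelated
      # or compromised subdomain from making cross-origin calls that carry
      # the user's session. If CORS is handled at the ingress instead (the
      # fix reported in this thread), apply the same restriction there.
      allowed_origins:
        - https://*.my-domain.com
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      # Browsers attach Cookie themselves and never expose Set-Cookie to page
      # scripts, so listing those two names has no effect in a browser.
      allowed_headers:
        - Authorization
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
  admin:
    # The admin API carries no authentication of its own; keep it bound to
    # an internal address and never route it through the public ingress.
    base_url: http://127.0.0.1:4434/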

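session:
  cookie:
    # Scoping the session cookie to the parent domain lets the UI and the
    # Kratos subdomain share it, but it is then sent to every subdomain of
    # my-domain.com, so each of them has to be trusted with the session.
    # (Chat auto-link markup removed from the value.)
    domain: my-domain.com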

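selfservice:
  # Where the browser is sent when a flow finishes without an explicit
  # return URL. (Chat auto-link markup removed from the values below.)
  default_browser_return_url: "https://register.my-domain.com/"
  # Allow-list for caller-supplied return URLs. Keep it to the exact UI
  # origin; a broad entry here turns the flows into an open redirect.
  allowed_return_urls:
    - https://register.my-domain.com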

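  # Authentication and recovery methods offered by the self-service flows.
  methods:
    password:
      enabled: true
      config:
        # Reject passwords found in the Have I Been Pwned corpus;
        # max_breaches: 0 means a single known breach is enough to reject.
        haveibeenpwned_enabled: true
        max_breaches: 0
        # Fail-open: when the breach API cannot be reached the check is
        # skipped and the password is accepted. Set to false to fail closed.
        ignore_network_errors: true
        # Six characters is short; NIST SP 800-63B sets eight as the minimum
        # for user-chosen passwords.
        min_password_length: 6
        identifier_similarity_check_enabled: true
        # Host name only. (Chat auto-link markup removed from the value.)
        haveibeenpwned_host: "api.pwnedpasswords.com"
    totp:
      config:
        # Label shown in the user's authenticator app.
        issuer: Kratos
      enabled: true
    lookup_secret:
      enabled: true
    # Both e-mail based methods are enabled; the recovery and verification
    # flows in this file select `code`.
    link:
      enabled: true
    code:
      enabled: true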

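  # Each ui_url is a page of the self-service UI on register.my-domain.com
  # that Kratos redirects the browser to for that flow. All of them are
  # https while serve.public.base_url in this file is http on loopback.
  # (Chat auto-link markup removed from every URL.)
  flows:
    error:
      ui_url: "https://register.my-domain.com/error"

    settings:
      ui_url: "https://register.my-domain.com/settings"
      # Sensitive changes need a session that was authenticated within this
      # window; older sessions are asked to log in again.
      privileged_session_max_age: 15m
      # Require the strongest factor the identity has enrolled (for example
      # TOTP once it is set up) before settings can be changed.
      required_aal: highest_available

    recovery:
      enabled: true
      ui_url: "https://register.my-domain.com/recovery"
      # Recovery is done with a one-time code rather than a magic link.
      use: code

    verification:
      enabled: true
      ui_url: "https://register.my-domain.com/verification"
      use: code
      after:
        default_browser_return_url: "https://register.my-domain.com/"

    logout:
      after:
        default_browser_return_url: "https://register.my-domain.com/login"

    login:
      ui_url: "https://register.my-domain.com/login"
      # A started flow that is not completed within the lifespan expires.
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: "https://register.my-domain.com/registration"
      # Disabled: the `session` hook would sign the user in right after a
      # password registration.
      #after:
      #  password:
      #    hooks:
      #      - hook: session
      #  default_browser_return_url: "https://register.my-domain.com/"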

# Both values are the well-known sample placeholders, not secrets. Generate
# random values per environment and mount them from a Kubernetes Secret
# instead of committing them; anyone who knows the cookie secret can produce
# cookies that Kratos accepts as genuine.
secrets:
  # Used for encryption at rest; this placeholder is 32 characters long.
  cipher:
    - '32-LONG-SECRET-NOT-SECURE-AT-ALL'
  # Signs the cookies Kratos issues.
  cookie:
    - 'PLEASE-CHANGE-ME-I-AM-VERY-INSECURE'

# `noop` performs no encryption: values Kratos would otherwise encrypt at
# rest are stored in plaintext and secrets.cipher goes unused. Pick a real
# algorithm (Kratos offers aes and xchacha20-poly1305) before storing data
# that has to stay confidential if the database leaks.
ciphers:
  algorithm: 'noop'

# Password hashing. One iteration, one lane and a 16-byte key are low-cost
# settings, and no `memory` value is given here, so whatever default Kratos
# applies is in effect (confirm). Calibrate for the production hardware with
# `kratos hashers argon2 calibrate` before real passwords are stored.
hashers:
  algorithm: 'argon2'
  argon2:
    iterations: 1
    parallelism: 1
    salt_length: 16
    key_length: 16
    # NOTE(review): presumably the target hashing time and the tolerated
    # deviation from it; 0ns sets no target. Confirm against the Kratos docs.
    expected_duration: '0ns'
    expected_deviation: '0ns'

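identity:
  schemas:
    - id: user-v1
      # Chat auto-link markup removed from the value.
      # NOTE(review): in `file://etc/...` the `etc` segment is the URL
      # authority, not a directory; an absolute path is normally written
      # `file:///etc/...`. Confirm the schema is actually loaded.
      url: file://etc/kratos/identity.schema.json
  # Must match the id of one entry in `schemas` above.
  default_schema_id: "user-v1"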


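# Outgoing mail for recovery and verification codes. Chat auto-link markup
# (`<...>`, `<mailto:...|...>`) has been stripped from the values.
courier:
  smtp:
    # skip_ssl_verify=true disables certificate validation, so the SMTP
    # password and the one-time codes in the mails are exposed to anyone who
    # can intercept the connection. Trust the mail server's CA instead.
    # NOTE(review): port 465 is normally implicit TLS, which Kratos selects
    # with the smtps:// scheme - confirm the scheme and port match.
    # Keep the credentials in a Kubernetes Secret rather than in this file.
    connection_uri: smtp://user:pass@mail.svc.example:465/?skip_ssl_verify=true
    from_address: no-reply@my-domain.com
    from_name: domain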

# NOTE(review): presumably mirrors the `--watch-courier` flag of
# `kratos serve`, which runs the mail courier inside the serve process;
# confirm that it is honoured as a top-level config key.
watch-courier: true


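# Distributed tracing via a Jaeger agent on loopback. (Chat auto-link markup
# removed from server_url.)
tracing:
  service_name: Ory Kratos
  providers:
    jaeger:
      sampling:
        # A ratio of 1 samples every trace; lower it if trace volume or the
        # request metadata that ends up in spans is a concern.
        trace_id_ratio: 1
        server_url: http://127.0.0.1:5778/sampling
      local_agent_address: 127.0.0.1:6831
  provider: jaeger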

# Structured logging at warning level and above.
log:
  level: 'warning'
  format: 'json'
  # Keep this false outside of short debugging sessions so that sensitive
  # values are replaced with redaction_text instead of being written to logs.
  leak_sensitive_values: false
  redaction_text: 'hidden-sensitive-value'
By the way, when I deployed them under the same subdomain, it worked.
Fixed by enabling CORS in the Nginx ingress.