# ory-network
b
Hey everyone 🙂 I have a question: Is it possible to use JWTs instead of cookies with Ory Network/Ory Cloud? I'm trying to deploy my application to production but I don't have a custom domain, meaning my client application will encounter CORS issues when trying to access Ory's Endpoints. Is it possible to use JWTs instead? I found this guide and I managed to generate a JWT and get it back, but I'm not sure what to do next (how to protect my API for example)
m
Hello @brash-raincoat-15175 I would recommend getting a custom domain if you are using Ory Network in production. If there are concerns about budget, feel free to reach out to me, I am sure we can find a solution. Are you using Ory for API authentication? I think that is the best use case for JWT, and for most others using cookies is easier. As for the CORS issues: if you send the cookie and CSRF token to your backend middleware it should work (even without a custom domain, I think).
b
Hi @magnificent-energy-493, thanks for the quick reply. It's actually a matter of budget really. We saw that it costs 70$/month. We're a very early stage startup, and we've migrated from Auth0 to Ory because we wanted to allow our users to self-host our product.
About what you've mentioned (CORS issues) - if I'm not mistaken, our client sends a request to Ory to fetch the session, leading to a Set-Cookie in the response. If the client & Ory are not on the same domain, that won't work, right? To give a concrete example, our client sits at app.merlinn.co (hosted by Vercel). In our client code we do this:
```typescript
import { Configuration, FrontendApi } from "@ory/client";

// Ory frontend client. The basePath (the local Ory Tunnel on port 4000) and
// withCredentials are taken from later in this thread; adjust for your setup.
const ory = new FrontendApi(
  new Configuration({
    basePath: "http://localhost:4000",
    baseOptions: { withCredentials: true },
  }),
);

// setSession, setLogoutUrl and setLoading are React state setters defined elsewhere.
ory
  .toSession()
  .then(({ data }) => {
    // User has a session!
    setSession(data);
    ory.createBrowserLogoutFlow().then(({ data }) => {
      // Get also the logout url
      setLogoutUrl(data.logout_url);
    });
  })
  .catch((err) => {
    console.log("No session found", err);
  })
  .finally(() => {
    setLoading(false);
  });
```
This sets the Ory cookie, which allows the browser to send the cookie to our server (because they're on the same domain; our server sits on api.merlinn.co). In our server, we extract this cookie in an Express.js middleware and do this:
```typescript
import type { NextFunction, Request, Response } from "express";
import { Configuration, FrontendApi, Session } from "@ory/client";

// Server-side Ory client; ORY_SDK_URL is assumed to hold the project's Ory Network URL.
const ory = new FrontendApi(new Configuration({ basePath: process.env.ORY_SDK_URL }));

// Tell TypeScript that the middleware attaches the Ory session to the request.
declare module "express-serve-static-core" {
  interface Request {
    session?: Session;
  }
}

export const checkAuth = async function (
  req: Request,
  res: Response,
  next: NextFunction,
) {
  try {
    // Forward the browser's Cookie header so Ory can look up the session cookie.
    const { data: session } = await ory.toSession({
      cookie: req.header("cookie"),
    });

    req.session = session;
    next();
  } catch (error) {
    // No valid session: pass the error on to the error-handling middleware.
    next(error);
  }
};
```
Do you have an idea in mind of making it work without custom domain maybe? 🧐
To give more context, this is our project. It's an open source one. We're currently working on building our Cloud edition, which led us to investigate this subject.
m
I think you just need to include the CSRF token on the middleware. Here is how I do it in my frontend test app for example:
```typescript
// apiBasePath is the origin of your own backend API (placeholder value).
async function loadUserData(apiBasePath: string) {
  try {
    const response = await fetch(`${apiBasePath}/user-data`, {
      headers: {
        "Content-Type": "application/json",
      },
      method: "GET",
      credentials: "include", // Include cookies + CSRF token in the request
    });
    return await response.json();
  } catch (err) {
    console.log("Request failed", err);
  }
}
```
And then in my backend (just like you did). I guess the difference is that here I send all the cookies, which also include the CSRF token:
```typescript
// `cookies` holds the raw Cookie header forwarded from the browser request
const { data: session } = await ory.toSession({ cookie: cookies });
```
I will DM you on options for the Production plan for early stage startups
b
@magnificent-energy-493 Thanks. However, I still don't understand whether the `ory.toSession()` on the client side should work. We do use `withCredentials` on our Ory client instance. However, without Ory Tunnel locally (running on port 4000), the authentication doesn't work and we get CORS issues. If we deploy the app to production, the tunnel won't exist there. Wouldn't we have to use a custom domain?
m
Your code there looks fine to me 🤔
> If we deploy the app to production, the tunnel won't exist there. Wouldn't we have to use custom domain
Yes, that is right. Since your app is under a different domain, it will cause CORS issues. There might be a workaround using e.g. Cloudflare Tunnel or similar solutions in production, but we haven't tested those so I can't guarantee it 😬
b
I see. So I guess we have to use custom domain in order to make our Ory Network the same domain as the application, which will allow the cookies to work. Is that correct?