# ory-network
c
I'm non-technical and trying to wrap my head around whether this product will work for us because my dev team is giving me the impression that Ory doesn't work for this. We have a bunch of related products hosted on different domains (product1.com, product2.com, etc.). We want people to have a single account that they can use on all of the various products and all of our products run on stacks that have existing OAuth2 clients we can leverage. My non-technical reading of the Ory website made me believe that this would work more or less out of the box with Ory Cloud, but I'm being told that somehow Ory can't help us with logging into more than one domain and being linked to GitHub issues like this: https://github.com/ory/kratos/issues/662 Can someone help me understand what the problem is here? I don't understand the point of Ory Cloud (which I thought included an OAuth server) if it can't connect to sites on various domains using OAuth clients.
p
Hi @calm-psychiatrist-71991 Your use case is possible with Ory Cloud, by doing SSO through an OAuth flow. Maybe we can set up a call with you to go over the use cases. /cc @fast-lunch-54279
c
Sure, we just got off a call where we tried to figure out what the issue was and they just told us they were non-technical and we should post here instead haha
p
I see... I've cc'd Klaus here, who would have more insights into the use case.
c
Happy to hop on a call but it sounds like we need someone technical from Ory to be on it this time
p
Yes 🙂 It is, however, EOD here so we will probably only be able to do this next week. I will keep track of this and get back to you on Monday. Does that sound good?
c
Sure, thanks!
p
Hi @calm-psychiatrist-71991 I spoke to our team internally about this use case you mentioned above. Just to make sure I have this correct, you want:
1. Each app (product) has its own top level domain
2. Each app has users, however they are shared through the single sign on (SSO) provider
3. The session is scoped to only a singular domain (e.g. product1.com has its own session to product2.com)
From the above use case, you have 3 options:
1. Run a new Ory project per domain and have a "main" Ory project as the SSO provider
2. Have another IAM solution per domain and have an Ory project as the SSO provider
3. Each domain can have its own OAuth client with its own session management done by you (self-built) hooking up to an Ory project as the SSO provider.
c
It sounds like the issue we had setting it up is simply that Kratos and Hydra are not integrated, but it sounds like there's a pull request to do so that is planned to be included in Ory Cloud at some point. It seems like DIYing this integration on our end could be months of dev time given our low experience with the product. That turns this into more of a business decision based on when we can expect it to be included in Ory Cloud. If it will be included in the next few weeks we go with Ory, if it will take months we probably will have to go a different route than Ory Cloud. Do you have any info about this we can use to make a decision?
@proud-plumber-24205 If Ory Cloud only gets us Hydra and not Kratos there's no point really since it's just an OAuth server which we can get many other ways just as easily, the value is in the integrated IAM solution and without it I frankly don't understand the value proposition since it won't get us anything we wouldn't have out of the box elsewhere other than the privilege of having to spend months trying to integrate some other IAM system.
p
I see what you are saying. Yes this feature is planned for the coming weeks, not months.
c
That's great! And that's not just merging the PR, that's actually launching it on Ory Cloud?
p
Yes 🙂
c
@proud-plumber-24205 how's the ETA on this looking?
@proud-plumber-24205 bump
m
Hey @calm-psychiatrist-71991, We are working on it currently as high priority and will ship it as soon as it is ready, it's scheduled this or next week. Maybe @fast-lunch-54279 can chime in here, as he is working closer with the product team.
c
@proud-plumber-24205 @magnificent-energy-493 Any update on the ETA? Just want to make sure I don't miss the release.
m
Hey @calm-psychiatrist-71991, this is possible now with the Hydra/Kratos integration, we just shipped it this week with Hydra 2.0! https://www.ory.sh/docs/getting-started/ory-cloud-oauth2 We will update our run OAuth2 server blogpost with a guide and publish more docs soon 🙂 Let me know if that helps