Hello ! at my client we are using *Hydra + Kratos*...
# general
r
Hello! At my client we are using Hydra + Kratos (as the IdP) for the Authorization Code Flow. We are successfully implementing the flow, except that I'm confused about what to do for previously logged-in (and still active) users. What happens is that, whether logged in or not, when I start the flow Hydra redirects me as a user to a `/auth/login` endpoint (a React app acting as the self-service UI), appending `login_challenge=xyz` in the query params. Then we initiate a flow using the Ory frontend SDK:
```javascript
// Start a Kratos browser login flow from the self-service UI,
// passing Hydra's login_challenge through to Kratos
sdkMgr.getSdk().createBrowserLoginFlow({
  refresh: true,
  aal: aal2 ? 'aal2' : 'aal1',
  returnTo: returnTo || undefined,
  loginChallenge: loginChallenge || undefined,
})
```
The user has to log in again to complete the flow. If I want to make it transparent to the user, especially one who has logged in before, it seems I could use `.toSession()` from the SDK to check if an Ory Kratos session already exists?
• The Hydra endpoints to get/accept the login challenge request seem to be admin endpoints and therefore not exposable to the public.
• There could be an app to handle the login and use these endpoints, but I thought it was already Kratos's job to talk to Hydra through these endpoints to validate the login without having to redirect the user to login.
Lots of confusion; I'm sure there is something inherently wrong in the approach. Help appreciated! 🙂
m
What is the reason to use the "Authorization Code Flow"? Did you read this blog post on when to use OAuth2?
r
Yes!
I have read it indeed.
It's for a use case of delegated rights/consent.
m
Makes sense. And do you have a strong requirement for self-hosting? Because with Ory Network you get some more support that could help you figure this out, or you can get a support agreement. If you use Ory for a commercial use case I would strongly recommend you get support from Ory as well; the scope of community support is very limited, and technically companies running OSS do not get any support.
Otherwise, from what you shared, you're on the right track with using `.toSession()`. This is exactly how you check if a user already has a valid session. When you call `createBrowserLoginFlow` with `refresh: true`, you're explicitly telling Kratos to ignore the existing session and force a re-login. Instead, when you detect an existing session, you should:
1. Accept the login challenge directly
2. Skip showing the login UI entirely
This is already solved in the built-in UI in Ory Network, if that is an option for you to use.
r
Hello @magnificent-energy-493 and thanks for the help! But then, accepting the login challenge would mean making a call from the front end (after the `.toSession()`) to an `/admin` endpoint of Hydra, which is not supposed to be publicly available, right? This is where my issue resides.
Basically my point is:
1. Accept the login challenge directly
Should that be done between Kratos and Hydra? Or do I absolutely need to bootstrap a login handler/server to actually make the call for accepting the login request?
l
You can fetch the Hydra login request using the `login_challenge`, which should have a `skip` value that lets you know whether you can skip showing the authentication UI for that subject. You can go straight to accepting the Hydra login request.
r
Sorry if I'm repeating a bit / this might be obvious, but:
"you can go straight to accepting the hydra login request"
From where do I accept a Hydra login request? My setup:
• I only have the front end / UI (and the Ory frontend SDK)
• I do not have a login handler (as a dedicated app)
• I only have Kratos + Hydra
• I can't accept the login request from the front end since it's an `/admin/...` endpoint
I basically have steps 1 to 3 included as mentioned there.
My understanding is that Kratos should be able to do it, though.