https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> I want to use ory has an IdP to pro...
# ory-copilot
w
@chilly-king-10285 I want to use ory has an IdP to provide auth to multiple microservices, how best to handle that?
c
A message from kapa.ai
To use Ory as an Identity Provider (IdP) for multiple microservices, the recommended approach is to leverage Ory Hydra as your OAuth2 and OpenID Connect (OIDC) provider. Here’s how you can handle this setup: 1. Centralize Authentication with Ory Hydra Ory Hydra acts as your OAuth2/OIDC server. Each microservice that requires authentication is registered as an OAuth2 client in Hydra. This allows all your microservices to delegate authentication to a single, centralized IdP, ensuring consistent identity management and security across your system. Hydra does not manage user identities itself, so you typically pair it with Ory Kratos (for identity management) or your own user management system. Hydra issues access, refresh, and ID tokens to authenticated users, which your microservices can validate and use for authorization decisions [Ory Ecosystem Introduction](https://www.ory.sh/docs/ecosystem/projects#ory-hydra). 2. Register Each Microservice as an OAuth2 Client For each microservice, create an OAuth2 client in Hydra. Assign appropriate redirect URIs and scopes for each service. This allows each microservice to initiate the OAuth2 authorization code flow and receive tokens after successful authentication [Ory Hydra OAuth2 Use Cases](https://www.ory.sh/docs/oauth2-oidc#use-cases). 3. Token Validation and User Info Microservices validate the received tokens (JWTs) using Hydra’s JWKS endpoint. If needed, they can also use the userinfo endpoint to fetch additional user details. This ensures that only authenticated and authorized users can access protected resources. 4. Single Sign-On (SSO) Experience With this setup, users authenticate once with Ory, and can then access all registered microservices without repeated logins, providing a seamless SSO experience [Ory Hydra OAuth2 Use Cases](https://www.ory.sh/docs/oauth2-oidc#use-cases). 5. Multi-Tenancy and Flexibility Ory supports multi-tenancy, so you can isolate authentication flows and data per tenant if needed. This is especially useful for SaaS platforms serving multiple customers [Ory Overview: Components](https://www.ory.sh/docs/intro#components). Summary Flow: - User tries to access a microservice. - Microservice redirects the user to Ory Hydra for authentication. - User authenticates (via Ory Kratos or your identity system). - Ory Hydra issues tokens. - Microservice validates tokens and grants access. This architecture is scalable, secure, and aligns with modern best practices for microservices authentication. If you need to support SAML or OIDC-based SSO with external enterprise IdPs, you can also use Ory Polis to bridge those protocols and expose a unified OAuth2/OIDC interface to your microservices [Ory Polis Overview](https://www.ory.sh/docs/ecosystem/projects#ory-polis). If you need more specific implementation details or code examples, let me know!
w
@chilly-king-10285 Is there any examples for creating an application for the authentication flow with hydra, and pairing it with kratos?
c
A message from kapa.ai
Yes, there are examples and documentation for creating an application that implements the authentication flow with Ory Hydra and pairs it with Ory Kratos. Key Points: - Ory Hydra does not manage user identities itself; it delegates authentication to an external identity provider (like Ory Kratos) via the Login and Consent flow. - You need to implement a Login and Consent App that interacts with both Hydra and Kratos. Example Resources: 1. Exemplary Login and Consent App The official Ory documentation provides a tutorial for running an exemplary Login and Consent App alongside Hydra, which you can adapt to work with Kratos as your identity provider. The example uses Helm and Docker Compose, and shows how to configure the necessary endpoints for login and consent. You can find the details and configuration steps in the [Kubernetes Helm Chart example](https://www.ory.sh/docs/hydra/self-hosted/kubernetes-helm-chart#exemplary-login-and-consent-app). 2. Hydra Login & Consent Example App There is a reference implementation of a Login and Consent App available at [github.com/ory/hydra-login-consent-node](https://github.com/ory/hydra-login-consent-node). This app demonstrates how to handle the login and consent challenges from Hydra, and can be adapted to authenticate users via Kratos. 3. Pairing with Kratos While the knowledge sources do not provide a full step-by-step example specifically pairing Kratos and Hydra, they do mention that Hydra can be integrated with any identity service, including Ory Kratos, by configuring the login and consent URLs to point to your Kratos-powered UI. The [GitHub issue](https://github.com/ory/kratos/issues/4024) also shows configuration snippets for connecting Kratos and Hydra, including how to set the 
oauth2_provider.url
in Kratos to point to Hydra. Summary: - Use the Login and Consent App example as a starting point. - Configure Hydra to delegate authentication to your Kratos instance by setting the appropriate login and consent URLs. - Adapt the example app to use Kratos for user authentication. If you need a direct code example, the [hydra-login-consent-node](https://github.com/ory/hydra-login-consent-node) repository is a good starting point, and you can find more configuration details in the [official documentation](https://www.ory.sh/docs/hydra/self-hosted/kubernetes-helm-chart#exemplary-login-and-consent-app) and [related GitHub issues](https://github.com/ory/kratos/issues/4024).
w
@chilly-king-10285 So basically all I need to do is point kratos and hydra at each other, and then use hydra to create the flows?
c
A message from kapa.ai
New message text here
w
@chilly-king-10285 Okay, how would I go about adapting the reference implementation. Obviously modify the kratos and hydra configurations, but what in the app?
c
A message from kapa.ai
To adapt the [hydra-login-consent-node](https://github.com/ory/hydra-login-consent-node) reference implementation to use Ory Kratos for authentication, you need to make changes in both your configuration and the application code. ### 1. Configuration Changes - Hydra: Set 
urls.login
and 
urls.consent
in your Hydra config to point to your custom app endpoints (e.g., 
/login
and 
/consent
), which will interact with Kratos for authentication and consent ([hydra.yml example](https://github.com/ory/kratos/issues/4233)). - Kratos: Set 
oauth2_provider.url
in your Kratos config to point to Hydra’s admin endpoint (e.g., `http://hydra:4445`). This enables Kratos to handle OAuth2 login challenges ([kratos.yml example](https://github.com/ory/kratos/issues/4233)). ### 2. Application Code Changes In the reference app, the login endpoint currently authenticates users against a local database or in-memory store. To use Kratos, you need to: - Replace Local Authentication with Kratos Flows: Instead of checking credentials locally, your 
/login
route should initiate a Kratos login flow (typically by redirecting the user to Kratos’ self-service login UI or by using Kratos’ API to handle the flow in your app). - Handle Kratos Session: After successful authentication with Kratos, retrieve the user’s identity ID from the Kratos session. Use this ID as the 
subject
when accepting the Hydra login challenge. - Example Flow (from the docs): - When Hydra redirects to your 
/login?login_challenge=...
, your app should: 1. Start a Kratos login flow (redirect or API). 2. On successful login, get the Kratos identity ID. 3. Call Hydra’s 
acceptOAuth2LoginRequest
with the Kratos identity ID as the subject ([login endpoint code example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#login-endpoint-code-example)).
Copy code
js // Pseudocode for login handler const kratosSession = await getKratosSession(req); // Use Kratos SDK or API if (kratosSession) {   await hydra.acceptOAuth2LoginRequest({     loginChallenge: challenge,     acceptOAuth2LoginRequest: {       subject: kratosSession.identity.id,       // ...other options     },   });   // Redirect as instructed by Hydra }
- Consent Endpoint: The consent endpoint logic generally remains the same, but you may want to fetch additional user info from Kratos if needed for scopes or claims ([consent endpoint code example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#consent-endpoint-code-example)). ### 3. Summary - Update Hydra and Kratos configs to point at each other and your app. - In the app, replace local user authentication with Kratos login flows. - Use the Kratos identity ID as the OAuth2 subject when accepting login challenges from Hydra. The knowledge sources provide configuration examples and code snippets for the login and consent endpoints, but do not include a full, ready-to-use integration with Kratos. You will need to adapt the reference app to use Kratos’ APIs for authentication and session management ([custom login/consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#flow-steps)). If you need more detailed code examples for integrating Kratos into the login flow, let me know!
w
@chilly-king-10285 Are there any guides on linking hydra and kratos and making an sso service using that? If not can you create one?
c
A message from kapa.ai
I'm sorry, but the knowledge sources do not contain a dedicated, step-by-step guide specifically for linking Ory Hydra and Ory Kratos to create an SSO service. However, the sources do provide relevant information and configuration examples that outline the general approach: - Hydra and Kratos Integration: The typical setup involves configuring Hydra to delegate authentication to a login/consent app, which in turn uses Kratos for user authentication. You set Hydra's 
urls.login
and 
urls.consent
to your app, and configure Kratos with the 
oauth2_provider.url
pointing to Hydra's admin endpoint. This allows the login/consent app to bridge the two systems ([see config example](https://github.com/ory/kratos/issues/4233)). - Reference Implementations: There is a [reference login/consent app](https://github.com/ory/hydra-login-consent-node) for Hydra, but it is not specifically tailored for Kratos. You would need to adapt it to use Kratos for authentication, as described in previous answers. - General Flow: The flow is: 1. OAuth2 client redirects user to Hydra. 2. Hydra redirects to your login UI (which uses Kratos for authentication). 3. After login, your app accepts the login challenge with Hydra, passing the Kratos identity as the subject. 4. Consent is handled similarly. While there is no single, official guide in the knowledge sources, you can piece together the process using the configuration examples and reference app. If you need a custom step-by-step guide, I can help draft one based on the available information, but please note it will be a synthesis rather than a direct excerpt from the documentation ([see config details](https://github.com/ory/kratos/issues/4233)). If you need that synthesized guide, let me know!
w
@chilly-king-10285 Please create the synthesized guide.
c
A message from kapa.ai
Certainly! Here is a synthesized guide for linking Ory Hydra and Ory Kratos to create an SSO service, based strictly on the information available in the knowledge sources. --- ## Guide: Linking Ory Hydra and Ory Kratos for SSO ### 1. Overview Ory Hydra provides OAuth2 and OpenID Connect (OIDC) flows, but does not manage user identities itself. Ory Kratos handles identity management and authentication. To create an SSO service, you connect Hydra and Kratos using a custom login and consent app that bridges the two systems. This enables multiple applications (OAuth2 clients) to authenticate users via a single identity provider and SSO experience [Ory Ecosystem Introduction](https://www.ory.sh/docs/ecosystem/projects#ory-hydra). --- ### 2. Configuration Steps #### A. Configure Ory Hydra - Set the login and consent URLs in Hydra’s configuration to point to your custom login/consent app:
Copy code
yaml   urls:     login: <http://your-login-app/login>     consent: <http://your-login-app/consent>
This tells Hydra to delegate authentication and consent to your app, which will use Kratos for user authentication ([custom login/consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#flow-steps)). #### B. Configure Ory Kratos - Set the 
oauth2_provider.url
in Kratos’ configuration to point to Hydra’s admin endpoint:
Copy code
yaml   oauth2_provider:     url: <http://hydra:4445>
This allows Kratos to interact with Hydra for OAuth2 login challenges ([kratos.yml example](https://github.com/ory/kratos/issues/4233)). #### C. Register OAuth2 Clients in Hydra - For each application (microservice) that should use SSO, register it as an OAuth2 client in Hydra. Assign appropriate redirect URIs and scopes [Ory Hydra OAuth2 Use Cases](https://www.ory.sh/docs/oauth2-oidc#use-cases). --- ### 3. Implement the Login and Consent App - Use the [hydra-login-consent-node](https://github.com/ory/hydra-login-consent-node) reference app as a starting point. - Adapt the login endpoint to use Kratos for authentication: - When Hydra redirects to 
/login?login_challenge=...
, your app should initiate a Kratos login flow (either by redirecting to Kratos’ self-service UI or using Kratos’ API). - After successful login, retrieve the Kratos identity ID and use it as the 
subject
when accepting the login challenge with Hydra ([custom login/consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#login-endpoint-code-example)). - Consent endpoint: After login, present the consent screen. On approval, accept the consent challenge with Hydra, specifying the granted scopes and user info as needed. --- ### 4. SSO Flow Summary 1. User tries to access an OAuth2 client (microservice). 2. The client redirects the user to Hydra’s 
/oauth2/auth
endpoint. 3. Hydra checks for a session; if none, it redirects to your login app. 4. The login app uses Kratos to authenticate the user. 5. On success, the login app accepts the login challenge with Hydra, passing the Kratos identity. 6. Hydra redirects to the consent app (can be the same as the login app). 7. User grants consent; the app accepts the consent challenge with Hydra. 8. Hydra issues tokens and redirects the user back to the client. --- ### 5. References and Examples - [Custom Login and Consent Flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#flow-steps) - [hydra-login-consent-node reference app](https://github.com/ory/hydra-login-consent-node) - [kratos.yml and hydra.yml example](https://github.com/ory/kratos/issues/4233) --- Note: The knowledge sources do not provide a full, ready-to-use example specifically pairing Kratos and Hydra, but the above steps synthesize the process from the available documentation and examples. You will need to adapt the reference login/consent app to use Kratos for authentication as described above.
w
@chilly-king-10285 
hydra create oauth2-client --name "RFID SSO" --grant-type authorization_code,refresh_token --response-type code --scope openid,offline_access,email --redirect-uri <http://localhost:3000/auth/callback,https://sso.eagle-rfid.com/auth/callback> --skip-consent --skip-logout-consent --endpoint <https://kratos-admin.eagle-rfid.com>
Is this correct for creating a client?
c
A message from kapa.ai
Your command is mostly correct in terms of the options used for creating an OAuth2 client with Ory Hydra, but there are a few points to clarify and correct based on the knowledge sources: 1. Multiple Redirect URIs: The 
--redirect-uri
flag should be used multiple times for each URI, not as a comma-separated list. For example:
Copy code
--redirect-uri <http://localhost:3000/auth/callback> --redirect-uri <https://sso.eagle-rfid.com/auth/callback>
This is shown in the examples from the documentation [Manage OAuth2 Clients](https://www.ory.sh/docs/hydra/guides/oauth2-clients#example-oauth2-clients). 2. Endpoint URL: The 
--endpoint
flag should point to the Hydra admin endpoint, not the Kratos admin endpoint. For example, it should be something like 
<https://hydra-admin.eagle-rfid.com>
(or the appropriate URL for your Hydra admin API), not Kratos. 3. Flags and Options: The flags you are using (
--name
, 
--grant-type
, 
--response-type
, 
--scope
, 
--redirect-uri
, 
--skip-consent
, 
--skip-logout-consent
) are all valid and documented options for creating a client [hydra create oauth2-client options](https://www.ory.sh/docs/hydra/cli/hydra-create-oauth2-client#options). Corrected Example:
Copy code
sh hydra create oauth2-client \   --name "RFID SSO" \   --grant-type authorization_code \   --grant-type refresh_token \   --response-type code \   --scope openid \   --scope offline_access \   --scope email \   --redirect-uri <http://localhost:3000/auth/callback> \   --redirect-uri <https://sso.eagle-rfid.com/auth/callback> \   --skip-consent \   --skip-logout-consent \   --endpoint <https://hydra-admin.eagle-rfid.com>
Summary: - Use multiple 
--redirect-uri
flags for each URI. - The 
--endpoint
should be your Hydra admin endpoint, not Kratos. - All other options are correct and supported. For more details, see the [official documentation on client creation](https://www.ory.sh/docs/hydra/cli/hydra-create-oauth2-client#options) and [example usage](https://www.ory.sh/docs/hydra/guides/oauth2-clients#example-oauth2-clients).
w
@chilly-king-10285 so with that somethinhg like this goes in my kratos config
Copy code
selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: rfid-sso # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
            provider: generic
            client_id:             client_secret: .... # Replace this with the Client secret
            issuer_url: <https://your-project-slug.projects.oryapis.com> # Replace this with the providers issuer URL
            mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"
            # Alternatively, use an URL:
            # mapper_url: <https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17f22ce7f4295c739604b183f05ac4afb4>
            scope:
              - email
              - offline_access
              - openid
            # supported scopes can be found in your providers dev docs
      enabled: true
c
A message from kapa.ai
Yes, your Kratos configuration snippet is on the right track for adding an OIDC provider (such as your "RFID SSO" client) to Kratos. Here’s how it should look, based on the knowledge sources:
Copy code
yaml selfservice:   methods:     oidc:       config:         providers:           - id: rfid-sso # this is <provider-id> in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!             provider: generic             client_id: ... # Replace this with the OAuth2 Client ID you created in Hydra             client_secret: ... # Replace this with the OAuth2 Client Secret from Hydra             issuer_url: <https://your-hydra-public-url> # This should be the public URL of your Hydra instance             mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"             # Alternatively, use an URL:             # mapper_url: <https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17f22ce7f4295c739604b183f05ac4afb4>             scope:               - email               - offline_access               - openid       enabled: true
Key points from the knowledge sources: - 
id
is the unique identifier for this provider and is used in the callback URL. - 
provider
should be 
generic
for a standard OIDC provider like Hydra. - 
client_id
and 
client_secret
must match what you configured in Hydra for this OAuth2 client. - 
issuer_url
should be the public URL of your Hydra instance, not the Ory Network project slug unless you are using Ory Network as the OIDC provider ([see example](https://www.ory.sh/docs/kratos/social-signin/generic)). - 
mapper_url
is required for mapping claims to your Kratos identity schema, and can be provided as a base64-encoded Jsonnet snippet or a URL ([see example](https://www.ory.sh/docs/kratos/social-signin/generic#data-mapping)). - 
scope
should include at least 
openid
, and any other scopes you need (like 
email
, 
offline_access
) ([see example](https://www.ory.sh/docs/kratos/social-signin/generic#scopes)). Summary: Your configuration is correct in structure. Just ensure you fill in the actual values for 
client_id
, 
client_secret
, and set 
issuer_url
to your Hydra public endpoint. For more details and examples, see the [Ory Kratos social sign-in generic provider documentation](https://www.ory.sh/docs/kratos/social-signin/generic).
w
@chilly-king-10285 what is the jsonet snippet for, and what do I need to do with it?
Copy code
local claims = {
  email_verified: false,
} + std.extVar('claims');

{
  identity: {
    traits: {
      // Allowing unverified email addresses enables account
      // enumeration attacks,  if the value is used for
      // verification or as a password login identifier.
      //
      // Therefore we only return the email if it (a) exists and (b) is marked verified.
      [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
    },
  },
}
c
A message from kapa.ai
The Jsonnet snippet you provided is used for data mapping in Ory Kratos when integrating with an OIDC (OpenID Connect) provider. Its purpose is to map the claims (user information) received from the OIDC provider (such as Hydra) to the traits defined in your Kratos identity schema. What does the snippet do? - It takes the claims received from the OIDC provider and checks if the 
email
field exists and is verified (
email_verified
is true). - If both conditions are met, it sets the 
email
trait in the Kratos identity; otherwise, it leaves it unset. This helps prevent unverified or missing emails from being used as identifiers, which is important for security. What do you need to do with it? 1. Save the snippet to a file (e.g., 
your-data-mapping.jsonnet
). 2. Encode the file in Base64:
Copy code
sh    cat your-data-mapping.jsonnet | base64
3. Add the Base64-encoded string to your Kratos OIDC provider configuration under the 
mapper_url
field, like this:
Copy code
yaml    mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"
Alternatively, you can host the Jsonnet file at a URL accessible to Ory Kratos and use that URL in 
mapper_url
. This process ensures that when a user signs in via your OIDC provider, Kratos will use this mapping to extract and validate the user's email before creating or updating the identity [see Ory documentation](https://www.ory.sh/docs/kratos/social-signin/ory#data-mapping). > Note: Do not store secrets or sensitive data in the Jsonnet snippet, as it is not encrypted in Ory Network [see Ory documentation](https://www.ory.sh/docs/kratos/social-signin/ory#data-mapping).
w
@chilly-king-10285 can you just create a basic jsonnet file that pairs with hydra?
c
A message from kapa.ai
Certainly! Here is a basic Jsonnet file for Ory Kratos that pairs with Ory Hydra as an OIDC provider. This snippet maps the 
email
claim (if it exists and is verified) from Hydra to the Kratos identity traits. This pattern is recommended in the Ory documentation for secure email handling:
Copy code
jsonnet local claims = {   email_verified: false, } + std.extVar('claims');  {   identity: {     traits: {       // Only set the email trait if it exists and is verified       [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,     },   }, }
How to use: 1. Save this snippet to a file (e.g., 
hydra-mapper.jsonnet
). 2. Encode it in Base64 and use the resulting string in your Kratos OIDC provider configuration under 
mapper_url
as described in the documentation [Data mapping](https://www.ory.sh/docs/kratos/social-signin/ory#data-mapping). This is the standard and recommended minimal mapping for pairing Kratos with Hydra as an OIDC provider.
w
@chilly-king-10285 Okay I've configured the hydra and kratos services with each other like this
Copy code
selfservice:
  default_browser_return_url: <https://sso.eagle-rfid.com/>
  flows:
    login:
      ui_url: <https://sso.eagle-rfid.com/auth/login>
    recovery:
      ui_url: <https://sso.eagle-rfid.com/auth/recovery>
    registration:
      ui_url: <https://sso.eagle-rfid.com/auth/registration>
    settings:
      ui_url: <https://sso.eagle-rfid.com/auth/settings>
    methods:
      oidc:
        config:
          providers:
            - id: rfid-sso
              provider: generic
              client_id: redacted
              client_secret: redacted
              issuer_url: <https://hydra.eagle-rfid.com>
              scope:
                - email
                - offline_access
                - openid
        enabled: true
c
A message from kapa.ai
Your configuration is mostly correct for setting up Ory Kratos to use Ory Hydra as an OIDC provider, but there are a few important points and potential improvements based on the knowledge sources: 1. OIDC Provider Configuration - The 
issuer_url
should be the public URL of your Hydra instance (as you have set). - You must also provide a 
mapper_url
to map claims from Hydra to your Kratos identity traits. This is required for the OIDC provider to work correctly. The knowledge sources provide a [Jsonnet example for data mapping](https://www.ory.sh/docs/kratos/social-signin/ory#data-mapping). 2. Scopes - The scopes you have listed (
email
, 
offline_access
, 
openid
) are correct and recommended for a standard OIDC flow [Connecting a project to the SSO provider](https://www.ory.sh/docs/kratos/social-signin/ory#connecting-a-project-to-the-sso-provider). 3. Missing 
mapper_url
 - Your configuration is missing the 
mapper_url
field, which is necessary for Kratos to map the claims from Hydra to the identity traits. Without this, the OIDC flow may not work as expected. Here’s how you should add it:
Copy code
yaml      mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"
Use a Jsonnet snippet like the one provided in the documentation to securely map the email claim [Data mapping](https://www.ory.sh/docs/kratos/social-signin/ory#data-mapping). 4. Example with 
mapper_url
Copy code
yaml    selfservice:      default_browser_return_url: <https://sso.eagle-rfid.com/>      flows:        login:          ui_url: <https://sso.eagle-rfid.com/auth/login>        recovery:          ui_url: <https://sso.eagle-rfid.com/auth/recovery>        registration:          ui_url: <https://sso.eagle-rfid.com/auth/registration>        settings:          ui_url: <https://sso.eagle-rfid.com/auth/settings>      methods:        oidc:          config:            providers:              - id: rfid-sso                provider: generic                client_id: redacted                client_secret: redacted                issuer_url: <https://hydra.eagle-rfid.com>                scope:                  - email                  - offline_access                  - openid                mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"          enabled: true
5. Summary - Add the 
mapper_url
to your provider configuration. - Ensure your Jsonnet mapping is secure and only exposes verified claims as needed. For more details and the recommended Jsonnet snippet, see the [Ory documentation on data mapping](https://www.ory.sh/docs/kratos/social-signin/ory#data-mapping). If you need help generating the base64-encoded Jsonnet, let me know!
w
@chilly-king-10285 I've configured the kratos service with this
Copy code
selfservice:
  default_browser_return_url: <https://sso.eagle-rfid.com/>
  flows:
    login:
      ui_url: <https://sso.eagle-rfid.com/auth/login>
    recovery:
      ui_url: <https://sso.eagle-rfid.com/auth/recovery>
    registration:
      ui_url: <https://sso.eagle-rfid.com/auth/registration>
    settings:
      ui_url: <https://sso.eagle-rfid.com/auth/settings>
    methods:
      oidc:
        config:
          providers:
            - id: rfid-sso
              provider: generic
              client_id: redacted
              client_secret: redacted
              issuer_url: <https://hydra.eagle-rfid.com>
              scope:
                - email
                - offline_access
                - openid
        enabled: true
and created the oauth2-client in hydra and put the credentails in the kratos methods. Now what do I do?
c
A message from kapa.ai
You’ve completed the core configuration steps for connecting Ory Kratos and Ory Hydra for OIDC-based SSO. Here’s what you should do next, based on the knowledge sources: --- ### 1. Add a Data Mapping (
mapper_url
) Your Kratos OIDC provider configuration is missing the required 
mapper_url
field. This field tells Kratos how to map claims from Hydra to your identity traits. Without it, the OIDC flow will not work as expected. Follow the [official guidance](https://www.ory.sh/docs/kratos/social-signin/ory#data-mapping): - Create a Jsonnet file (see example below). - Base64-encode the file. - Add the encoded string to your Kratos config as 
mapper_url: "base64://..."
. Example Jsonnet:
Copy code
jsonnet local claims = {   email_verified: false, } + std.extVar('claims');  {   identity: {     traits: {       [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,     },   }, }
--- ### 2. Restart Kratos After updating your configuration, restart the Kratos service to apply the changes. --- ### 3. Test the Flow - Go to your login UI (e.g., `https://sso.eagle-rfid.com/auth/login`). - You should see an option to log in with your OIDC provider (Hydra). - When you select it, the flow should redirect you through Hydra, perform authentication, and return you to Kratos with the mapped identity. --- ### 4. Verify User Creation and Login - After a successful login, Kratos should create or update the user identity using the mapped claims from Hydra. - Check that the user’s traits (e.g., email) are set as expected. --- ### 5. Troubleshooting If the flow does not work: - Check Kratos and Hydra logs for errors. - Ensure the client credentials and redirect URIs match between Hydra and Kratos. - Make sure the 
mapper_url
is correctly set and the Jsonnet is valid. --- For more details and examples, see the [Ory Kratos social sign-in documentation](https://www.ory.sh/docs/kratos/social-signin/ory#connecting-a-project-to-the-sso-provider). If you need help with the Jsonnet or base64 encoding, let me know!
w
@chilly-king-10285 I've added the mapper url, how do I create a basic nextjs login page for the sso?
c
A message from kapa.ai
To create a basic Next.js login page for SSO with your Ory Kratos and Hydra setup, you can use the [Ory Elements](https://www.ory.sh/docs/getting-started/integrate-auth/nextjs-app-router-quickstart) library, which provides ready-to-use React components for Ory self-service flows, including OIDC/social sign-in. Here’s a high-level outline based on the official quickstart: --- ### 1. Install Ory Elements and Next.js Integration
Copy code
bash npm install @ory/elements-react @ory/nextjs
[Next.js App Router Quickstart](https://www.ory.sh/docs/getting-started/integrate-auth/nextjs-app-router-quickstart) --- ### 2. Set Up Ory Configuration Create an 
ory.config.ts
file in your project root. (See the [example config](https://raw.githubusercontent.com/ory/elements/refs/heads/main/examples/nextjs-app-router/ory.config.ts#L0-L0).) --- ### 3. Create the Login Page Create a file at 
app/auth/login/page.tsx
(for App Router) or 
pages/auth/login.tsx
(for Pages Router). You can use the Ory Elements 
<LoginFlow />
component, which will automatically render the OIDC/Social login button if your Kratos config is correct. Example for App Router:
Copy code
tsx // app/auth/login/page.tsx 'use client'  import { LoginFlow } from '@ory/elements-react'  export default function Login() {   return <LoginFlow /> }
[See full code example](https://raw.githubusercontent.com/ory/elements/refs/heads/main/examples/nextjs-app-router/app/auth/login/page.tsx#L0-L0) --- ### 4. Run Your App Start your Next.js app and navigate to 
/auth/login
. You should see a login form with an option to log in using your OIDC/SSO provider (Hydra), as configured in Kratos. --- Note: - The OIDC/SSO button will appear automatically if your Kratos OIDC method is enabled and configured. - If you want to build a fully custom UI, you can use the [custom UI guides and reference implementations](https://www.ory.sh/docs/getting-started/custom-ui) for Next.js/React, which show how to manually handle the login flow and render the OIDC button. --- For more details and working examples, see the [Next.js authentication quickstart](https://www.ory.sh/docs/getting-started/integrate-auth/nextjs-app-router-quickstart) and [custom UI example](https://www.ory.sh/nextjs-authentication-spa-custom-flows-open-source/).
w
@chilly-king-10285 The guide asks for
Copy code
# This is an example project, please replace it with yours!
NEXT_PUBLIC_ORY_SDK_URL=<https://nervous-lewin-4edwdlsbyw.projects.oryapis.com>

# Set the API Token for support of SAML and OIDC.
ORY_PROJECT_API_TOKEN=
Where do I put my kratos login?
c
A message from kapa.ai
In the context of the Ory Next.js integration guide, the 
NEXT_PUBLIC_ORY_SDK_URL
environment variable should be set to the base URL of your Ory Kratos (or Ory Network) public API endpoint. This is how the frontend communicates with Kratos for authentication flows. You do not put your Kratos login UI URL in this variable. Instead, you set the SDK URL to your Kratos project's public API endpoint, for example:
Copy code
NEXT_PUBLIC_ORY_SDK_URL=<https://sso.eagle-rfid.com>
or, if you are using Ory Network:
Copy code
NEXT_PUBLIC_ORY_SDK_URL=https://<your-project-slug>.<http://projects.oryapis.com|projects.oryapis.com>
The login UI URL itself is configured in your Kratos configuration file under 
selfservice.flows.login.ui_url
, not in the 
.env
file for your Next.js app [Configure Ory to use your UI](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui). So, in summary: - In your 
.env
file, set 
NEXT_PUBLIC_ORY_SDK_URL
to your Kratos public API endpoint. - The login UI URL is set in the Kratos config, not in the Next.js environment variables. For more details, see the [Next.js App Router Quickstart](https://www.ory.sh/docs/getting-started/integrate-auth/nextjs-app-router-quickstart) and [Bring your own UI guide](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui).
w
@chilly-king-10285 When I click sign in with rfid-sso it takes me to a page that says
Copy code
The OAuth2 request resulted in an error.
Error: invalid_request
Description: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls.
Hint:
Debug:
You are seeing this page because configuration key urls.error is not set.

If you are an administrator, please read the guide to understand what you need to do. If you are a user, please contact the administrator.
and the request tries to go to 0.0.0.0:4433
Copy code
ime=2025-09-17T17:22:53Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:en-US,en;q=0.9 priority:u=0, i referer:<http://localhost:3000/> sec-ch-ua:"Chromium";v="140", "Not=A?Brand";v="24", "Google Chrome";v="140" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"macOS" sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 x-forwarded-for:10.224.0.5 x-forwarded-host:<http://hydra.eagle-rfid.com|hydra.eagle-rfid.com> x-forwarded-port:443 x-forwarded-proto:https x-forwarded-server:traefik-7d75df66bb-6r9dl x-real-ip:10.224.0.5] host:<http://hydra.eagle-rfid.com|hydra.eagle-rfid.com> method:GET path:/oauth2/auth query:client_id=fc7073bc-de5d-440e-8aa6-b0ebd79f56a5&code_challenge=B2-K-qS56zAl34823pDUgR7TtoW8h79rvfeHlPhGo3I&code_challenge_method=S256&redirect_uri=http%3A%2F%2F0.0.0.0%3A4433%2Fself-service%2Fmethods%2Foidc%2Fcallback%2Frfid-sso&response_type=code&scope=email+offline_access+openid&state=0a101590ad37b19b4d33be5a6e799be26aa9121021c663806fc24967aef579b8606e4c011a08726669642d73736f222b767a7967493474616c537664556a58744557706c7865787a4b797959316e76516e53684274334b66714a51 remote:10.244.1.164:50442 scheme:http]
time=2025-09-17T17:22:53Z level=error msg=An error occurred audience=application error=map[debug: message:invalid_request reason:The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls. stack_trace:
c
A message from kapa.ai
The error message you are seeing:
Copy code
The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls.
means that the 
redirect_uri
being sent in the OAuth2 request (`http://0.0.0.0:4433/self-service/methods/oidc/callback/rfid-sso`) does not exactly match any of the redirect URIs you registered for your OAuth2 client in Hydra. How to resolve this: 1. Check your registered redirect URIs in Hydra: The redirect URI must match exactly (including protocol, host, port, and path) one of the URIs you registered for your OAuth2 client in Hydra. Even small differences (like 
localhost
vs 
127.0.0.1
, or missing ports) will cause this error [Resolve redirect URL mismatch errors](https://www.ory.sh/docs/getting-started/integrate-auth/auth-js#resolve-redirect-url-mismatch-errors). 2. Update your OAuth2 client in Hydra: If your Kratos instance is running on 
0.0.0.0:4433
(which is the default for local development), you need to add
Copy code
<http://0.0.0.0:4433/self-service/methods/oidc/callback/rfid-sso>
as a redirect URI for your OAuth2 client in Hydra. You can do this by updating the client with the Hydra CLI, for example:
Copy code
sh    hydra update oauth2-client <client-id> \      --redirect-uri <http://0.0.0.0:4433/self-service/methods/oidc/callback/rfid-sso>
3. Restart or reload your services if needed. 4. Retest the flow. Additional notes: - If you are running in production, make sure the public URL of your Kratos instance is used as the redirect URI, not 
0.0.0.0
or 
localhost
. - The error page also mentions that you have not set the 
urls.error
configuration in Hydra, which is why you see the default error page. You can set this in your Hydra config to redirect users to a custom error page if desired. For more details, see the [Ory troubleshooting guide on redirect_uri mismatch](https://www.ory.sh/docs/troubleshooting/troubleshooting-social-sign-in#redirect_uri-mismatch) and [OAuth2 client configuration examples](https://www.ory.sh/docs/hydra/guides/oauth2-clients#example-oauth2-clients). Summary: Update your OAuth2 client in Hydra to include the exact redirect URI that Kratos is using in the OIDC callback. The URIs must match exactly, or the request will be rejected.
w
@chilly-king-10285 How do I make it redirect to kratos.eagle-rfid.com instead of trying to go to 0.0.0.0
c
A message from kapa.ai
To make Ory Kratos use 
<http://kratos.eagle-rfid.com>
(or 
<https://kratos.eagle-rfid.com>
) as the redirect URI instead of 
0.0.0.0
, you need to ensure that Kratos is configured to use the correct public URL in its self-service OIDC flow. The redirect URI is constructed based on the public URL Kratos is aware of. Steps to resolve: 1. Set the public URL in Kratos configuration: Make sure your Kratos configuration specifies the correct public URL. This is typically done with the 
serve.public.base_url
setting in your Kratos config file. For example:
Copy code
yaml    serve:      public:        base_url: <https://kratos.eagle-rfid.com>
This ensures that all self-service flow URLs (including OIDC callback URLs) are generated with your desired domain, not 
0.0.0.0
or 
localhost
. 2. Restart Kratos after making this change. 3. Update the OAuth2 client in Hydra: After updating Kratos, ensure that the redirect URI registered in Hydra matches the new callback URL, e.g.:
Copy code
<https://kratos.eagle-rfid.com/self-service/methods/oidc/callback/rfid-sso>
The redirect URI in Hydra must match exactly what Kratos will use [Social sign-in troubleshooting](https://www.ory.sh/docs/troubleshooting/troubleshooting-social-sign-in#redirect_uri-mismatch). Summary: Set the 
serve.public.base_url
in your Kratos config to your public domain. This will make Kratos generate redirect URIs with your desired hostname, and you must ensure Hydra’s client configuration matches this URI. If you follow these steps and still see 
0.0.0.0
in the redirect URI, double-check your Kratos config and restart the service to apply changes.
w
@chilly-king-10285 I'm getting this error
Copy code
ime=2025-09-17T17:41:48Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:en-US,en;q=0.9 cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". priority:u=0, i referer:<http://localhost:3000/> sec-ch-ua:"Chromium";v="140", "Not=A?Brand";v="24", "Google Chrome";v="140" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"macOS" sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 x-forwarded-for:10.224.0.5 x-forwarded-host:<http://kratos.eagle-rfid.com|kratos.eagle-rfid.com> x-forwarded-port:443 x-forwarded-proto:https x-forwarded-server:traefik-7d75df66bb-6r9dl x-real-ip:10.224.0.5] host:<http://kratos.eagle-rfid.com|kratos.eagle-rfid.com> method:GET path:/self-service/methods/oidc/callback/rfid-sso query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:10.244.1.164:55078 scheme:http]
time=2025-09-17T17:41:49Z level=error msg=An error occurred and is being forwarded to the error user interface. audience=application error=map[debug:key ory_kratos_oidc_auth_code_session does not exist in cookie: ory_kratos_continuity
c
A message from kapa.ai
The error message:
Copy code
key ory_kratos_oidc_auth_code_session does not exist in cookie: ory_kratos_continuity
indicates that Ory Kratos is unable to find the required OIDC session information in the expected cookie. This typically happens when the OIDC login flow is interrupted, the browser loses the relevant cookie, or the flow is not executed in a single browser session. Possible causes and solutions based on the knowledge sources: 1. Flow not executed in the same browser/session: Ory Kratos self-service flows (including OIDC) require that the flow is started and finished in the same browser session. If you start the flow in one browser or tab and try to finish it in another, or use tools like Postman or cURL for browser flows, the necessary cookies will not be present and you will see this error [General troubleshooting](https://www.ory.sh/docs/kratos/debug/troubleshooting). 2. Cookies not set or lost: If your browser is blocking cookies, or if there is a misconfiguration in your domain, path, or SameSite settings, the required cookies may not be set or sent back to Kratos. Make sure your cookie settings in Kratos are correct and that your browser is not blocking them [Cookie settings](https://www.ory.sh/docs/kratos/guides/configuring-cookies). 3. Mixing up domains or ports: If you are using different domains (e.g., 
localhost
, 
127.0.0.1
, or your public domain) inconsistently, cookies may not be shared as expected. Ensure you are using the same domain throughout the flow and that your Kratos 
serve.public.base_url
is set correctly [CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf). 4. API vs. Browser flows: The OIDC flow must be executed as a browser flow, not as an API flow. The API flow does not use cookies and will not work for OIDC [Traits from the Update Registration API Flow payload with OIDC get lost](https://github.com/ory/network/issues/345). What you should do: - Make sure you are starting and finishing the OIDC login flow in the same browser and session. - Double-check your Kratos cookie configuration (
serve.public.base_url
, cookie domain, SameSite settings). - Ensure your browser is not blocking cookies. - Do not use API clients or tools for browser flows. If you continue to see this error, try clearing your cookies and restarting the flow in a single browser window [General troubleshooting](https://www.ory.sh/docs/kratos/debug/troubleshooting). If you need to debug further, you can enable more verbose logging by setting 
log.leak_sensitive_values = true
in your Kratos config, but be cautious as this will log sensitive data.
w
@chilly-king-10285 ime=2025-09-17T174533Z level=info msg=started handling request http_request=map[headersmap[accepttext/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:en-US,en;q=0.9 cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". priority:u=0, i referer:http://localhost:3000/ sec-ch-ua:"Chromium";v="140", "Not=A?Brand";v="24", "Google Chrome";v="140" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"macOS" sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 x-forwarded-for:10.224.0.5 x-forwarded-host:kratos.eagle-rfid.com x-forwarded-port:443 x-forwarded-proto:https x-forwarded-server:traefik-7d75df66bb-6r9dl x-real-ip:10.224.0.5] host:kratos.eagle-rfid.com method:GET path:/self-service/methods/oidc/callback/rfid-sso query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote10.244.1.16452664 scheme:http] time=2025-09-17T174533Z level=error msg=An error occurred and is being forwarded to the error user interface. audience=application error=map[debug:key ory_kratos_oidc_auth_code_session does not exist in cookie: ory_kratos_continuity
c
A message from kapa.ai
The error message:
Copy code
key ory_kratos_oidc_auth_code_session does not exist in cookie: ory_kratos_continuity
indicates that Ory Kratos cannot find the required OIDC session information in the expected cookie. According to the knowledge sources, this typically happens when: - The OIDC login flow is not executed in the same browser session from start to finish. - Cookies are not being set or are lost due to misconfiguration (domain, path, SameSite, or secure settings). - There is a mismatch or inconsistency in the domains or ports used (e.g., mixing 
localhost
, 
127.0.0.1
, or your public domain). - The flow is being attempted via an API client or tool instead of a browser, which does not handle cookies as required. Recommended actions: 1. Ensure the flow is executed in the same browser session. Ory Kratos self-service flows require that the flow is started and finished in the same browser. Starting the flow in one browser or tab and finishing in another, or using tools like Postman or cURL, will cause this error [General troubleshooting](https://www.ory.sh/docs/kratos/debug/troubleshooting). 2. Check your cookie configuration. Make sure your Kratos configuration for cookies (domain, path, SameSite, and secure settings) is correct and matches your deployment environment. Inconsistent domains or ports can prevent cookies from being set or sent [Cookie settings](https://www.ory.sh/docs/kratos/guides/configuring-cookies). 3. Use consistent domains and ports. Avoid mixing 
localhost
, 
127.0.0.1
, and your public domain. Set 
serve.public.base_url
in your Kratos config to your actual public domain and ensure all requests use this domain [CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf). 4. Do not use API clients for browser flows. The OIDC flow must be executed as a browser flow, not as an API flow. API clients do not handle cookies as required for browser flows. If you continue to see this error, try clearing your cookies and restarting the flow in a single browser window. If needed, enable more verbose logging by setting 
log.leak_sensitive_values = true
in your Kratos config, but be aware this will log sensitive data [General troubleshooting](https://www.ory.sh/docs/kratos/debug/troubleshooting). If these steps do not resolve the issue, the knowledge sources do not provide further specific troubleshooting steps for this error.
w
@chilly-king-10285
Copy code
ime=2025-09-17T17:47:34Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:en-US,en;q=0.9 cookie:[csrf_token_b171536732acbc48f851a30731eb6145db3b603a8067e22ef9ad639df17014be=XiPUDJrQwAGwGzgqK4JbTOIlUzwiusRsG5gHyPlXSLY=; csrf_token_863fe46463d63c410b128390413bc41eb6cd4623e6a7e6e40c1af1b1c8dec526=8hpFgReQq4BNBOj+PqKJnGw1gczOizU03t/RoNLS98I=; csrf_token_04efef418fcf2a4bc48324ea5d31427cf8af5992d46878fc2b105b2cfaca2e51=K04tLL7HOQnKk/LMwezA+Rs3MIvLs7IGYu9ESuX2RQ8=] priority:u=0, i referer:<http://localhost:3000/> sec-ch-ua:"Chromium";v="140", "Not=A?Brand";v="24", "Google Chrome";v="140" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"macOS" sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 x-forwarded-for:10.224.0.5 x-forwarded-host:<http://kratos.eagle-rfid.com|kratos.eagle-rfid.com> x-forwarded-port:443 x-forwarded-proto:https x-forwarded-server:traefik-7d75df66bb-6r9dl x-real-ip:10.224.0.5] host:<http://kratos.eagle-rfid.com|kratos.eagle-rfid.com> method:GET path:/self-service/methods/oidc/callback/rfid-sso query:error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.+The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%27email%27.&state=0a1015d524c400714e76a5c6b29951fcf4c31210539f8767f1954b68b813dd42d5e932bb1a08726669642d73736f222b6452466751376931575f4d7a66674a5a5952476b504e6a456530762d79646242455f37444c324f63514151 remote:10.244.1.164:40420 scheme:http]
time=2025-09-17T17:47:34Z level=error msg=An error occurred and is being forwarded to the error user interface. audience=application error=map[debug:key ory_kratos_oidc_auth_code_session does not exist in cookie: ory_kratos_continuity
c
A message from kapa.ai
The error message in your log:
Copy code
error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.+The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%27email%27.
means that the OAuth2 client (configured in Hydra) is requesting the 
email
scope, but this client is not allowed to request that scope. How to resolve: 1. Check your OAuth2 client configuration in Hydra: Make sure that the client you created in Hydra includes 
email
in its allowed scopes. When creating or updating the client, you must specify all scopes you want to allow, for example:
Copy code
--scope openid --scope offline_access --scope email
or as a comma-separated list:
Copy code
--scope openid,offline_access,email
This is required for the client to be able to request the 
email
scope [Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom). 2. Update the client if needed: If you missed the 
email
scope, update the client using the Hydra CLI:
Copy code
sh    hydra update oauth2-client <client-id> --scope openid --scope offline_access --scope email
or
Copy code
sh    hydra update oauth2-client <client-id> --scope openid,offline_access,email
3. Restart the flow: After updating the client, restart your login flow to ensure the new configuration is used. Summary: The error is because the OAuth2 client in Hydra is not allowed to request the 
email
scope. Update the client to include 
email
in its allowed scopes, then try the flow again [Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom).
w
@chilly-king-10285 Now
Copy code
ime=2025-09-17T17:50:21Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:en-US,en;q=0.9 cookie:[better-auth.session_token=VM6inhXISrw64hQcHpMLivvL1M14WHta.QMMsxRtM8LiuBIFKpdJ4QnS0vPIxgOhpk0%2F0qoI2PPc%3D; csrf_token_399fc7197b0e388b8cc59a1a762758482ce0aee72506d16664d54a2352c620aa=NJtC63MRGd8cgCe8iSdX4Uz0P1HZaDsmKve7dYHdc8s=; csrf_token_b171536732acbc48f851a30731eb6145db3b603a8067e22ef9ad639df17014be=eBLSkXcTN8amQUVZmDSK9xaOWmxJ1y4aj9lasQ+OrOw=; next-auth.csrf-token=fada604d24aa29142266ceb6e8bccb8b4312db51a440b4e1d902f47673cd44a3%7C96e53e769882d7b4854f89fbbbd969b66fd2c2d77c8c9a651b00a6775a64baec; next-auth.callback-url=http%3A%2F%2Flocalhost%3A3000; csrf_token_863fe46463d63c410b128390413bc41eb6cd4623e6a7e6e40c1af1b1c8dec526=gpoLHRCukA9FW47vNRndD53B09U/3cnnxWSEA3YbZTI=; __next_hmr_refresh_hash__=014e0b863eb8fbf1afd16fe576d4c6fc633457081244afec; csrf_token_04efef418fcf2a4bc48324ea5d31427cf8af5992d46878fc2b105b2cfaca2e51=9vLFtAZEc2MUgzMpvP+NooRQRbvotvwacSXPp2JUzIw=; ory_kratos_continuity=MTc1ODEzMTQxNHxEWDhFQVFMX2dBQUJFQUVRQUFCZl80QUFBUVp6ZEhKcGJtY01Jd0FoYjNKNVgydHlZWFJ2YzE5dmFXUmpYMkYxZEdoZlkyOWtaVjl6WlhOemFXOXVCbk4wY21sdVp3d21BQ1F4WlRFeFlqZGtNQzB4T0dVNUxUUmxaR1V0T0RNNU55MHlOalEzTW1aaU5UazFNalk9fMSjr3d4m3p2FgUY2AprKNxKEQ7sIOtV3Na9-W-QbCRI] ory-base-url-rewrite:<http://localhost:3000> ory-base-url-rewrite-token: ory-no-custom-domain-redirect:true sec-fetch-mode:cors user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 x-forwarded-for:10.224.0.4 x-forwarded-host:<http://kratos.eagle-rfid.com|kratos.eagle-rfid.com> x-forwarded-port:443 x-forwarded-proto:https x-forwarded-server:traefik-7d75df66bb-6r9dl x-middleware-subrequest:src/middleware x-real-ip:10.224.0.4] host:<http://kratos.eagle-rfid.com|kratos.eagle-rfid.com> method:GET path:/self-service/login/browser query:login_challenge=BYrnjCyZ7LqYqcD83_7LcHd44vIIsQ49waVN4ull9dHmqNut9P31z3tqaOqyGEU0_srVF7mhzJLHkL6U0p8hgc1ZlYW-aw1h3jGxffauHFfX6DpRpK2LL1BHv63hyH4r802zQCitcvxBXP1JeZU6pfl9KNrRAzZCxqR6S4JFtUrhwAAX6dVBFs8lDBanKNKATXXA6QjRIkSQgQqHkIy4gyEi_OE6fq3Bs1VNxGLoU1In2dj2GRLS422w-z4LA1oywpc3irCpggP2wjRcZ84gBWPCAmBceLtRTb2npIC4JWHarBMv2p3_2V7RglXo8UmYtqN8-kelXH5lPChJh11XhObTOhRpk7dxDIemxNgfKESPDygT4Fqm0aVhEkzaZbrVyaio1VW0uQR7RrggJLb9d3R-dJm5VF1e6-8buYWMtIRsjmUqgvScxHITk0GTxQpZjCr23vmkXKaQF-fMM3XSJ5ggm-zrLRnyRaB7qlYd7k6A6NV0WB2-uIlFQUI43CQSO9YvlbHnrRAISPw1d23r_gFT8q3yqhUYn9wbBMdgltxgBqZBqhoilRPx9yhvhV8NV8SvyI-ESivtVLVYUhHtDipiDZ6Va1_DWdsP9hm3y1PKD-m0SSwxAEUGMzlnxz8D_I2Up3UC5Lo3ZTUr5Uas9z_9V-f8PtI1zqQ4z_H52kL8kSarHYu-0gq22QOwCdkX5-fzfiHpN8T1w2jqQpl09vyEDxT7blZgxDVpjjZJwGixZOdXLFO1cEtizz-qWl6knmpC809bhINmc-uEbwrejBao_-QOY7ZuJZFxHnTTiyukJ0vnsnXAuYV4za317vMjbp9umV5my5n2azcoeJishuDSoM4AhdrXzR-hmbJM5oSNaZeMqR2ItiChHIv9NWhDylwDhlWo7Cf_yi8tgIuB2ina5aei5k3lkPvpJSF5b7vqe4SMYLj1kodsEzTXfProwRivVXIC-EUXUcSf4AlPg6BM75HR9Xlpx8VfHFddn1vuTdxEn3AR2ix_6XAVvIcxDl1BQp4ln3iZw2j3eYihZrDnntN1WapxZGJGwvOQYSCTUP_8TxJ0YKnWgzGgBa1xmGCpyZTzR1-b6uu0SbUKW4TI8g80WcDo_QxKtyDN0z703qt8KqZfQ0-WJUGxDe50zes4oZr9w6nGffNkm-XjeS__C5DF4oL0AekQVfhgACvQo0hWt6JUCq3PSoo-Zxqo_dqrRabNQAGJsa4jFOPGwzgG9jiZR1kZYp1fzkdfT6Zy2U_mIhm4AtWjykETZ18fD4QKxRGb3SLdHVOmdmcDhMSLQMWJReHB6ckh0ONkyWnZF0kvb9Uce8cva8LVerGGMjxR6fR846imZCyH_51xkA3UjFwQUTTbD9bp37m0zo4-Q_xcdiYM3B8CYqjmRQ%3D%3D remote:10.244.1.164:52838 scheme:http]
time=2025-09-17T17:50:21Z level=error msg=An error occurred and is being forwarded to the error user interface. audience=application error=map[debug: message:An internal server error occurred, please contact the system administrator reason:refusing to parse login_challenge query parameter because oauth2_provider.url is invalid or unset stack_trace:
<http://github.com/ory/kratos/hydra.GetLoginChallengeID|github.com/ory/kratos/hydra.GetLoginChallengeID>
c
A message from kapa.ai
The error message:
Copy code
refusing to parse login_challenge query parameter because oauth2_provider.url is invalid or unset
means that Ory Kratos is not able to process the 
login_challenge
parameter because the 
oauth2_provider.url
setting in your Kratos configuration is either missing or incorrectly set. How to resolve this: 1. Set 
oauth2_provider.url
in your Kratos config: You must configure the 
oauth2_provider.url
to point to your Hydra admin endpoint. For example:
Copy code
yaml    oauth2_provider:      url: <http://hydra-admin:4445>
Replace 
<http://hydra-admin:4445>
with the actual internal/admin URL of your Hydra service as accessible from Kratos. This is required for Kratos to communicate with Hydra and process the OAuth2 login challenge ([see config example](https://github.com/ory/kratos/issues/4233)). 2. Restart Kratos after updating the config. 3. Retest the flow. Summary: This error is caused by a missing or invalid 
oauth2_provider.url
in your Kratos configuration. Set this value to your Hydra admin endpoint and restart Kratos. This will allow Kratos to process the 
login_challenge
parameter as expected ([see config details](https://github.com/ory/kratos/issues/4233)).
w
@chilly-king-10285
Copy code
ime=2025-09-17T17:53:23Z level=info msg=[DEBUG] GET <https://hydra.eagle-rfid.com/admin/oauth2/auth/requests/login?login_challenge=4AO_hlcHKNlVzQmpzja0kKBQMI-OgaOm2ugUbIDbdvo5jpgoSWt2l2Uf0mi2mQw61J7GjZMcj8rGqnG6cA8JnWWzlqSxIMjRBTaVGcGtTNY_hUMgS-fpgmaomHlhP853upccGUolnRfWzhBHHAVl9hDQzNVO7M8D4v6Ny9YqnZmigTi3Q1h5d23ah9_BuaGuy_lG9zXFEW7h0ZzEbBRy6ABo56MYgqkQ08H5wcvh_AC8TPvcawdRBymkxv76RV1WMEZBS_t-_h9m7bQSrIN1butFifR_B5EpYgEWQ4BAKHQLCwA4DavXjPxHr4NwuXVhW_XKSYFgijziw6eQ6idayCQoryg2DrYkx4oU9hMelmoPmpiqr_4LOZjdCfKNsBkd_Uy_oDJPDh_olLj1DqW1K1LnXZbFTGZSzIlNObFkMmuEyufnGx_OdGJCopKHOP91rNffAPuZidKYC-kvDnUTrhlLg_r1hz9hLyhJ2tHBCM3AaTOLprJuxIwvhEzRb5mJQFSlSrJE4WfpMGObLnWJxn9f1kn34qjgmE6xWaR74FGF8eLZTaFp6C7DWphVBvFZADrOpepYYxFmRtm8E4lB0qH7dHJMVVvr7zVMSr4oROgUSDwWKhW3dDHmckE7Wo7f3ONoZ61Vzeb1A1NWmBDXCLTO2LfA5AgZ0lny434eI3aCGPnYrBUtBo6I0FdFr4ymVMBnA69Ca0lFkwGN7B3iyZm5m6xj9I5XzJO6wPLvhXNPIc-aHaHDUbhaw5d_g9I8zZON0KClpZXIboQl454OL1LgthJMJQrSMX_3ix4zro4KOZSsWNXEKFpKGT0MtHSXfFBtHsgo_782AnJjoZjBxOT6lW51XtvnNm39If0KZmt7uK1xy-4GXLEbrFvv6y8dFKwTlwXqhpNrva9tBhYIaIOSCL8wLcv-c0V6tIHrp6x94kUOSE9wE2Nvbd6rl_UxJ323-8UqVsJF4qnf_pVZzWnSg52TO22YRBkqyFPQSkeeMQ47FvmEKIGuC_AD0cZmTkLl-XzPqwKo_TsG_7YU5YOWNjhq2L3XMQ4Juvyntn1i-W6-mHYH-WCdNDbHPPKFLSGaJLDdNpNSgzuQJooLFLBAH70U4tUCF011ljUp6YE4E98LGs_cAYALO-E9AdCu4MfcfiZyIBt00x8IUc9IQ5HYnSlRb79ZyT5ve1zC89gnL2zGQZlqaxwSFNrBFjCxxqMn9gdFf5UcqF1fhYzb2ot9yFmQhulJqnMiPYOkul2xZfYjBWk9-cEGTpC6BCRqOI1Xdf7A-oXQ6FNqqNmNUcrx0bkQ3FmyHl_vQo2vSEmpzYBoY4L72XtrG0mbaIvUGFhfRkeqaaskAqT1-WcDxVc-bCZ4wyPAyESWudiJ4Bc5tvPHr6iZeWPIXd6IJA68zw%3D%3D> audience=application service_name=Ory Kratos service_version=v1.3.1
time=2025-09-17T17:53:23Z level=error msg=An error occurred and is being forwarded to the error user interface. audience=application error=map[debug:undefined response type details:map[status_code:404] message:The request was malformed or contained invalid parameters reason:Unable to get OAuth 2.0 Login Challenge. stack_trace:
<http://github.com/ory/kratos/hydra.(*DefaultHydra).GetLoginRequest|github.com/ory/kratos/hydra.(*DefaultHydra).GetLoginRequest>
c
A message from kapa.ai
The error message:
Copy code
Unable to get OAuth 2.0 Login Challenge. details:map[status_code:404]
means that when Ory Kratos tried to fetch the login challenge from Hydra at the admin endpoint (
/admin/oauth2/auth/requests/login?login_challenge=...
), Hydra responded with a 404 Not Found. This typically indicates one of the following issues: 1. Hydra Admin Endpoint URL is Incorrect or Inaccessible: Kratos must be configured with the correct 
oauth2_provider.url
pointing to Hydra's admin API endpoint. If this URL is incorrect, or if Kratos cannot reach Hydra at this address, you will get a 404 error. Double-check that your Kratos config has:
Copy code
yaml    oauth2_provider:      url: <http://hydra-admin:4445>
(Replace with your actual Hydra admin endpoint as accessible from Kratos.) This is explicitly required for the login challenge flow to work ([see config example](https://github.com/ory/kratos/issues/4233)). 2. Hydra is Not Running or Not Exposing the Admin API: Ensure that Hydra is running and the admin API is accessible at the expected address and port. If you are using Docker, make sure the network allows Kratos to reach Hydra's admin endpoint. 3. The Login Challenge is Invalid or Expired: If the 
login_challenge
parameter is not valid or has expired, Hydra will return a 404. This can happen if the flow is not started and completed in a timely manner, or if the challenge is malformed. 4. Mismatch Between Public and Admin Endpoints: The login challenge must be fetched from the admin endpoint, not the public endpoint. Ensure you are not mixing up the URLs. What you should do: - Verify that 
oauth2_provider.url
in Kratos is set to the correct Hydra admin endpoint. - Ensure Hydra is running and the admin API is accessible from Kratos. - Make sure the login flow is started and completed in the same browser session and without delay. - Double-check that the login challenge being sent is valid and not expired. If you have confirmed all of the above and still see the error, the knowledge sources do not provide further troubleshooting steps for this specific 404 error on the login challenge endpoint.
w
@chilly-king-10285 hydra config
Copy code
urls:
  self:
    issuer: <https://hydra.eagle-rfid.com/>
  login: <http://localhost:3000/auth/login>
  consent: <http://localhost:3000/auth/consent>
  logout: <http://localhost:3000/auth/logout>
kratos config
Copy code
selfservice:
  default_browser_return_url: <http://localhost:3000>
  flows:
    login:
      ui_url: <http://localhost:3000/auth/login>
    recovery:
      ui_url: <http://localhost:3000/auth/recovery>
    registration:
      ui_url: <http://localhost:3000/auth/registration>
    settings:
      ui_url: <http://localhost:3000/auth/settings>
    error:
      ui_url: <http://localhost:3000/auth/error>
  methods:
    oidc:
      config:
        providers:
          - id: rfid-sso
            provider: generic
            client_id: ss
            client_secret: sss
            issuer_url: <https://hydra.eagle-rfid.com>
            mapper_url: "<base64://bG9jYWwgY2xhaW1zID0gewogIGVtYWlsX3ZlcmlmaWVkOiBmYWxzZSwKfSArIHN>0ZC5leHRWYXIoJ2NsYWltcycpOwoKewogIGlkZW50aXR5OiB7CiAgICB0cmFpdHM6IHsKICAgICAgLy8gT25seSBzZXQgdGhlIGVtYWlsIHRyYWl0IGlmIGl0IGV4aXN0cyBhbmQgaXMgdmVyaWZpZWQKICAgICAgW2lmICdlbWFpbCcgaW4gY2xhaW1zICYmIGNsYWltcy5lbWFpbF92ZXJpZmllZCB0aGVuICdlbWFpbCcgZWxzZSBudWxsXTogY2xhaW1zLmVtYWlsLAogICAgfSwKICB9LAp9Cg=="
            scope:
              - email
              - offline_access
              - openid
      enabled: true
serve:
  admin:
    base_url: <http://0.0.0.0:4434/>
    port: 4434
  public:
    base_url: <https://kratos.eagle-rfid.com>
    cors:
      enabled: true
    port: 4433
oauth2_provider:
  url: <https://hydra-admin.eagle-rfid.com>
Whenever I click the login with rfid-sso button, it just changes the flow id in the url?
c
A message from kapa.ai
Based on your configuration and the behavior you describe—clicking the "login with rfid-sso" button just changes the flow ID in the URL—it appears that the OIDC login flow is not progressing past the Kratos login UI and is instead re-initializing the login flow each time. Possible causes from the knowledge sources: 1. OIDC Provider Misconfiguration: If the OIDC provider is not configured correctly in Kratos, the OIDC button may not initiate the external authentication flow and instead just refreshes the Kratos login flow. Double-check that your 
client_id
, 
client_secret
, and 
issuer_url
are correct and that the OIDC client is properly registered in Hydra with the correct redirect URIs [Social sign-in configuration](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc). 2. Redirect URI Mismatch: If the redirect URI that Kratos uses for the OIDC callback is not registered in Hydra, the flow may fail silently or not proceed. Ensure that the redirect URI
Copy code
<https://kratos.eagle-rfid.com/self-service/methods/oidc/callback/rfid-sso>
is registered as an allowed redirect URI for your OAuth2 client in Hydra [redirect_uri mismatch troubleshooting](https://www.ory.sh/docs/troubleshooting/troubleshooting-social-sign-in#redirect_uri-mismatch). 3. Base URL and CORS Issues: If the 
serve.public.base_url
in Kratos does not match the domain users are accessing, or if CORS is not properly configured, the flow may not work as expected. Your config shows 
<https://kratos.eagle-rfid.com>
as the public base URL, which should match the domain used in the browser [Cookie and domain configuration](https://www.ory.sh/docs/kratos/guides/configuring-cookies). 4. No Error or Debug Output: If the flow is failing but not showing an error, check the Kratos and Hydra logs for any error messages or warnings when you click the OIDC button. This can provide more insight into what is going wrong. What you should do: - Check the browser network tab for any failed requests or redirects when you click the button. - Verify the OIDC provider configuration in Kratos and the OAuth2 client in Hydra, especially the redirect URIs. - Check Kratos and Hydra logs for errors when you attempt the OIDC login. - Ensure the OIDC provider is enabled in Kratos (
enabled: true
under 
methods.oidc
). If after these checks the issue persists, the knowledge sources do not provide a more specific troubleshooting step for the behavior where only the flow ID changes in the URL without progressing the OIDC flow. This usually indicates a misconfiguration or a missing/incorrect redirect URI in the OIDC client setup [Social sign-in troubleshooting](https://www.ory.sh/docs/kratos/social-signin/generic#troubleshooting).
w
@chilly-king-10285 I'm testing the app from localhost that's why all the links are localhost. There are no error logs in the pods on kubernetes. I see this error in the console 422 Unprocessable Entity for
Copy code
<http://localhost:3000/self-service/login?flow=0bb6372d-ecfa-4686-a914-a52e1b8ceabd>
c
A message from kapa.ai
A 
422 Unprocessable Entity
error on the login flow endpoint (e.g., 
/self-service/login?flow=...
) in Ory Kratos typically means that the flow is no longer valid or has expired, or that the browser needs to be redirected to a new flow. This is a common scenario when working with Single Page Applications (SPAs) or when the flow is not properly initialized or completed in the same browser session. From the knowledge sources: - 422 Error Meaning: A 422 response indicates that the browser needs to be redirected with a newly created flow. For SPAs, the new flow ID can be extracted from the payload and the response can be retrieved in the background instead of a redirect. The error payload will include a 
redirect_browser_to
field with the new flow URL [SPAs and the '422' error](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#spas-and-the-422-error). - Typical Causes: - The flow has expired (flows have a limited lifespan). - The flow was started in a different browser session or tab. - The flow was already used or is otherwise invalid. - What to Do: - When you receive a 422 error, check the response body for a 
redirect_browser_to
field. Your frontend should redirect the user to this new URL to start a fresh flow. - Make sure your SPA or frontend app is handling this scenario by listening for 422 responses and performing the redirect as instructed in the payload. Example 422 Error Payload:
Copy code
json {   "error": {     "id": "browser_location_change_required",     "code": 422,     "status": "Unprocessable Entity",     "reason": "In order to complete this flow please redirect the browser to: /ui/login?flow=ad574ad7-1a3c-4b52-9f54-ef9e866f3cec",     "message": "browser location change required"   },   "redirect_browser_to": "/ui/login?flow=ad574ad7-1a3c-4b52-9f54-ef9e866f3cec" }
Your frontend should use the 
redirect_browser_to
value to redirect the user and continue the login process [SPAs and the '422' error](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#spas-and-the-422-error). If you are not seeing this field or the error persists, double-check that your frontend is correctly handling expired or invalid flows and that all requests are made in the same browser session [General troubleshooting](https://www.ory.sh/docs/kratos/debug/troubleshooting). If you need more details on handling this in your frontend, let me know!
w
Copy code
ime=2025-09-17T19:09:38Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:en-US,en;q=0.9 cookie:[better-auth.session_token=VM6inhXISrw64hQcHpMLivvL1M14WHta.QMMsxRtM8LiuBIFKpdJ4QnS0vPIxgOhpk0%2F0qoI2PPc%3D; csrf_token_399fc7197b0e388b8cc59a1a762758482ce0aee72506d16664d54a2352c620aa=NJtC63MRGd8cgCe8iSdX4Uz0P1HZaDsmKve7dYHdc8s=; csrf_token_b171536732acbc48f851a30731eb6145db3b603a8067e22ef9ad639df17014be=eBLSkXcTN8amQUVZmDSK9xaOWmxJ1y4aj9lasQ+OrOw=; next-auth.csrf-token=fada604d24aa29142266ceb6e8bccb8b4312db51a440b4e1d902f47673cd44a3%7C96e53e769882d7b4854f89fbbbd969b66fd2c2d77c8c9a651b00a6775a64baec; next-auth.callback-url=http%3A%2F%2Flocalhost%3A3000; csrf_token_863fe46463d63c410b128390413bc41eb6cd4623e6a7e6e40c1af1b1c8dec526=gpoLHRCukA9FW47vNRndD53B09U/3cnnxWSEA3YbZTI=; __next_hmr_refresh_hash__=014e0b863eb8fbf1afd16fe576d4c6fc633457081244afec; csrf_token_04efef418fcf2a4bc48324ea5d31427cf8af5992d46878fc2b105b2cfaca2e51=9vLFtAZEc2MUgzMpvP+NooRQRbvotvwacSXPp2JUzIw=; ory_kratos_continuity=MTc1ODEzNjE3N3xEWDhFQVFMX2dBQUJFQUVRQUFCZl80QUFBUVp6ZEhKcGJtY01Jd0FoYjNKNVgydHlZWFJ2YzE5dmFXUmpYMkYxZEdoZlkyOWtaVjl6WlhOemFXOXVCbk4wY21sdVp3d21BQ1F6TmpCa01UbG1PQzFqT1dWaExUUmxNelV0T1RReU1pMDNOV0kzWVRaak16VTNOakE9fKHewjT91NY3R5bupEfsewTS4ByOEfXLBhtzAk02udRS] ory-base-url-rewrite:<http://localhost:3000> ory-base-url-rewrite-token: ory-no-custom-domain-redirect:true referer:<http://localhost:3000/> sec-fetch-mode:cors user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 x-forwarded-for:10.224.0.5 x-forwarded-host:<http://kratos.eagle-rfid.com|kratos.eagle-rfid.com> x-forwarded-port:443 x-forwarded-proto:https x-forwarded-server:traefik-7d75df66bb-6r9dl x-middleware-subrequest:src/middleware x-real-ip:10.224.0.5] host:<http://kratos.eagle-rfid.com|kratos.eagle-rfid.com> method:GET path:/self-service/login/browser query:login_challenge=TDo0vNqWGhlusGQs51h1UOQtZd7IhBZDKLjGimqoA5P7mNcgCKl3rO-cyKiq5iS9Pn7WWGiA7wdNYD-z9XIRSPTZMq33lUelq2KxLwugDQMz8EXK80TTaSRiw8M8tMN2SfNXdZBqy68qoeAGmKnW_9QErAyI0kAxnZCHC5nUWIwhod-eLCd1ENk5hp1K9FlpzqLLbnl_2PWpkhcJZfLJJ0SoiE7AUwtRtezCIn14iu9xX6cT12pDFHwFIdl0ClGUOVtMHZbzwjLsqEPRO6nuXwJirEH_nAAdDP8V4YQDrQES_fbMQaJ4zh7DGyak_BOqP8LGeApkclTe94InSVtgxHN1tRFPDlo_35vqEvNGpCTUBBX7g3PBQf20jSkgSv60iIYBCOznLTz-BAjCXWVI6uqAunLN3OR3IvO4x5LC8pm7hCsHiLXGNpSOzmCyPuTpkbRlGeHf462ZcYOXZUxrG1piklt2rxKsGGq1YQZWxweMw3CwDQeKRU26sC9ms3ilzKNQRcC3Zs0-rbYcG1KE-WGC35scCMvZ_UpG8SfPjQNT8AGjBKj8Ab_5gKi7iyQ7yBw5E5hZqZl14a2P-ZqRKFgSYzoD4_JZGQjjxajF-fL11khwwDPEGPdjEOx1h29chrkq_HMTim0ODVaorF0cbTZKMSaSohkplhfuUaAfqujAah_pDD81zCWiHRkWctJrVmmKPAtGvl6JUHOvgS6abeZky05EzhFzmTAEivqz5XkAeRcFN3S7u0w9awOinmmna2Gfxr4GQaxbp_N0T2gCV8rEzjWyo2lNZ9Em6fwkEALkusNTH5bMTQmSLs6oo7XWV0sQCCtUE9uy-QKe0fNLyXqV4JUnIt0pAZqRm_pHQB0FKOp_sPvJGWp4w-IEq-PyTuYMkU522RQbdYdavZYa2H7mkCjHroC03e80ym6G9X8lZaSUZe2FDgnh25AHMToO5EZAammDaNRv_YrFlNev8aFuYsiW6d-dLRpLZTiFBItSyobQohW0dXsGc00r7p48sVFhO-QVf0S_KyuxRJh_UblHssWaJtlLYNTWPbEXFIk6jHDvcghOkGRjSE8N5mnoOMHZibKEt09xzm87tpl3C896RBzGdjJ82TnSZF1d5kQqUdnB935bGBwLKffpD8eqMWRXppZysme6vRRCzwuw13gTBC9lLRLV6G5nPY9kLaQ6djmCYXg9heMfq8DjOjE2Tkph9kzxoaHxbCf1_ErfKuTdh7nxyHgiDi52jXtdSLA2qeiDqrW-wdN3yMc9OuQDjEzHjdwPqXgamSmlbR-gR-mNEwAmX_g5-EALID6x3QYPCTE3jyuy593LEZICFwXik9pCaphYhOP2F6YNH1PgcV_i4lg96c7rAumJn8YCUbI8rpXiosOe3X6VKwQe&refresh=true remote:10.244.1.164:34242 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:text/html; charset=utf-8 location:<http://localhost:3000/auth/login?flow=eee2c697-aca1-449d-a954-8092542aaa5a> vary:Origin] size:101 status:303 text_status:See Other took:90.505988ms]
time=2025-09-17T19:09:38Z level=info msg=started handling request http_request=map[headers:map[accept:application/json accept-encoding:br, gzip, deflate accept-language:* cache-control:max-age=0 cookie:[better-auth.session_token=VM6inhXISrw64hQcHpMLivvL1M14WHta.QMMsxRtM8LiuBIFKpdJ4QnS0vPIxgOhpk0%2F0qoI2PPc%3D; csrf_token_399fc7197b0e388b8cc59a1a762758482ce0aee72506d16664d54a2352c620aa=NJtC63MRGd8cgCe8iSdX4Uz0P1HZaDsmKve7dYHdc8s=; csrf_token_b171536732acbc48f851a30731eb6145db3b603a8067e22ef9ad639df17014be=eBLSkXcTN8amQUVZmDSK9xaOWmxJ1y4aj9lasQ+OrOw=; next-auth.csrf-token=fada604d24aa29142266ceb6e8bccb8b4312db51a440b4e1d902f47673cd44a3%7C96e53e769882d7b4854f89fbbbd969b66fd2c2d77c8c9a651b00a6775a64baec; next-auth.callback-url=http%3A%2F%2Flocalhost%3A3000; csrf_token_863fe46463d63c410b128390413bc41eb6cd4623e6a7e6e40c1af1b1c8dec526=gpoLHRCukA9FW47vNRndD53B09U/3cnnxWSEA3YbZTI=; __next_hmr_refresh_hash__=014e0b863eb8fbf1afd16fe576d4c6fc633457081244afec; csrf_token_04efef418fcf2a4bc48324ea5d31427cf8af5992d46878fc2b105b2cfaca2e51=9vLFtAZEc2MUgzMpvP+NooRQRbvotvwacSXPp2JUzIw=; ory_kratos_continuity=MTc1ODEzNjE3N3xEWDhFQVFMX2dBQUJFQUVRQUFCZl80QUFBUVp6ZEhKcGJtY01Jd0FoYjNKNVgydHlZWFJ2YzE5dmFXUmpYMkYxZEdoZlkyOWtaVjl6WlhOemFXOXVCbk4wY21sdVp3d21BQ1F6TmpCa01UbG1PQzFqT1dWaExUUmxNelV0T1RReU1pMDNOV0kzWVRaak16VTNOakE9fKHewjT91NY3R5bupEfsewTS4ByOEfXLBhtzAk02udRS] sec-fetch-mode:cors user-agent:node x-forwarded-for:10.224.0.5 x-forwarded-host:<http://kratos.eagle-rfid.com|kratos.eagle-rfid.com> x-forwarded-port:443 x-forwarded-proto:https x-forwarded-server:traefik-7d75df66bb-6r9dl x-real-ip:10.224.0.5] host:<http://kratos.eagle-rfid.com|kratos.eagle-rfid.com> method:GET path:/self-service/login/flows query:id=eee2c697-aca1-449d-a954-8092542aaa5a remote:10.244.1.164:34242 scheme:http]
time=2025-09-17T19:09:38Z level=info msg=[DEBUG] GET <https://hydra-admin.eagle-rfid.com/admin/oauth2/auth/requests/login?login_challenge=TDo0vNqWGhlusGQs51h1UOQtZd7IhBZDKLjGimqoA5P7mNcgCKl3rO-cyKiq5iS9Pn7WWGiA7wdNYD-z9XIRSPTZMq33lUelq2KxLwugDQMz8EXK80TTaSRiw8M8tMN2SfNXdZBqy68qoeAGmKnW_9QErAyI0kAxnZCHC5nUWIwhod-eLCd1ENk5hp1K9FlpzqLLbnl_2PWpkhcJZfLJJ0SoiE7AUwtRtezCIn14iu9xX6cT12pDFHwFIdl0ClGUOVtMHZbzwjLsqEPRO6nuXwJirEH_nAAdDP8V4YQDrQES_fbMQaJ4zh7DGyak_BOqP8LGeApkclTe94InSVtgxHN1tRFPDlo_35vqEvNGpCTUBBX7g3PBQf20jSkgSv60iIYBCOznLTz-BAjCXWVI6uqAunLN3OR3IvO4x5LC8pm7hCsHiLXGNpSOzmCyPuTpkbRlGeHf462ZcYOXZUxrG1piklt2rxKsGGq1YQZWxweMw3CwDQeKRU26sC9ms3ilzKNQRcC3Zs0-rbYcG1KE-WGC35scCMvZ_UpG8SfPjQNT8AGjBKj8Ab_5gKi7iyQ7yBw5E5hZqZl14a2P-ZqRKFgSYzoD4_JZGQjjxajF-fL11khwwDPEGPdjEOx1h29chrkq_HMTim0ODVaorF0cbTZKMSaSohkplhfuUaAfqujAah_pDD81zCWiHRkWctJrVmmKPAtGvl6JUHOvgS6abeZky05EzhFzmTAEivqz5XkAeRcFN3S7u0w9awOinmmna2Gfxr4GQaxbp_N0T2gCV8rEzjWyo2lNZ9Em6fwkEALkusNTH5bMTQmSLs6oo7XWV0sQCCtUE9uy-QKe0fNLyXqV4JUnIt0pAZqRm_pHQB0FKOp_sPvJGWp4w-IEq-PyTuYMkU522RQbdYdavZYa2H7mkCjHroC03e80ym6G9X8lZaSUZe2FDgnh25AHMToO5EZAammDaNRv_YrFlNev8aFuYsiW6d-dLRpLZTiFBItSyobQohW0dXsGc00r7p48sVFhO-QVf0S_KyuxRJh_UblHssWaJtlLYNTWPbEXFIk6jHDvcghOkGRjSE8N5mnoOMHZibKEt09xzm87tpl3C896RBzGdjJ82TnSZF1d5kQqUdnB935bGBwLKffpD8eqMWRXppZysme6vRRCzwuw13gTBC9lLRLV6G5nPY9kLaQ6djmCYXg9heMfq8DjOjE2Tkph9kzxoaHxbCf1_ErfKuTdh7nxyHgiDi52jXtdSLA2qeiDqrW-wdN3yMc9OuQDjEzHjdwPqXgamSmlbR-gR-mNEwAmX_g5-EALID6x3QYPCTE3jyuy593LEZICFwXik9pCaphYhOP2F6YNH1PgcV_i4lg96c7rAumJn8YCUbI8rpXiosOe3X6VKwQe> audience=application service_name=Ory Kratos service_version=v1.3.1
time=2025-09-17T19:09:38Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json accept-encoding:br, gzip, deflate accept-language:* cache-control:max-age=0 cookie:[better-auth.session_token=VM6inhXISrw64hQcHpMLivvL1M14WHta.QMMsxRtM8LiuBIFKpdJ4QnS0vPIxgOhpk0%2F0qoI2PPc%3D; csrf_token_399fc7197b0e388b8cc59a1a762758482ce0aee72506d16664d54a2352c620aa=NJtC63MRGd8cgCe8iSdX4Uz0P1HZaDsmKve7dYHdc8s=; csrf_token_b171536732acbc48f851a30731eb6145db3b603a8067e22ef9ad639df17014be=eBLSkXcTN8amQUVZmDSK9xaOWmxJ1y4aj9lasQ+OrOw=; next-auth.csrf-token=fada604d24aa29142266ceb6e8bccb8b4312db51a440b4e1d902f47673cd44a3%7C96e53e769882d7b4854f89fbbbd969b66fd2c2d77c8c9a651b00a6775a64baec; next-auth.callback-url=http%3A%2F%2Flocalhost%3A3000; csrf_token_863fe46463d63c410b128390413bc41eb6cd4623e6a7e6e40c1af1b1c8dec526=gpoLHRCukA9FW47vNRndD53B09U/3cnnxWSEA3YbZTI=; __next_hmr_refresh_hash__=014e0b863eb8fbf1afd16fe576d4c6fc633457081244afec; csrf_token_04efef418fcf2a4bc48324ea5d31427cf8af5992d46878fc2b105b2cfaca2e51=9vLFtAZEc2MUgzMpvP+NooRQRbvotvwacSXPp2JUzIw=; ory_kratos_continuity=MTc1ODEzNjE3N3xEWDhFQVFMX2dBQUJFQUVRQUFCZl80QUFBUVp6ZEhKcGJtY01Jd0FoYjNKNVgydHlZWFJ2YzE5dmFXUmpYMkYxZEdoZlkyOWtaVjl6WlhOemFXOXVCbk4wY21sdVp3d21BQ1F6TmpCa01UbG1PQzFqT1dWaExUUmxNelV0T1RReU1pMDNOV0kzWVRaak16VTNOakE9fKHewjT91NY3R5bupEfsewTS4ByOEfXLBhtzAk02udRS] sec-fetch-mode:cors user-agent:node x-forwarded-for:10.224.0.5 x-forwarded-host:<http://kratos.eagle-rfid.com|kratos.eagle-rfid.com> x-forwarded-port:443 x-forwarded-proto:https x-forwarded-server:traefik-7d75df66bb-6r9dl x-real-ip:10.224.0.5] host:<http://kratos.eagle-rfid.com|kratos.eagle-rfid.com> method:GET path:/self-service/login/flows query:id=eee2c697-aca1-449d-a954-8092542aaa5a remote:10.244.1.164:34242 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 vary:Origin] size:7547 status:200 text_status:OK took:80.239589ms]
t
@chilly-king-10285 this is the only stuff I see in the kratos console
c
A message from kapa.ai
Based on your logs and description, the flow appears to be working as expected from the Ory Kratos side: you are being redirected to a new login flow (
/auth/login?flow=...
), and the flow data is being returned with a 200 status. There are no error logs in Kratos, and the only visible issue is that the flow ID changes in the URL when you click the "login with rfid-sso" button. From the knowledge sources, this behavior typically means: - The OIDC provider is configured and enabled, but the frontend (your Next.js app at 
localhost:3000
) is not handling the OIDC flow initiation or the 422 error/redirects properly. - If you are using a Single Page Application (SPA), you must handle the 422 Unprocessable Entity error by redirecting the user to the new flow URL provided in the 
redirect_browser_to
field of the error response. This is a common requirement for SPAs using Ory Kratos [SPAs and the '422' error](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#spas-and-the-422-error). What you should do: 1. Check your frontend code: Ensure your frontend is handling 422 responses from the Kratos API. When a 422 is received, your app should read the 
redirect_browser_to
field from the response and redirect the browser to that URL to continue the flow. 2. Verify OIDC provider configuration: Double-check that your OIDC provider in Kratos is correctly configured and enabled, and that the OAuth2 client in Hydra has the correct redirect URIs registered. If the OIDC button is visible but does not initiate the external login, it may be a frontend or flow handling issue. 3. Browser session consistency: Make sure you are starting and finishing the flow in the same browser session and not mixing domains or ports, as this can cause cookies and flows to become invalid [General troubleshooting](https://www.ory.sh/docs/kratos/debug/troubleshooting). 4. Check for network errors: Use your browser's developer tools to inspect network requests when you click the OIDC button. Look for failed requests or 422 responses and check their payloads for the 
redirect_browser_to
field. If you follow these steps and the issue persists, the knowledge sources do not provide further specific troubleshooting steps for this scenario. The most likely cause, based on the documentation, is that your frontend is not handling the 422 error and redirecting as required for SPAs [SPAs and the '422' error](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#spas-and-the-422-error).
w
@chilly-king-10285 Is there no documenation for connecting ory hydra and ory kratos for self hosted instances?
c
A message from kapa.ai
I'm sorry, but the knowledge sources do not contain a dedicated, step-by-step official documentation specifically for connecting self-hosted Ory Hydra and Ory Kratos. While there are configuration examples, reference implementations, and related GitHub issues that discuss integrating the two (such as setting 
oauth2_provider.url
in Kratos to point to Hydra's admin endpoint and configuring Hydra's login/consent URLs to point to your app), there is no comprehensive, official guide that walks through the entire process for self-hosted instances. Most available information is pieced together from configuration snippets, reference apps, and troubleshooting tips found in the documentation and GitHub issues [see config example](https://github.com/ory/kratos/issues/4233). If you need to set up this integration, you will need to synthesize the process from these scattered resources.
Open in Slack
PreviousNext
Powered by