# ory-selfhosting
Hi all! I'm running Kratos (version: v0.9.0-alpha.3) in an AKS cluster with the Helm chart and a custom values.yml, behind the nginx ingress. I have Kratos running on https://kratos.example.com, and I have multiple frontend apps on different subdomains but under the same TLD, https://{appName}.example.com. I can't seem to figure out how to set the cookie for the TLD; at the moment it gets set for each subdomain, and this makes the UX terrible, since users have to log in for each app.

values.yaml:
```yaml
kratos:
  autoMigrate: true
  identitySchemas:
    "identity.default.schema.json": |
      {
        "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
        "$schema": "http://json-schema.org/draft-07/schema#",
        "title": "Person",
        "type": "object",
        "properties": {
          "traits": {
            "type": "object",
            "properties": {
              "email": {
                "type": "string",
                "format": "email",
                "title": "E-Mail",
                "minLength": 3,
                "ory.sh/kratos": {
                  "credentials": {
                    "password": {
                      "identifier": true
                    },
                    "totp": {
                      "account_name": true
                    }
                  },
                  "verification": {
                    "via": "email"
                  },
                  "recovery": {
                    "via": "email"
                  }
                }
              },
              "role": {
                "title": "Role",
                "type": "string",
                "default": "user",
                "enum": ["user", "admin"]
              }
            },
            "required": [
              "email"
            ],
            "additionalProperties": true
          }
        }
      }
  config:
    version: v0.9.0-alpha.3
    serve:
      # admin:
      #   port: 80
      public:
        base_url: https://kratos.example.com
        cors:
          enabled: true
          allowed_origins:
            - https://example.com
            - https://*.example.com
            - http://localhost:3000
          allowed_methods:
            - POST
            - GET
            - PUT
            - PATCH
            - DELETE
          allowed_headers:
            - Authorization
            - Cookie
            - Content-Type
            - X-Session-Token
          exposed_headers:
            - Content-Type
            - Set-Cookie
    dsn: postgres://secretDb
    courier:
      smtp:
        connection_uri: smtps://secretSmtp
    identity:
      default_schema_id: default
      schemas:
        - id: default
          url: file:///etc/config/identity.default.schema.json
    log:
      level: debug
      format: text
      leak_sensitive_values: true
    selfservice:
      default_browser_return_url: https://appLogin.example.com
      allowed_return_urls:
        - https://*.example.com
        - https://appLogin.example.com
        - https://app2.example.com
        - https://app2.example.com
        - http://localhost:3000
      methods:
        password:
          enabled: true
      flows:
        error:
          ui_url: https://appLogin.example.com/error
        settings:
          ui_url: https://appLogin.example.com/settings
          privileged_session_max_age: 15m
        recovery:
          enabled: false
          ui_url: https://appLogin.example.com/recovery
        verification:
          enabled: false
          ui_url: https://appLogin.example.com/verification
          after:
            default_browser_return_url: https://appLogin.example.com/
        logout:
          after:
            default_browser_return_url: https://appLogin.example.com/
        login:
          ui_url: https://appLogin.example.com/
          after:
            default_browser_return_url: https://appLogin.example.com/
          lifespan: 10m
        registration:
          lifespan: 10m
          ui_url: https://appLogin.example.com/registration
          after:
            password:
              hooks:
                - hook: session
    ciphers:
      algorithm: xchacha20-poly1305
    hashers:
      algorithm: bcrypt
      bcrypt:
        cost: 8
    secrets:
      cookie:
        - SOME_LONG_SECRET
      cipher:
        - SOME_LONG_SECRET
    cookies:
      domain: example.com
      path: /
      same_site: Lax
    # session:
    #   cookie:
    #     domain: .example.com
    #     path: /
    #     same_site: Lax
image:
  # -- ORY KRATOS image
  repository: oryd/kratos
  # -- ORY KRATOS VERSION
  # Alternative format: image: oryd/kratos:v0.6.3-alpha.1
  tag: v0.9.0-alpha.3
  # pullPolicy: IfNotPresent
  imagePullPolicy: Always
deployment:
  # -- Configure the probes for when the deployment is considered ready and ongoing health check
  livenessProbe:
    httpGet:
      path: /health/alive
      port: http-admin
    initialDelaySeconds: 60
    periodSeconds: 10
    failureThreshold: 5
  readinessProbe:
    httpGet:
      path: /health/ready
      port: http-admin
    initialDelaySeconds: 60
    periodSeconds: 10
    failureThreshold: 5
  # -- If you want to mount external volume
  # For example, mount a secret containing Certificate root CA to verify database
  # TLS connection.
ingress:
  admin:
    enabled: true
    className: nginx
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      cert-manager.io/cluster-issuer: letsencrypt
    hosts:
      - host: admin-kratos.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: kratosadmin-tls
        hosts:
          - admin-kratos.example.com
  public:
    enabled: true
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      cert-manager.io/cluster-issuer: letsencrypt
    className: nginx
    hosts:
      - host: kratos.example.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: kratospublic-tls
        hosts:
          - kratos.example.com
```
Hello. Try to modify this

```yaml
cookies:
  domain: example.com
  path: /
  same_site: Lax
```

to this

```yaml
cookies:
  domain: example.com
```