Hi friends, I'm currently trying to spike ory for ...
# general
t
Hi friends, I'm currently trying to spike ory for our app in an effort to evaluate whether moving to ory makes sense for us. So far I have a very hard time finding any documentation or examples, so I'm hoping that you can help me out. There are three components in my scenario:
• A static React app (no nextjs) @ app.example.com
• A backend API app (Spring) @ api.example.com
• Ory Managed UI (default everything with custom domain) @ auth.example.com
The cookie domain is `.example.com`, so if I understood correctly, this setup should be supported. Is there any documentation (or examples) that describes this use case? Sorry if I just missed it. I'm stuck trying to connect the react app since the only example I could find uses an edge integration, but I assume this is optional, just like with Auth0? Any pointers or guidance would be much appreciated, thanks!
some additional info - I did also read through https://www.ory.sh/docs/kratos/quickstart but don't quite understand how/if one is supposed to configure and use the ory client without a server context. However I am not a frontend developer, so maybe this is just me being thick
ah - I think I misunderstood. do I understand correctly that to realize this use case I'd need to use hydra which is not yet available in ory cloud. also there is no js sdk (yet) that simply handles all redirects/callbacks like the auth0 sdk does? so basically what we'd need to do is a) run our own hydra instance + connect it to the hosted kratos and b) implement all the login/registration redirect/state/callback logic ourselves in the react app? I haven't looked into what's required for the Spring app yet
h
Hey Dan, your setup should be workable. How do you deploy your React app?
You won’t need Ory Hydra :)
But essentially you need a custom domain name, then you need to configure the cookie domain to be `example.org`, and you will need to set up some CORS rules, in that case probably allow CORS traffic from `app.example.org` and `api.example.org`
@wonderful-lamp-2357 @magnificent-energy-493 I think this could be a good exercise to understand how we can better help developers understand how to set up Ory if they do not have a dedicated guide yet
t
hey @high-optician-2097, thanks for the reply. the react app is deployed to S3 + CloudFront. I've already set up the custom domain and connected some social login providers. I also have access to the ory session cookie in the react app; that part seems to work fine. but what I don't understand is:
• what do I do with the session cookie? my assumption is that there'd be a kratos js sdk that automatically picks up the session to check if the session is authenticated, calls the kratos api to get profile data, etc. but I can't find any docs / examples for that. do you have any pointers for me?
• how do I get a bearer token in the js app to call the api with?
h
No need for a bearer token, just call `toSession` in the SDK (Java / React) or make a REST request to `/sessions/whoami`. Make sure to include all the HTTP headers the client sends you when you do this server-side, the API needs in particular the `Cookie` header from the client to know what session the user has. You don't need to worry about any tokens, we do everything automatically for you 🙂
In Java
Since you have a CNAME, you won't really need the Proxy, but you can also try it with the proxy - up to preference
t
ah ok, now I get it, thanks! that's much simpler than I thought
h
Awesome 🙂 Let us know how it goes!
t
will do. so far I have to admit that I wasted about half an hour banging my head at the screen trying to understand why it doesn't work...... only to realize that cookies are https only 🙄
at this point I'm afraid to check if the docs had mentioned that 😆
other than that everything seems to be working fine!
h
ok awesome 🙂 is your app somewhere I can check it out? just curious 🙂
t
our dev environments aren't publicly accessible, so sadly no. though if we decide to switch to ory it will soon(tm) be on https://zezam.io
a follow-up question if I may: does the session cookie itself contain any data similar to a jwt? i.e. can I validate the session and get the equivalent of a `sub` claim out of the cookie, or would I need to call `/sessions/whoami` on every request to validate & get traits/metadata?
h
currently only with a call to `/sessions/whoami`. there's a couple of strategies one can use to reduce the calls, we still need to develop some libraries for it though
but we’re also working to get this latency down to 50ms P95
t
hmmmm ok I think that's potentially a blocker. the latency itself is a concern, but mostly, having a third party in all the critical paths isn't really acceptable
the solution would be to deploy hydra into our cluster, connect it to kratos from ory cloud and use hydra to issue oauth tokens?