# talk-kratos
h
I have N web apps running on a platform that I don't manage that need to use my Identity Provider (implemented with Kratos), but they can't directly use it to login/register/etc. using browser self-service flows since they're NOT running in the same domain. Alternatives I came across:
• Using Hydra as OIDC provider that uses Kratos as Identity Provider, and connecting to my system using OIDC. This option is discarded since OIDC login/consent flows require redirecting to a domain under my management, and the platform where my web apps are running doesn't allow it.
• Using the API flow in the web apps to use Kratos, but that would open potential attack vectors according to the docs.
• Implementing a "Kratos proxy" service. This proxy will stand between the web apps and Kratos and it'll use the API flow to manage authentication with Kratos on behalf of the web apps.
My questions are:
• Does the 3rd alternative make sense?
• Would it also be vulnerable to the attack vectors mentioned in the docs?
The "Kratos proxy" will talk with Kratos using in-cluster communications (so that should cover most security concerns).
This would be an example of the login flow:
• Web App -- POST request including credentials --> "Kratos Proxy"
• "Kratos Proxy" -- Login API Flow --> Kratos
• (after completing the login flow)
• Kratos -- (session token) --> "Kratos Proxy"
• "Kratos Proxy" -- response to the original request forwarding the session token --> Web App
a
If I understand correctly, you don't need the API flow. It's sufficient to run Ory Proxy in front of Kratos and your web app.
h
Ory Proxy?
Do you refer to Oathkeeper or this?
a
h
But that would require running Ory Proxy in the platform I don't manage, right?
a
You can run Ory Proxy anywhere I guess, but you have to ensure your users connect to your web apps and Kratos through the proxy.
h
So.. would this be the flow?
• Web App (running on external platform) -- Login Browser Flow --> Ory Proxy (running on a platform managed by me)
• Communications between Ory Proxy and Kratos
• Ory Proxy -- (session token) --> Web App
a
Let's say you have control over the domain xyz.com (this will be the entry point for your users). On this domain you are running ory-proxy. Your users access your web app through the proxy. Your web app requests a login flow (through the proxy) against Kratos. On success Kratos will set the session cookie for the domain xyz.
h
I don't have control over the domain where the web apps are running (I just publish them on this platform):
• The web app is running at app1.external.com for final users
• My Kratos instance is running at auth.mydomain.com
I can't run ory proxy/tunnel like in the example below because I don't have control over `external.com`:
ory tunnel \
		--cookie-domain external.com \
		https://app1.external.com/ \
		https://auth.external.com
Would it be possible to run it like this?
ory tunnel \
		https://app1.external.com/ \
		https://proxy.mydomain.com
Hi @ambitious-solstice-89744, did you have a chance to take a look at my comments?
a
Hi @hundreds-train-83112, yes, but unfortunately I'm running out of ideas. The whole Ory stack is also new to me.
h
Thanks man! I appreciate your help
@damp-sunset-69236 do you know if what I'm trying to achieve is possible?
d
Ory Proxy and Ory Tunnel are for Ory Cloud instances.
But I like the idea of implementing a proxy. I'll answer your question tomorrow.
h
Are you sure Ory Cloud is needed? According to: https://www.ory.sh/docs/cli/ory-proxy
Before you start, you need a running Ory Cloud project or a self-hosted version of Ory Kratos, Ory Hydra...
So.. I did some tests today and I think that ory tunnel won't work:
• First, I set up my Kratos instance running at https://kratos.my.owned.domain
• Then, I created a tunnel using:
ory tunnel \
--sdk-url https://krato.my.owned.domain \
--cookie-domain external-platform.com \
https://external-platform.com \
https://tunnel.my.owned.domain
• Then I made the tunnel public at https://tunnel.my.owned.domain
• If I initialize the login flow addressing the tunnel:
curl -iH "Accept: application/json" "https://tunnel.my.owned.domain/self-service/login/browser?return_to=https://external-platform.com"
...
set-cookie: csrf_token_cb65a7d7a96218bec508e681e5a5a9471717b874b24ca09bea5be06fc0aa84c9=wAZhlznen6skLI/E+W8pm/PVVBEvVld8MroY1khh0qg=; Path=/; Domain=external-platform.com; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
As you can see, the domain in the cookie is "external-platform.com", but the browser doesn't store the cookie since it doesn't match the request domain.
d
I think Ory Proxy works better for that case.
h
But Ory Proxy must be run in front of the app, right?
d
Right. But let me check. I'm reading the source code right now.
h
This is the use case (with more detail): I develop a web videogame, and I'm publishing this game on a partner platform. This partner hosts the game and I don't have any control over that environment. I want my game to be able to use a Kratos instance that I manage in my own domain, but I have a few restrictions:
• Kratos and the game are running on different domains
• The game can't redirect the user anywhere nor use a pop-up window (so it's not possible to connect the game to Hydra as an OIDC provider that uses my Kratos as Identity Provider)
That's why I'm looking for something that allows the game to directly use Kratos (e.g. the API flow), but I don't want to introduce vulnerabilities that can be exploited to steal users' identities.
d
ory tunnel \
--sdk-url https://krato.my.owned.domain \
--cookie-domain external-platform.com \
https://external-platform.com \
https://tunnel.my.owned.domain
To make it work you need to request https://tunnel.external-platform.com
h
There's the problem: I don't control the external-platform.com domain
d
Okay. What URLs does the external platform expose?
Could you please describe the network architecture here a little bit?
h
For instance, the game "game-01" would be running at https://game-01.apps.external-platform.com (this is a browser game that can't open pop-up windows nor redirect users to other pages). Users of the game should have a form to log in using our authentication system. Our auth system has a Kratos instance running at https://krato.my.owned.domain. The challenge here is how to make that possible in a secure way.
d
What tools/technologies are used?
h
The game is a js/html app (assume everything's client side)
d
Okay. And how were the authentication flows implemented, since they're running on the external domain?
Is it possible to run a backend service on your platform?
h
Currently there's no authentication in these games. We want to introduce authentication using our auth system based on Kratos.
Is it possible to run a backend service on your platform?
On the external platform where the game's hosted: no. In the cluster where we have Kratos running: yes.