# ory-network
f
I am not sure if I have a misconfiguration but I am having issues with the domain cookie. The root custom domain does work but the cookie is getting ignored for the sub domain request. I can see the session cookie get set and Chrome shows me it's getting filtered out because it does not match the domain or the subdomain but I have verified that the Domain of the cookie is the same as the root and the sub domain.
p
Hi @full-cat-61619 are you setting the cookie on the top level domain (tld)? e.g. example.com vs sub.example.com when the cookie is set for the tld it will also be set for any sub domains. by root custom domain do you mean auth.example.com? if you have an application on app.example.com or example.com then you need the cookie set on the tld example.com. also make sure that any ajax / fetch requests from the browser include the cookies with `withCredentials: true` / `credentials: include`
f
The cookie is set to the tld and that one is working (https://example.com/api/.ory/sessions/whoami works) but https://api.example.com/user does not set the cookie. On localhost everything with `withCredentials` is configured and working but does not work with Ory cloud
p
Do you have CORS enabled?
f
I believe so (not getting any CORS errors) and everything with the code works fine with the selfhosted version (even a tld) but the only difference is I have a "." in front of the tld
p
are you using the Ory proxy / tunnel? or are you adding a cname? cause you have Ory APIs linked to your TLD?
f
No proxy / tunnel. I added the cname for the custom domain and it's showing as active and CORS enabled under the console. I added cookie domain as the tld, enabled cors and added the origin to https://*.example.com
Is anything else required outside of the Custom Domains page to configure?
The middleware is all configured to use the custom domain I configured (id.example.com)
p
No nothing else is supposed to be configured. Only your api requests should have the `withCredentials: true` set and should use CORS when doing requests against the Ory apis from a browser.
so you have a frontend right now making a request to your backend which has a middleware pointing to ory? so e.g. app.example.com (frontend) -> api.example.com (your backend) -> id.example.com (ory api)
this should be all you need
f
I have the front-end running nextjs using the Ory SDK (the nextjs server calls Ory directly) and a separate system using c# api also with custom middleware to call Ory whoami directly using the custom subdomain id.example.com. The nextjs front-end call to the c# system I am just making a regular ajax call with withCredentials: true from the nextjs front-end
p
but is the nextjs project also using the ory integrations package? meaning it has the ory apis bound to the same domain? e.g. example.com/.ory/...
f
yes ORY_SDK_URL is the same in nextjs as is the c# system
p
ahh that's probably why it's not working
so you don't need the integrations package since you are using the cname setup. the ory integrations package is basically the ory proxy
point the sdk you have setup inside your nextjs project to id.example.com
f
the nextjs seems to be fine, it's configured to use the sub-domain set in the console, I can sign-up, login and call whoami with the sdk but once I call anything with an ajax call the cookie does not get set
p
if you copied the nextjs example from github you automatically use the ory/integrations package https://github.com/ory/kratos-selfservice-ui-react-nextjs/blob/master/pkg/sdk/index.ts
could you maybe share with me the sdk setup? (you can omit the domain)
f
the code in the link is exactly what I have
p
yes, so that sets up a built in proxy running on the same domain as your frontend
so you won't have any cookies set for your api.example.com domain
f
ok, so should I make an ajax call to id.example.com/session/whoami to set the cookie on the front-end?
p
it's basically proxying any setup you have done on the console and overwriting it to fit into your frontend domain
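you need to change how the sdk is created to something like
```ts
import { Configuration, V0alpha2Api } from "@ory/client"

// Talk to the Ory APIs on the CNAME directly instead of through the integrations proxy
export default new V0alpha2Api(new Configuration({
  basePath: process.env.ORY_SDK_URL,
  baseOptions: {
    // send the session cookie on cross-origin requests
    withCredentials: true,
  }
}))
```
where `ORY_SDK_URL` is your CNAME id.example.com and not use the integrations there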
f
ok interesting, I think I see what's going on now a little more. It's weird because it seemed like the browser was picking up the set-cookie but I should be able to make this change without much effort.
p
yeah basically what was happening is the proxy was rewriting the cookies set by our apis through nextjs (<your-nextjs-app>/.ory/...) would be the default proxy even though you would use the id.example.com as the ORY_SDK_URL. So the cookie is scoped to the frontend and nothing else. Your C# backend wouldn't then be able to get these cookies even though the console was setup correctly 🙂
f
I made this change and all request URLs go to https://playground.projects.oryapis.com/. I verified process.env.ORY_SDK_URL is getting set
p
yeah playground is the default url, i then doubt process.env has ORY_SDK_URL set. maybe try hard code it first just to test it
👍 1
h
What could we improve to avoid confusion about this? Is it documentation that needs fixing or more explanations?
f
I think adding a few line changes in the example project would have got my attention. If it could include an env bool for prod/dev. Design side, if you wanted to change it, you could make the proxy not the default, knowing as a developer you would configure it as a proxy to work with the cloud server. Also, in the documentation or readme you could be explicit and say for localhost or single domains use proxy, for production or sub domains do not use the proxy.
👍 1
TBH it's a really nice feature that I did not even realize I was using until I jumped on here to get it working in Kubernetes.