Should/can Kratos and Hydra be hosted on the same d...
# ory-selfhosting
c
Should/can Kratos and Hydra be hosted on the same domain?
t
They can, if you intend to use paths, e.g. http://mydomain.com/hydra & http://mydomain.com/kratos as an example. We did a similar approach when we were having CORS issues (which are fixed and use subdomains now instead).
c
@tall-angle-41306 thanks, can I just ask: what I can get from another reply is that I have to write some glue code to get them to work together?
t
It's quite minimal to be honest, are you setting up via helm, docker, or self-hosting the binary?
c
Helm 🙂
I have them both set up. I was originally thinking it would work by apps redirecting to Hydra, which redirects to the Kratos login endpoint and then back to Hydra, then back to the app, but it doesn't seem that way.
t
Yeah, pretty much spot on. This is a good working example if you've not seen it already (https://github.com/ory/kratos-selfservice-ui-node). We based our implementation on that.
c
Thanks 🙂
d
Hey. You can find Nginx configuration for Kratos and Hydra. You can host them under one domain without any issues, but you need to think about routing and configuration a little bit.
c
If you have 4 applications, do you write the glue code for 4 different apps as they all have different client ids or is the glue code itself a client and your other apps can use 1 glue code?
t
We have an internal service using the Kratos SDK that all the frontend apps talk to, each front-end app has their own Client ID
c
ok and does that internal service also have its own client ID? Or does the frontend app somehow tell the service which client ID to use?
t
The frontend app passes the client ID downstream
c
Ok, I can't imagine there are any examples out there of such an implementation?
t
It's not too dissimilar to that example repo I shared earlier, to be honest; that had a dummy frontend app as part of the example.
@square-eye-96545 might be able to share more insight too, he did the POC within our team
c
Ok sounds good 🙂
d
If you have 4 applications, do you write the glue code for 4 different apps as they all have different client ids or is the glue code itself a client and your other apps can use 1 glue code?
That depends on what you want to achieve. You can write the glue code only once and make it reusable. Hence, you need to import the app and expose required endpoints.
c
I was under the assumption I would have something like the following: app1.example.org, app2.example.org, app3.example.org, app4.example.org. They would all have their own client ID, and if the user isn't logged-in/authorized they would redirect to a single endpoint, accounts.example.org, that would then allow the user to login and would automatically consent for apps 1, 2 and 3. But we do have an external app, number 4, that would need the user to specifically consent. After the above is done the user is redirected back to the specific app they came from with the code, so they're able to obtain the access token and refresh token. How would this be done? Am I thinking about this wrong? Would you write glue code for each app distinctly?
All OAuth clients will only be created internally, so I would have metadata that would specify whether or not the app should be auto-consented.
b
@colossal-whale-56336 The example repo shared earlier (below) was developed with your use case in mind, which is the same as my use case. In the company I work for I created only one implementation combining Kratos and Hydra, hosted on accounts.example.org, with different apps on different domains such as http://app1.example.org http://app1.example.org, each with their own OAuth client ID and metadata.
This is the example repo I am talking about: https://github.com/atreya2011/go-kratos-test/tree/hydra
Since each app has its own client ID, they should also implement an OAuth client to talk to Hydra. Here is an example of that: https://github.com/atreya2011/next-auth-kratos-hydra-test
c
@bulky-architect-22083 are you able to offer a run through sometime this week, just so I can get my head around it all? Like I buy an hour of your time
b
I will get you the flow diagram that I made using UML. We can have a run through after you take a look at the UML first 🙏 Give me a few hours to post it here.
c
Thanks 🙂
b
Also seems like there is an 8hr time difference? Does early morning, like 7am your time, work for you? I am generally free only during that time 🙏
c
probably not tomorrow but Friday I could
b
Sounds good. I will share the UML before that.
@colossal-whale-56336 Here is the flow I am talking about
Please let me know if you are still on for Friday 7am (your time) 🙏
c
Will send a private DM 🙂