# ory-network
v
Hello community, Is there any ETA on the Hydra-Kratos integration guide? I saw the demonstration video on the announcement channel, but I'm now just reading the pull requests Go/TS code for both Hydra, Kratos and Kratos-selfservice-ui to understand what's going on. Am I on the wrong track?
h
Hi @victorious-controller-5388 - the integration works out of the box on the Ory Network. In Ory Open Source it is not officially released yet and we have not yet written a guide
You can follow the guide at https://www.ory.sh/run-oauth2-server-open-source-api-security/ to get the integration working :)
v
Thank you. We're planning to not host anything (hail the Ory Network!) - except for a fork of the selfservice-ui, so if it works out of the box, that's great
h
Epic 🙂 Just note that the open source selfservice-ui itself also does not yet have the consent page that's needed
v
Yes, that is one of the reasons I had doubts! I saw the consent page missing in the code. Can I procure that anywhere, is it on a different branch perhaps?
It's not clear from the guide the redirect URI one should use; I've tried doing https://ORY-PROJECT-URL/ui/login, but it doesn't seem to work
h
Unfortunately not yet, it’s a bit of custom code for the cloud system 😞 But I can share with you the code if you need help
c
@high-optician-2097 I need to give @victorious-controller-5388 enough permissions to set up Ory Network for us, but I get no permissions options when I add him as a collaborator but apparently he's getting permissions issues (403s in the shell when creating an OAuth client). How do I fix this?
v
@high-optician-2097 Getting this when trying to implement the above example. CORS is enabled, but Ory Network won't let me save 127.0.0.1 as a valid domain
There's a very similar question 1 month ago, but w/o answer
h
Can you point me to the question?
Or create your own and link it here with as much detail as possible? 🙂
v
https://ory-community.slack.com/archives/C012RBW0F18/p1664366807684129 - this thread; though I believe the gentleman there used a self-hosted Hydra
My problem occurs exactly after running
ory perform authorization-code
exactly like in the tutorial
the error message is displayed in the console as well
h
Could you please create a discussion or issue on github.com/ory/network and provide as many details as possible? Slack is pretty hard for debugging. The best way is if I can follow the steps 1:1 and get the same result. Thank you!!
v
Thanks, will do
@victorious-controller-5388
this is more or less the route we have in cloud
v
@high-optician-2097 is it possible to have Kratos data (username, mail, etc.) in the userinfo endpoint ?
Or does that require a separate call (i.e. /whoami) at this moment ?
h
you mean when using openid connect?
v
Yes
h
so oidc via ory oauth2&openid + ory identity
yeah that is currently a limitation but we have it on the backlog to work on this
v
I managed to do the entire flow (OAuth -> Kratos -> OAuth -> Local app), using Miniorange's WP SSO plugin
h
the problem primarily is that the identity schema can be anything and it’s difficult to know which field is basically affected by the scope
epic!!!
v
It actually probes the idToken regardless of whether doing openid or not, but this is the extent of the info I'm getting
So I guess I'd have to hack the code to make a call to /whoami on Kratos
until then
h
ok, yes we definitely need to add the user data there. I'm bumping this in priority
for now it needs a workaround but we’ll get it done!
@fast-lunch-54279 you will be very interested - Titus managed to get wordpress ( https://plugins.miniorange.com/wordpress ) with ory oauth2 working, using a social sign in provider in the last step.
v
I didn't use a social sign in, I used (implicitly) Kratos
It's pretty cool, it's just missing a bit of final juice. Thanks for the help !
A minor unrelated issue is that I don't seem to be able to specify multiple --redirect-uri in Ory Hydra CLI (tried comma separated, square brackets and quotes JSON-style, etc.), I had to cURL directly for that
f
this is really interesting, did the miniorange plug in work out of the box for you?
v
It's a bit weird, it failed yesterday on a server farm I was testing on, but it worked today on a local WAMP server, of all things
That's the reason I moved to my local machine, to xDebug it out, but the thing that broke down originally worked, so I ended up with the problem of insufficient user data above (which is a far better problem to have!)
f
ah, that is great, thanks so much for sharing the experience!
h
A minor unrelated issue is that I don't seem to be able to specify multiple --redirect-uri in Ory Hydra CLI (tried comma separated, square brackets and quotes JSON-style, etc.), I had to cURL directly for that
Could you maybe create an issue in https://github.com/ory/cli - we’ll then get it resolved :)
v
@fast-lunch-54279 I don't think this can be ameliorated using the API at the moment. Kratos expects an ory_kratos_session 🥠 cookie, which is completely opaque at the moment from the perspective of a Hydra 2.0 consumer
Even if on the SSO 'hub' (in our case passport.tangible.one) the user has a Kratos cookie, we obviously can't grab it from a separate domain
@fast-lunch-54279 @high-optician-2097 any news on this (getting more info on /userinfo) ? We can't do SSO until we get some user data there
f
we definitely have this on our radar and are prioritizing it, but it'll take a bit longer to land in prod
c
Is that weeks? Months? Trying to gauge when we'll be able to launch since we obviously can't do SSO without being able to pass over account info. The ETA changes how we prioritize things quite a bit.
h
this week, a fix is already in review
c
@high-optician-2097 did this go live?
h
yes
v
@high-optician-2097 is it in the network code yet, though? I've just re-tested our WP + Miniorange + Ory Network setup, and I'm still getting minimal data from /userinfo. Do I have to spawn a new Hydra/oauth client? (It has been the case in the past, IIRC)
h
Hm, did you accept the email scope? You also need to have email verification enabled currently for this to work
The user does not need to be verified, but they need to have a record in the table that tracks verified emails
v
Hi @high-optician-2097 Sorry for the radio silence, we're swamped with other things ATM but I will return to our Ory integration ASAP
Thank you 🙏
s
What's the status on this? Is it possible to get the email of the user from the /userinfo endpoint? I'm trying in self-hosting, but I suppose this is not too far off from the hosted version?