Hi guys. I have a quick question with regards SSO....
# talk-kratosa
adorable-byte-96872
04/07/2022, 10:08 AMHi guys. I have a quick question with regards SSO.
Do I need to use ory hydra or is there a way to stick with just kratos?
Scenario: I am building a ecom platform. when users register they get their own subdomain, and can point their own domain(s) to this subdomain.
They need to be able to log in across multiple domains with the same username/password.
We need to be able to track accounts across domains and not have a seperate account for every domain.
They should not need to redirect to our domain to be able to log in.
Is this possible with the ory eco system? Can I have a broad "how to" ?
d
damp-sunset-69236
04/07/2022, 10:19 AMHello. Could you please give a short example about your usecase using domain setup because it’s hard to follow that domain logic
damp-sunset-69236
04/07/2022, 10:20 AMFor instance you have deployed kratos somewhere like
Copy code
<http://kratos.example.com|kratos.example.com> Copy code
<http://auth.example.com|auth.example.com> Copy code
<http://someshop.example.com|someshop.example.com>damp-sunset-69236
04/07/2022, 10:20 AMI don’t understand the url to login users in your description. Should it be something like
Copy code
<http://someshop.example.com/login|someshop.example.com/login>?a
adorable-byte-96872
04/07/2022, 10:35 AMIt's exactly like shopify's setup (and pretty much all other ecom platforms).
You register your business and they automatically provision mybusiness.shopify.com. You then start designing your shop etc. At some point it's ready and you want to sell, but look professional so you want your own domain (possibly several for different sales channels). So you point mybusiness.com at mybusiness.shopify.com and that's the site you send customers to. the subdomain merely acts as a quickstart.
So customer A goes to mybusiness.com and see's some awesome product they want. They add to cart, and at checkout there's a "Have an account? Sign in here" button. This directs them to mybusiness.com/signin. We want the same customer to have a seamless experience across stores and have a "powered by xxx" link which explains all websites using our backend have a secure SSO which saves them time and means they dont need to remember a log in for every independent store they shop at
adorable-byte-96872
04/07/2022, 10:41 AMi am thinking to have all admin stuff on the subdomains using pure kratos (multi tenanted/instances)
users do the shop creation at mybusiness.shopify.com/admin and if they try to access mybusiness.com/admin it redirects them to the subdomain.
but for the customer sign in i cant see how to get it to work across domains without redirecting them away from the store
s
steep-lamp-91158
04/07/2022, 11:23 AM
It will hardly work out of the box to be immediately signed in on all domains, as multi-domain cookies are not really a common thing. There is an issue for that in Kratos: https://github.com/ory/kratos/issues/662
However, a setup where you do OIDC is possible with Hydra and Kratos, but there you have redirects, as with any other similar protocol (SAML, LDAP, ...)
steep-lamp-91158
04/07/2022, 11:25 AM
One other possibility would be that you use Ory Cloud and add all your customers domains as CNAMEs there, then the API works across all domains (but again, not the cookie)
28 Views