Okay...can someone PLEASE explain to me what `SERV...
# talk-kratosn
numerous-energy-92403
01/25/2022, 3:31 AMOkay...can someone PLEASE explain to me what
SERVE_PUBLIC_BASE_URLp
proud-plumber-24205
01/25/2022, 2:52 PMit should be the external domain e.g. auth.example.com. It can also contain paths e.g. example.com/auth/
As the documentation says:
The URL where the endpoint is exposed at. This domain is used to generate redirects, form URLs, and more.ā¢ https://www.ory.sh/kratos/docs/reference/configuration/ Here is an example, you do a login redirect, the browser gets redirected back to whatever value you specified under
selfservice.flows.login.ui_url<http://auth.example.com/self-service/login?flow=af09e010-ea81-4597-9fd9-5012ec8aa278|auth.example.com/self-service/login?flow=af09e010-ea81-4597-9fd9-5012ec8aa278>serve.public.base_urlsession.cookie.domaindomain_aliasingš 1
n
numerous-energy-92403
01/25/2022, 2:56 PMI think the confusing thing, @User, is that all your examples use localhost or 127.0.0.1 and not actual real domains. Because of that an internal connection between services has the SAME URL as external URL's, so when figuring out what the settings should be, you get confused--and stay that way for a long time. I finally got stuff working with Kratos, but I am STILL confused about how to properly configure Oathkeepr and Kratos together for my app inside a cluster using domains. I have a
docker-composenumerous-energy-92403
01/25/2022, 3:09 PM@User, I will be writing an article on Medium, as I said, that outlines how to get the Ory stack rolling completely in production on a real system with DNS, Kubernetes, multiple services needing Oathkeeper protection and JWT's, etc. I almost have everything I need figured out. The last, and most important thing, is figuring out how to configure Oathkeeper to properly create JWT tokens given a session cookie in a request targeted at a resource. The next thing to figure out is how to update Oathkeeper configurations when an "ingress" is added (like Ingress controllers do). Right now, that would be a manual process in managing a cluster (probably need a custom controller or a sidecar for that).
numerous-energy-92403
01/26/2022, 11:37 AM@User, I finally got everything working exactly the way I need it..
p
proud-plumber-24205
01/26/2022, 5:03 PMAwesome @User!
Can't wait to read your medium post about it š
n
numerous-energy-92403
01/26/2022, 5:05 PMI will make sure to let you know when it is done! Perhaps a week...this is really important stuff! In the end, I was bitten by just a few configuration settings combined with an SSL certificate not validating to its root...
numerous-energy-92403
01/26/2022, 5:06 PMI ended up solving the situation by manually adding the certificate I was using (from Azure DNS...but valid for outside use--not internal) to the
ca_certificatesnumerous-energy-92403
01/26/2022, 5:09 PMUnderstanding how cookies are used and propagated in the request cycle is super important when configuring all this for production, and that fact is hard to capture in documentation...very easy to get confused about when an internal call can be used (to Kratos API) and when a cookie preserving call MUST be used, so Kratos and Oathkeeper have the data needed to generate JWT's, CSRF cookies, and session cookies.
m
magnificent-energy-493
01/27/2022, 8:40 AM
I agree Travis, and thanks a ton for your feedback and work š
We still have a lot of work to do on the documentation.
Please do let me know if I can help you in any way with the article, happy to review etc.
We will also repost it on our blog (with credit to you and a link to your project) if you like.
š 1
n
numerous-energy-92403
01/29/2022, 11:02 PM@User I have started work on the content this weekend. I think you will really like it, because it will reflect TWO different projects we actually have in production and be an end-to-end example.
ā¤ļø 1
m
magnificent-energy-493
01/31/2022, 8:30 AM
I love to hear that @User š
Ping me whenever!
16 Views