# talk-kratos
n
Okay...can someone PLEASE explain to me what `SERVE_PUBLIC_BASE_URL` should be set to when you are using Oathkeeper and JWT and when you are using cookie without it? The most frustrating thing about working with Kratos is understanding when "public" actually means public to the world...or just means "public" API. That keeps biting me in the butt, and it needs to STOP! Can someone lay it out for me finally once and for all?
p
It should be the external domain, e.g. auth.example.com. It can also contain paths, e.g. example.com/auth/. As the documentation says:
"The URL where the endpoint is exposed at. This domain is used to generate redirects, form URLs, and more."
• https://www.ory.sh/kratos/docs/reference/configuration/
Here is an example: you do a login redirect, and the browser gets redirected back to whatever value you specified under `selfservice.flows.login.ui_url`. The user now fills in their details. You in the background have a form pointing to whatever Kratos is giving you (e.g. http://auth.example.com/self-service/login?flow=af09e010-ea81-4597-9fd9-5012ec8aa278); this is calculated by Kratos using the `serve.public.base_url`. Cookie domains are set using the `session.cookie.domain` config. This value can be overridden when using `domain_aliasing`: https://www.ory.sh/kratos/docs/guides/multi-domain-cookies Public also does mean public (to the world), meaning that it is safe to expose on your server. Is there something in the documentation that is making this confusing?
šŸ‘ 1
n
I think the confusing thing, @User, is that all your examples use localhost or 127.0.0.1 and not actual real domains. Because of that, an internal connection between services has the SAME URL as external URLs, so when figuring out what the settings should be, you get confused--and stay that way for a long time. I finally got stuff working with Kratos, but I am STILL confused about how to properly configure Oathkeeper and Kratos together for my app inside a cluster using domains. I have a `docker-compose` installation that has worked great, but I am unable to get mutators to actually activate and create JWT tokens under ANY condition inside Kubernetes. Is there a reference implementation of this being done by anybody anywhere?
@User, I will be writing an article on Medium, as I said, that outlines how to get the Ory stack rolling completely in production on a real system with DNS, Kubernetes, multiple services needing Oathkeeper protection and JWTs, etc. I almost have everything I need figured out. The last, and most important, thing is figuring out how to configure Oathkeeper to properly create JWT tokens given a session cookie in a request targeted at a resource. The next thing to figure out is how to update Oathkeeper configurations when an "ingress" is added (like Ingress controllers do). Right now, that would be a manual process in managing a cluster (probably need a custom controller or a sidecar for that).
@User, I finally got everything working exactly the way I need it.
p
Awesome @User! Can't wait to read your Medium post about it 🙂
n
I will make sure to let you know when it is done! Perhaps a week...this is really important stuff! In the end, I was bitten by just a few configuration settings combined with an SSL certificate not validating to its root...
I ended up solving the situation by manually adding the certificate I was using (from Azure DNS...but valid for outside use--not internal) to the `ca_certificates` file in a custom Alpine-based Docker image build for Kratos and Oathkeeper, so the calls could be made without resorting to insecure flags....
Understanding how cookies are used and propagated in the request cycle is super important when configuring all this for production, and that fact is hard to capture in documentation...it is very easy to get confused about when an internal call can be used (to the Kratos API) and when a cookie-preserving call MUST be used, so Kratos and Oathkeeper have the data needed to generate JWTs, CSRF cookies, and session cookies.
m
I agree, Travis, and thanks a ton for your feedback and work 🙏 We still have a lot of work to do on the documentation. Please do let me know if I can help you in any way with the article, happy to review etc. We will also repost it on our blog (with credit to you and a link to your project) if you like.
👍 1
n
@User I have started work on the content this weekend. I think you will really like it, because it will reflect TWO different projects we actually have in production and be an end-to-end example.
ā¤ļø 1
m
I love to hear that @User 🙌 Ping me whenever!