# talk-kratos
b
Hey all, I was wondering if I could get some clarification. I am trying to implement a user management system with Kratos. It has to be usable for various scenarios where a user should be able to log in with the same created account:
• Usable across all our subdomains, e.g., game1.mydomain.com, game2.mydomain.com, game3.mydomain.com etc. (there will be many and each of them will also have a mobile app store version)
• Usable also on the mobile app store versions that are the same as the browser apps but basically wrapped via frameworks such as Cordova
• Usable if the app was hosted by our third-party partners, so the URL might potentially be different, e.g., abc123.somepartner.com
Is using Kratos with Hydra the way to go to satisfy all these requirements, or do I basically have to have a new deployment for each of the scenarios? We want to self-host as well, which would most likely be via Kubernetes deployments. Am I right in thinking that I can use the browser-based flows via AJAX? Asking because from the docs, it was stated that API flows should not be used except for non-browser-based apps, but the flow diagram looks very similar between the API and AJAX methods.
s
Sounds about right, you would have Kratos for all the first-party domains and set the cookie on e.g. mydomain.com in a way that it would be accessible by all subdomains as well, and for third-party integrations you can use OIDC through Hydra.
🙏 1
b
Thanks a lot 🙏!
> and for third-party integrations you can use OIDC through Hydra
Does this mean logging in with our hosted Kratos deployment that is also used for the first-party domains through Hydra? Sorry if this is a stupid question, but I just wanted to get a clear picture as I don't usually get into the nitty-gritty bits of auth, so it's something rather new to me.
I am assuming I will have to use Hydra as well for the mobile app store version of the apps if I do not want to have a separate deployment of Kratos? Actually, maybe I am wrong and I can just make use of the API Flows directly, but even then is there a way to whitelist certain apps by their ID (e.g., com.something.app1 etc.) on the same deployment configuration?
Users will also have to be able to create an account on the mobile app version and on the third-party hosted version (if they don't have one), but I think this should be fine as we can probably go through the User Registration flow of Kratos via Hydra with some redirects as well, if I am right.
s
I recommend you have a read of https://www.ory.sh/hydra/docs/next/concepts/before-oauth2/; it should clarify at what point you need Hydra. Everything else should be solved through Kratos.
👍 1
b
Thanks, I have been reading the docs for both Hydra and Kratos but will look at it again, as I am currently in the process of getting a Kratos deployment up and running, so I've been looking at the quickstart stuff and also the kratos self-service repo with the outdated Hydra integration branch.