# ory-selfhosting
Hello! I am currently trying to set up Kratos as the IdP for Hydra and even though no real documentation was provided until now, I managed to get the basic functionality working. I built Kratos directly from the main branch in order to use the `oauth2_provider.url` configuration value to set the Hydra admin API address. I can log in at the target service (Mastodon in my case) and after about 6-7 hours of reading PRs and commits that already feels like a huge success to me. Now I am stuck trying to forward my identity's claims to Mastodon. Basically I want `claims.email` and `claims.username` to be included in the OIDC ID token issued by Hydra. How do I achieve that?
Update: I think I figured it out. I need to set these values in the consent flow approval request made by the consent UI. This makes sense and gives me the idea of implementing this for the Node.js self-service UI, using another schema extension like this:

```json
{
  "email": {
    "type": "string",
    "format": "email",
    "ory.sh/kratos": {},
    "ory.sh/hydra": {
      "id_token": {
        "scope": "email",
        "path": "email"
      }
    }
  }
}
```
Update 2: To anyone who may come across the same question: I implemented a service that has this functionality. It propagates Kratos identity traits to the ID and/or session token(s) issued by Hydra based on definitions made in the identity schema. It does not yet implement a user-facing UI to manually approve requested scopes, but that is a to-do for the future. However, I think it is a perfect fit for SSO-only environments that only issue OAuth2 clients to internal services. If you want to use it, it is open source at https://github.com/lus/hydra-consent. (If I am not allowed to send this here, I am sorry and I will delete the message)
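A worked version of the mapping described in the updates above, added here as an example; it is not code from the original post or from the hydra-consent project. The `ory.sh/hydra` extension block is the one sketched in the schema above; the identity schema, the identity traits, the allowed-scope list and the Hydra 1.x admin endpoint path are constructed assumptions. The point to keep in mind is that a trait only leaves the IdP when the client requested its scope, the consent granted it, and the schema explicitly maps it.

```javascript
// Constructed Kratos identity schema (example data, not from the post).
// Each trait may carry an "ory.sh/hydra" block naming the OIDC scope that
// unlocks it and the ID-token claim it should be copied into.
const identitySchema = {
  type: "object",
  properties: {
    traits: {
      type: "object",
      properties: {
        email: {
          type: "string", format: "email",
          "ory.sh/kratos": { credentials: { password: { identifier: true } } },
          "ory.sh/hydra": { id_token: { scope: "email", path: "email" } },
        },
        username: {
          type: "string",
          "ory.sh/hydra": { id_token: { scope: "profile", path: "preferred_username" } },
        },
        name: {
          type: "object",
          properties: {
            first: { type: "string",
                     "ory.sh/hydra": { id_token: { scope: "profile", path: "given_name" } } },
          },
        },
        phone: { type: "string" }, // no extension: never exported, whatever the scopes
      },
    },
  },
};

// Walk schema and trait values side by side. A trait is copied into the claims map
// only if it carries an id_token mapping AND its scope is among the granted scopes.
function collectIdTokenClaims(schemaNode, value, grantedScopes, claims = {}) {
  for (const [name, sub] of Object.entries(schemaNode.properties || {})) {
    if (value === null || typeof value !== "object" || !(name in value)) continue;
    const mapping = sub["ory.sh/hydra"]?.id_token;
    if (mapping && grantedScopes.includes(mapping.scope)) claims[mapping.path] = value[name];
    if (sub.type === "object") collectIdTokenClaims(sub, value[name], grantedScopes, claims);
  }
  return claims;
}

// Body for Hydra's consent-accept admin call (assumed Hydra 1.x path:
// PUT /oauth2/auth/requests/consent/accept?consent_challenge=...).
// Only scopes the client requested AND this consent service allows are granted.
function buildAcceptConsentBody(identity, requestedScopes, allowedScopes) {
  const grantScope = requestedScopes.filter((s) => allowedScopes.includes(s));
  const idToken = collectIdTokenClaims(identitySchema, { traits: identity.traits }, grantScope);
  return { grant_scope: grantScope, remember: false, session: { id_token: idToken } };
}
```

`requestedScopes` is what the consent UI reads from Hydra's pending consent request; the returned object is what it sends back when accepting it.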