# general
m
Hey Tony, you can solve that with OAuth2 now, and we are also working on a multi-domain feature that lets you configure multiple CNAMEs per project.
b
Hey Vincent, thank you! Do you have any rough estimate for that feature?
m
AFAIK it was merged today, but I will clarify when it is available to users. Should be soon.
👀 1
👍 1
f
@magnificent-energy-493 what product/repo would that feature be a part of?
m
This is a feature of Ory Network! You can configure CNAMEs through the UI. This is of course also possible when self-hosting Ory, but you need to write the glue code yourself. I don't think this will be open source, as it is very specific to how we built the Ory Network. I am looking however for input & help with self-hosting examples if that is something you are interested in.
f
Yes, we may be interested in that. We are self-hosting, and we need to support two different domains, so we opted to use Hydra instead of Kratos/Identity (also Kratos seemed to still be in alpha/beta at the time). But we are running into some issues with session management (related to https://www.ory.sh/docs/hydra/concepts/before-oauth2#access-and-refresh-tokens-arent-sessions).
b
Hello @magnificent-energy-493. Do you have any news regarding this feature?
1
Up
@magnificent-energy-493
m
Hey @broad-processor-55988, sorry, missed the last bump 😅 This is already rolled out and can be configured through Hydra, but not yet officially announced and documented. Should be done soon 🙏
👍 1
f
@magnificent-energy-493 is this possible to achieve if self-hosting Kratos and Hydra?
m
Yes, definitely, all the features in Ory Network are possible to replicate, but require work and knowledge of the domain. If you are just looking to host Ory services for a couple of domains yourself, I suggest deploying multiple instances of e.g. Kratos & Hydra. That is most likely the most sane option. See this document also: https://www.ory.sh/docs/kratos/guides/multi-tenancy-multitenant
f
Unfortunately we have two domains, but want to share the same identity provider across them.
e.g. if you log in on one domain, you should also be logged in on the other.
m
Hey @flat-flower-81031, you can do that with the Ory OAuth2 server Hydra (https://www.ory.sh/docs/hydra/), using it as identity provider for Ory Kratos for both domains.
🤔 1
f
So 2 instances of Kratos, both connected to the same Hydra. Let me think if that will work.
@magnificent-energy-493, with this approach, I suppose we lose a lot of the nice Kratos features such as 2FA, password reset, etc., since we are delegating sign in to Hydra. But I guess it should be possible to integrate another Kratos instance that Hydra then delegates to for the user management piece. Does that sound reasonable?
FYI @dry-photographer-75947
m
> with this approach, I suppose we lose a lot of the nice Kratos features such as 2FA, password reset, etc., since we are delegating sign in to Hydra

No, basically there is an integration of Hydra & Kratos available now. So you should be able to use Kratos features, as the login and other self-service flows are handled by Kratos and Hydra then federates the identity to different domains. This is not super easy, and unfortunately we don't have a great guide for it yet (but will have one somewhat soon!)
👀 2
f
Interesting. I will have to experiment a bit with Kratos to see what is possible. We are also going to take a look at Ory Network, since that may be much easier to implement.
m
With Ory Network managed UI you get this integration out of the box. I would also recommend it for testing or building a PoC, as it's basically feature parity with self-hosting, so it is helpful even if you decide later on that it's worth hosting your own.
👍 1