Hi, I have an issue related to OAuth2 authorization_code, developing locally with Ory Tunnel Here is my API instance

import { OAuth2Api } from "@ory/client";
import axiosFactory from "axios";

const axios = axiosFactory.create({
  withCredentials: true,
});

const oauth = new OAuth2Api(
  new Configuration({
    basePath: process.env.NEXT_PUBLIC_ORY_SDK_URL
    accessToken: process.env.ORY_API_KEY,
  }),
  "",
  axios
);

Then I setup Ory tunnel with

ory tunnel --dev --project <my_project_slug> <http://localhost:3000>

And set the env variable

NEXT_PUBLIC_ORY_SDK_URL=<http://localhost:4000>

Then when I use this

oauth

instance to access ory network, it will throw this error

error: {
      code: 401,
      status: 'Unauthorized',
      request: '4c5176ec-22b5-96fd-8b07-101af08359cc',
      message: 'Access credentials are invalid'
    }

But when I change the env var to

NEXT_PUBLIC_ORY_SDK_URL=<my_project_url>

The request will work. According to the Docs.

Only the

FrontendApi

needs to access the Ory Tunnel. Administrative APIs like

IdentityApi

can be accessed directly from your project slug, although they also work via the Ory Tunnel. (<https://www.ory.sh/docs/getting-started/local-development#local-development

|ref>)

It seems to have some bug here

// here is my ory cli version
❯ ory version
Version:    v0.2.1
Git Hash:   d1886fd9ec850e370c147a8ecb26f6e953943c9b
Build Time: 2023-01-07T17:43:52Z

_ This issue will further cause CSRF_TOKEN missing issue when develop locally with OAUTH2 authorization_code flow

What method/route are you trying to access?

Do you have this deployed somewhere so that we can reproduce?

Also, if you are using Next, the

@ory/integrations

package has the proxy/tunnel built-in.

@ory/integration

is hard to work with. I bump into this issue when try to social login with the nextjs example https://ory-community.slack.com/archives/C012RJ2MQ1H/p1673871819489039?thread_ts=1673846996.935599&amp;cid=C012RJ2MQ1H So I switch to implement my own logic that this comment suggested

Hey, sorry I forgot about this. We have our company planning this week. Next week I will have more time to look into it. How urgent is it?

@high-optician-2097 We plan to release our SaaS product using Ory Network in two weeks. I am currently relying on the Ory experience but we really want to have the UI with our design. Would you say that is possible that we can clean up this pace within this period of time together? Or it may take more? If the example ends up steady with these features • Authorization Code Flow login with the integration of Hydra and Kratos on Ory Network • Normal logout, recovery flow I will come up with a full steps setup example and a tutorial for the community.

Thank you for the information, we will do our best to solve it. I think the fix is probably not too hard

@high-optician-2097 When I set it to projects.oryapis.com URL the 401 issues indeed resolve (Access admin URL when we try to get ConsentRequest), but somehow it will later cause a CSRF Token issue at the acceptConsentRequest (Let me confirm this later~ I need to create a test project) And if I remember correctly, when developing at local, you actually can’t use projects.oryapis.com URL because the session cookie can’t be successfully set on localhost

🤔 so for all frontend apis you should probably use localhost, and for everything else that is e.g. administrative use the projects.oryapis.com domain

@high-optician-2097 I can record a video tomorrow, with the exact setup