fix(ory): configure Kratos oauth2 provider, session cookie domain, and flows
- Add oauth2_provider.url pointing to hydra-admin so login_challenge params are accepted (fixes People OIDC login flow)
- Scope session cookie to parent DOMAIN_SUFFIX so admin.* subdomains share the session (fixes redirect loop on kratos-admin-ui)
- Add allowed_return_urls for admin.*, enable recovery flow, add error and recovery ui_url entries
- Fix KRATOS_PUBLIC_URL port in login-ui deployment (4433 → 80)
@@ -20,13 +20,17 @@ kratos:
|
||||
- https://people.DOMAIN_SUFFIX/
|
||||
- https://src.DOMAIN_SUFFIX/
|
||||
- https://find.DOMAIN_SUFFIX/
|
||||
- https://admin.DOMAIN_SUFFIX/
|
||||
flows:
|
||||
error:
|
||||
ui_url: https://auth.DOMAIN_SUFFIX/error
|
||||
login:
|
||||
ui_url: https://auth.DOMAIN_SUFFIX/login
|
||||
registration:
|
||||
ui_url: https://auth.DOMAIN_SUFFIX/registration
|
||||
enabled: true
|
||||
recovery:
|
||||
enabled: true
|
||||
ui_url: https://auth.DOMAIN_SUFFIX/recovery
|
||||
settings:
|
||||
ui_url: https://auth.DOMAIN_SUFFIX/settings
|
||||
@@ -43,6 +47,16 @@ kratos:
|
||||
from_address: no-reply@DOMAIN_SUFFIX
|
||||
from_name: Sunbeam
|
||||
|
||||
oauth2_provider:
|
||||
url: http://hydra-admin.ory.svc.cluster.local:4445
|
||||
|
||||
session:
|
||||
cookie:
|
||||
# Scope session cookie to parent domain so all subdomains (auth.*, admin.*, etc.)
|
||||
# receive it. Without this Kratos scopes the cookie to auth.* only, causing
|
||||
# redirect loops on admin.*.
|
||||
domain: DOMAIN_SUFFIX
|
||||
|
||||
serve:
|
||||
public:
|
||||
base_url: https://auth.DOMAIN_SUFFIX/kratos/
|
||||
|
||||
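Review bot: Setting `session.cookie.domain: DOMAIN_SUFFIX` makes the Kratos session cookie travel to every DOMAIN_SUFFIX subdomain, not only auth.* and admin.*, so the people.*, src.* and find.* applications listed in allowed_return_urls in the earlier hunk now sit inside the session trust boundary and a compromised one of them can present or overwrite the cookie for the others. The comment above `domain:` only records the redirect-loop motivation; I'd extend it with `# NOTE: every DOMAIN_SUFFIX subdomain can now present or overwrite this cookie; keep them all at the same trust level.` and confirm that `session.cookie.same_site` (outside this hunk) stays Lax or Strict. The new `oauth2_provider.url` reaches the Hydra admin API over plain http inside the cluster, an endpoint that is typically unauthenticated, so a comment stating that its reachability is limited by network policy rather than by Kratos would help the next reader. The recovery flow enabled in the earlier hunk also needs a recovery method (`selfservice.methods.code` or `link`) enabled elsewhere in this file, which the visible hunks do not show.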
@@ -22,7 +22,7 @@ spec:
|
||||
protocol: TCP
|
||||
env:
|
||||
- name: KRATOS_PUBLIC_URL
|
||||
value: "http://kratos-public.ory.svc.cluster.local:4433"
|
||||
value: "http://kratos-public.ory.svc.cluster.local:80"
|
||||
- name: KRATOS_BROWSER_URL
|
||||
value: "https://auth.DOMAIN_SUFFIX/kratos"
|
||||
- name: HYDRA_ADMIN_URL
|
||||
|
||||