From b19e553f5437b86702d89792fcd076e60f82a2fe Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Tue, 3 Mar 2026 11:31:00 +0000
Subject: [PATCH] fix(ory): configure Kratos oauth2 provider, session cookie domain, and flows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add oauth2_provider.url pointing to hydra-admin so login_challenge params are accepted (fixes People OIDC login flow)
- Scope session cookie to parent DOMAIN_SUFFIX so admin.* subdomains share the session (fixes redirect loop on kratos-admin-ui)
- Add allowed_return_urls for admin.*, enable recovery flow, add error and recovery ui_url entries
- Fix KRATOS_PUBLIC_URL port in login-ui deployment (4433 → 80)
---
 base/ory/kratos-values.yaml | 14 ++++++++++++++
 base/ory/login-ui-deployment.yaml | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/base/ory/kratos-values.yaml b/base/ory/kratos-values.yaml
index 0f911be..e3fc53b 100644
--- a/base/ory/kratos-values.yaml
+++ b/base/ory/kratos-values.yaml
@@ -20,13 +20,17 @@ kratos:
 - https://people.DOMAIN_SUFFIX/
 - https://src.DOMAIN_SUFFIX/
 - https://find.DOMAIN_SUFFIX/
+ - https://admin.DOMAIN_SUFFIX/
 flows:
+ error:
+ ui_url: https://auth.DOMAIN_SUFFIX/error
 login:
 ui_url: https://auth.DOMAIN_SUFFIX/login
 registration:
 ui_url: https://auth.DOMAIN_SUFFIX/registration
 enabled: true
 recovery:
+ enabled: true
 ui_url: https://auth.DOMAIN_SUFFIX/recovery
 settings:
 ui_url: https://auth.DOMAIN_SUFFIX/settings
@@ -43,6 +47,16 @@ kratos:
 from_address: no-reply@DOMAIN_SUFFIX
 from_name: Sunbeam
+ oauth2_provider:
 url: http://hydra-admin.ory.svc.cluster.local:4445
+ session:
 cookie:
 # Scope session cookie to parent domain so all subdomains (auth.*, admin.*, etc.)
 # receive it. Without this Kratos scopes the cookie to auth.* only, causing
 # redirect loops on admin.*.
 domain: DOMAIN_SUFFIX
 serve:
 public:
 base_url: https://auth.DOMAIN_SUFFIX/kratos/
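Review bot: Setting `session.cookie.domain: DOMAIN_SUFFIX` in the second hunk hands the Kratos session cookie to every host under the parent domain, not only auth.* and admin.*, so an XSS or a compromised service on any sibling subdomain (people.*, src.*, find.*, or anything deployed under DOMAIN_SUFFIX later) can read or replay the session, and any sibling can also plant a same-named cookie (cookie tossing) that Kratos will see first. That trade-off is acceptable only if everything under DOMAIN_SUFFIX is trusted at the level of the identity provider; the comment should say so rather than only describing the redirect loop, e.g. `# NOTE: every host under DOMAIN_SUFFIX now receives the session cookie; keep untrusted apps off this domain`, and the SameSite mode should be pinned explicitly under `cookie:` instead of relying on the default, e.g. `same_site: Lax  # Strict breaks the hydra login_challenge round-trip; never None`. Relatedly, `oauth2_provider.url` points at the Hydra admin API over plain in-cluster HTTP; that endpoint accepts and rejects login/consent challenges, so it presumably should be reachable from the Kratos pods only — worth confirming a NetworkPolicy or mesh mTLS already restricts port 4445.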
diff --git a/base/ory/login-ui-deployment.yaml b/base/ory/login-ui-deployment.yaml
index 5ca097e..edaac6c 100644
--- a/base/ory/login-ui-deployment.yaml
+++ b/base/ory/login-ui-deployment.yaml
@@ -22,7 +22,7 @@ spec:
 protocol: TCP
 env:
 - name: KRATOS_PUBLIC_URL
- value: "http://kratos-public.ory.svc.cluster.local:4433"
+ value: "http://kratos-public.ory.svc.cluster.local:80"
 - name: KRATOS_BROWSER_URL
 value: "https://auth.DOMAIN_SUFFIX/kratos"
 - name: HYDRA_ADMIN_URL