studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ory): configure Kratos oauth2 provider, session cookie domain, and flows

Browse Source 
- Add oauth2_provider.url pointing to hydra-admin so login_challenge
  params are accepted (fixes People OIDC login flow)
- Scope session cookie to parent DOMAIN_SUFFIX so admin.* subdomains
  share the session (fixes redirect loop on kratos-admin-ui)
- Add allowed_return_urls for admin.*, enable recovery flow, add error
  and recovery ui_url entries
- Fix KRATOS_PUBLIC_URL port in login-ui deployment (4433 → 80)
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-03 11:31:00 +00:00
parent 6cc60c66ff
commit b19e553f54
2 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
base/ory/kratos-values.yaml
View File

@@ -20,13 +20,17 @@ kratos:
- https://people.DOMAIN_SUFFIX/ - https://people.DOMAIN_SUFFIX/
- https://src.DOMAIN_SUFFIX/ - https://src.DOMAIN_SUFFIX/
- https://find.DOMAIN_SUFFIX/ - https://find.DOMAIN_SUFFIX/
- https://admin.DOMAIN_SUFFIX/
flows: flows:
error:
ui_url: https://auth.DOMAIN_SUFFIX/error
login: login:
ui_url: https://auth.DOMAIN_SUFFIX/login ui_url: https://auth.DOMAIN_SUFFIX/login
registration: registration:
ui_url: https://auth.DOMAIN_SUFFIX/registration ui_url: https://auth.DOMAIN_SUFFIX/registration
enabled: true enabled: true
recovery: recovery:
enabled: true
ui_url: https://auth.DOMAIN_SUFFIX/recovery ui_url: https://auth.DOMAIN_SUFFIX/recovery
settings: settings:
ui_url: https://auth.DOMAIN_SUFFIX/settings ui_url: https://auth.DOMAIN_SUFFIX/settings
@@ -43,6 +47,16 @@ kratos:
from_address: no-reply@DOMAIN_SUFFIX from_address: no-reply@DOMAIN_SUFFIX
from_name: Sunbeam from_name: Sunbeam
oauth2_provider:
url: http://hydra-admin.ory.svc.cluster.local:4445
session:
cookie:
# Scope session cookie to parent domain so all subdomains (auth.*, admin.*, etc.)
# receive it. Without this Kratos scopes the cookie to auth.* only, causing
# redirect loops on admin.*.
domain: DOMAIN_SUFFIX
serve: serve:
public: public:
base_url: https://auth.DOMAIN_SUFFIX/kratos/ base_url: https://auth.DOMAIN_SUFFIX/kratos/

2
base/ory/login-ui-deployment.yaml
View File

@@ -22,7 +22,7 @@ spec:
protocol: TCP protocol: TCP
env: env:
- name: KRATOS_PUBLIC_URL - name: KRATOS_PUBLIC_URL
value: "http://kratos-public.ory.svc.cluster.local:4433" value: "http://kratos-public.ory.svc.cluster.local:80"
- name: KRATOS_BROWSER_URL - name: KRATOS_BROWSER_URL
value: "https://auth.DOMAIN_SUFFIX/kratos" value: "https://auth.DOMAIN_SUFFIX/kratos"
- name: HYDRA_ADMIN_URL - name: HYDRA_ADMIN_URL