Is your feature request related to a problem? Please describe.
Right now, the Ory Proxy has three main functions:
- Proxying an application and Ory's APIs on localhost environments;
- Proxying an application and Ory APIs on any domain;
- Proxying only Ory APIs.
For the first two use cases we use an Ory Oathkeeper-esque method of converting the Ory Kratos Session Cookie / Token to a JWT which contains the session information. Right now, this can be disabled with --no-jwt.
Additionally, there is an option which removes the HTTP Cookie Domain from the cookie. However, it is currently not possible to override the HTTP Cookie Domain!
Lastly we need to override:
- Location headers - these usually point to our application which might run on a different domain than the proxy if the 3rd option is used.
- HTTP Action Post URLs - these point to the proxy itself
- return_to - which should point to the application.
Describe the solution you'd like
Currently, the setup is a bit messy. It probably makes sense to split the proxy into two:
- Proxy the application to convert - like Ory Oathkeeper - the session into a JSON Web Token;
- Proxy Ory's APIs to deal with multi-domain setups (sort of like a bridge).
A possible proposal could thus look as such:
$ ory proxy <upstream/downstream>
$ ory bridge
Ory Proxy
The Ory Proxy could be very simplistic. Any incoming request is proxied to the upstream application, and depending on whether a session is included or not, we set a JWT or not. Possible configuration options could be:
- Loading the JWKs from a file or an env var;
- Setting up HTTPS with SSL for local environments;
As such, this can be very simple:
$ ory proxy http://localhost:1234/
$ JWKS_URL=http|base64|https|file://... ory proxy http://localhost:1234/
Ory Bridge
The purpose of this command is to build a bridge between one's own env and Ory. This is necessary because we need to set up cookies to make it all work and fit together. There are three application types that could be addressed by this:
As the last one (native) does not need any cookies, the Ory Bridge will only target SPA and Server-Side apps.
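
The cookie-domain and Location overrides requested above, sketched as an added example that is not part of the original issue and not Ory CLI code. The function name, its parameters and the sample hosts are hypothetical; it covers only Set-Cookie and Location, not form action URLs or return_to.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// rewriteResponse makes upstream response headers usable on the bridge's
// own origin. All names here are hypothetical, not Ory CLI code.
//   upstreamHost: host the upstream API uses in its redirects
//   public:       origin the browser actually talks to
//   cookieDomain: Domain to force on cookies ("" yields a host-only cookie)
func rewriteResponse(h http.Header, upstreamHost string, public *url.URL, cookieDomain string) error {
	// Parse each Set-Cookie line, override Domain, and re-serialize.
	// Lines that do not parse as cookies are dropped rather than forwarded.
	cookies := (&http.Response{Header: h}).Cookies()
	h.Del("Set-Cookie")
	for _, c := range cookies {
		c.Domain = cookieDomain
		h.Add("Set-Cookie", c.String())
	}
	// Rewrite Location only when it targets the upstream host; redirects to
	// any other host pass through untouched.
	loc := h.Get("Location")
	if loc == "" {
		return nil
	}
	u, err := url.Parse(loc)
	if err != nil {
		return fmt.Errorf("bad Location header: %w", err)
	}
	if u.Host == upstreamHost {
		u.Scheme, u.Host = public.Scheme, public.Host
		h.Set("Location", u.String())
	}
	return nil
}

func main() {
	// Constructed sample response headers.
	h := http.Header{}
	h.Add("Set-Cookie", "sess=abc; Path=/; Domain=upstream.example; HttpOnly")
	h.Set("Location", "https://upstream.example/ui/login?flow=1")
	public, _ := url.Parse("http://localhost:4000")
	if err := rewriteResponse(h, "upstream.example", public, ""); err != nil {
		panic(err)
	}
	fmt.Println(h.Values("Set-Cookie"), h.Get("Location"))
}
```

Forcing an empty Domain produces a host-only cookie, which is the narrowest scope; a non-empty override should be no broader than the application actually needs.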