SSO for multi-domain project

[ditschedev]

Hey there, first of all thanks a lot for your implementations. I was searching for a headless IDP for a long, long time..
I may be somewhat inexperienced when it comes to authentication so I just want to ask for support.

What we want to build is an ecosystem comparable to the one from atlassian (which are using auth0 I think). We are planning on using Ory Kratos as our IDP and a self service UI running on id.domain.tld. This will be our SSO login for all other services we build which may, or may not be subdomains of our original domain.tld.

I read in #662 that this is currently not possible, so I want to ask you:

1. Is Kratos able to handle this without the need of Hydra. Cause I need JWTs for all those applications I think its stupid to send a global one to all the services.
2. What would be needed to implement the SSO logic? Will the UI Service be handling redirects?

Thanks in advance for your time and effort!
Cheers.

[aeneasr]

Hey there, glad you like Ory Kratos! :)

So currently cross-domain is simply not possible for browser flows. What I wanted to do was to take the YouTube approach to cross-domain SSO but keep in mind that for every domain you add you also add a redirect. If you have thousands of TLDs you will go through thousands of redirects.

The redirect can not be removed! It is required in order for the cookies to be set.

If we talk about implementation, I think the first step would be to analyze and understand how YouTube achieves it (not in Chrome but e.g. Firefox!) or see if there is research on this topic. Then make a plan and implement it :)

[dm17]

Has anything changed with regards to this? Can we manage SSO between several domain names on the same Ory instance? If each domain needs its own Ory instance, then that doesn't seem like seamless SSO - unless I'm missing something. Thanks!

[vinckr]

Hey @ditschedev
The Ory Kratos and Ory Hydra integration just landed with Hydra 2.0,
see the release notes for more details!
That should help solve this.

[ditschedev]

@vinckr
Thanks for the update!
Though I am missing the quick start in the release notes stated here: #273 (comment)

Am I missing something?