Deploying to <domain>/hydra

Zohreh · November 10, 2020, 10:12pm

I am trying to setup Hydra in a k8s cluster where the top level domain is shared by several applications and each application gets traffic at a directory path, e.g.

Any traffic to https://domain.com/web-application gets redirected to the web-application pod

I have similarly setup Hydra issuer_url to include a ‘/hydra/’ postfix.
However, Hydra application doesn’t seem to be able to correctly separate this part from the path and therefore returns 404. e.g. curl https://domain.com/hydra/.well-known/openid-configuration returns 404/

From the logs:

host:domain.com method:GET path:/hydra/.well-known/openid-configuration query:<nil> ...] http_response=map[status:404 text_status:Not Found took:299.925µs]

when I ssh to the pod and run curl http://localhost:4444/.well-known/openid-configuration
I see the correct URLs being generated:

{
"issuer":"https://domain.com/hydra/",
"authorization_endpoint":"https://<domain>/hydra/oauth2/auth",
...
}```
 similar to the example results here: https://www.ory.sh/hydra/docs/reference/api#200-response-1


Is there a different config that needs to be set in addition to the `URLS_SELF_ISSUER` for this setup to work?

hackerman · November 11, 2020, 8:12am

You need to enable path stripping in your proxy/ingress!

Zohreh · November 11, 2020, 3:20pm

That’s a good suggestion for a workaround; unfortunately gke ingress doesn’t support url-rewrite at the moment but there are probably similar solutions that I can look into.

Does this mean that Hydra does not support path prefixes?

hackerman · November 11, 2020, 4:18pm

No Ory Hydra does not support that. We replaced GKE ingress with NGinx as it has also many other shortcomings, despite vocal community pushback.