First, I’d like to thank you for this amazing open source project. I’m working on a personal project and was looking for a complete IAM solution. I was not satisfied by most products on the market because most of the time they are monolithic software based on Java. I’m very concerned about memory consumption, and can’t rely on solutions that require 2 GB of RAM to start up.
Right now, I have successfully deployed hydra, kratos, and kratos-selfservice-ui-node behind a reverse proxy on three subdomains. It works correctly with kratos-selfservice-ui-node on the hydra-integration branch. I compiled kratos from the master branch because I had to configure the domain for the cookie, and I had to add CORS headers for Kratos on my nginx proxy.
I started to implement the user interface as a single page application (Vue.js). In the documentation of Hydra, it is advised to implement the login, consent, and logout pages with a server-side application (like kratos-selfservice-ui-node with Express.js).
However, Kratos offers a public API for SPAs.
So, should I keep the login, consent, and logout pages in a server-side application and the other pages (registration, profile management) in my SPA? Today, most of my frontends are developed with Vue.js, so I would like to reduce the need for server-side pages.
What would be the best security design for this?
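The post mentions adding CORS headers for Kratos on an nginx proxy so that an SPA on another subdomain can call the Kratos public API with session cookies. The following is an added example, not the poster's configuration and not part of the Ory projects, showing the weak form of that setup next to a hardened one. The hostnames `app.example.com` and `kratos.example.com` and the upstream port 4433 are assumptions.

```nginx
# Added example (not from the original post): CORS on the nginx proxy in front of
# the Kratos public API. Assumed hostnames: SPA at https://app.example.com,
# Kratos public API at https://kratos.example.com, Kratos listening on 127.0.0.1:4433.

# WEAK: a wildcard origin. Browsers will not send cookies to a wildcard origin when
# credentials are in use, so people "fix" it by reflecting $http_origin unconditionally,
# which lets any website make credentialed requests to the identity API.
#
# server {
#     server_name kratos.example.com;
#     location / {
#         add_header Access-Control-Allow-Origin "*" always;          # or $http_origin
#         add_header Access-Control-Allow-Credentials "true" always;
#         proxy_pass http://127.0.0.1:4433;
#     }
# }

# HARDENED: exact-match allowlist of the SPA origin. $cors_origin is empty for any
# other Origin, and nginx drops add_header directives whose value is empty, so no
# CORS headers are emitted for unknown origins.
map $http_origin $cors_origin {
    default                   "";
    "https://app.example.com" $http_origin;
}

server {
    listen 443 ssl;
    server_name kratos.example.com;

    location / {
        add_header Access-Control-Allow-Origin      $cors_origin always;
        add_header Access-Control-Allow-Credentials "true" always;
        add_header Access-Control-Allow-Methods     "GET, POST, OPTIONS" always;
        add_header Access-Control-Allow-Headers     "Content-Type, Accept" always;
        # Caches must key the response on Origin, otherwise one origin's
        # response could be served to another.
        add_header Vary "Origin" always;

        # Answer preflight requests at the proxy without forwarding them to Kratos.
        if ($request_method = OPTIONS) {
            return 204;
        }

        proxy_pass http://127.0.0.1:4433;   # Kratos public API (assumed port)
        proxy_set_header Host $host;
    }
}
```

Kratos can also emit these headers itself through its `serve.public.cors` configuration (with `allowed_origins` and `allow_credentials`); whichever layer sets them, the allowlist should name exact origins rather than reflecting whatever the browser sends. Note that this only concerns the Kratos public API: the Hydra login and consent handlers accept challenges through the Hydra admin API, which must stay unreachable from the browser, which is the reason the documentation keeps those pages on the server side.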