# Identity in Subdomain

This document is created to document all the changes needed to use an identity subdomain, such as `identity.alkem.io`, instead of a relative path in a domain, e.g. `alkem.io/identity`. This will enable us to store all relevant identity information in the same subdomain (hopefully). The thinking behind it is, if possible, to have the Alkemio session kept in `identity.alkem.io`, so it can be used by different `Innovation Spaces`.

## Current setup

Currently, we have a setup where the Alkemio Client has the following relative paths hardcoded:

- `identity/logout`
- `identity/registration`
- `identity/login`
- `identity/verify`
- `identity/required`
- `identity/sign_up`
- `identity/recovery`
- `identity/verify/reminder`
- `identity/ory/kratos/public/self-service/recovery/browser`
- `identity/required?returnUrl=${encodeURI(pathname)}`

Ory Kratos is configured to provide pretty much all those paths in the same domain as the application, e.g. `https://alkem.io/identity/logout`, as part of the Kratos configuration.

## The problem

The problem is that the paths on the client assume the dynamic Kratos UI is provided in the same domain as the application, which lets one client configuration work for all domains. Refactoring that logic to use a separate identity subdomain instead of a relative path renders this approach void, as the routing will need to be configured dynamically per environment and will need to be domain-based.

![](https://i.imgur.com/FXdj1c7.png)

![](https://i.imgur.com/HiVr5VX.png)

## Potential solutions

Potential solutions include:

- URL rewrite in Traefik that matches e.g. `identity-acc.alkem.io` and replaces it with `acc.alkem.io/identity`. That way we should have limited configuration changes.
  I have tried with [this](https://github.com/alkem-io/infrastructure-operations/blob/infra-ops-504-traefik/orchestration/k8s/overlays/acceptance/ory/10-replace-middleware.yml):

  ```yaml
  apiVersion: traefik.containo.us/v1alpha1
  kind: Middleware
  metadata:
    name: replace-identity
  spec:
    replacePathRegex:
      # Note: replacePathRegex is applied to the request path only
      # (see the Traefik notes further down).
      regex: ^https://identity-acc.alkem.io/(.*)$
      replacement: https://acc.alkem.io/identity/${1}
  ```

  Theoretically that should work:

  ![](https://i.imgur.com/NbMtx51.png)

  But it doesn't seem to be...

- URL rewrite in nginx: we have nginx serving requests on the Alkemio client; that might be an alternative route to be explored.
- Extending the client, developing a small domain-based routing component, picking up the domain from the GraphQL configuration and dynamically building the Kratos endpoints. Altering all necessary configuration in the `kratos.yml` and `oathkeeper.yml` files and the ingress routes.

###### tags: `Identity`, `Kratos`, `Domain`

## Traefik notes

- `replacePathRegex` can only affect the path part of the URL, even if it can match on the domain.

## Requirements

Branding / visuals and description per innovation space.

NOTE: avoid touching the client paths.

NOTE: every request has an associated innovation space.

- `demo.alkem.io` ==> DEMO innovation space, which can have unlimited Hubs in there
- `demo.alkem.io/hub1` ==> `demo.alkem.io/hub1`

Innovation Space = subset of the main platform that operates the same but has content adjusted / displayed differently.

It is sufficient near term that all Innovation Spaces make use of Alkemio subdomains, i.e. `xxx.alkem.io`.

Routing is not to be aware of every innovation space that is created. Match on `*.alkem.io`.

## Client

The client will need to be aware of which innovation space is operational. Get the information from the server.

## Domain model

- subdomain
- selectionCriteria:
  - visibility
  - list of Hubs
  - geographical

## Functional Requirements

Innovation Space Lite ==> map to a single Hub, e.g. UWV, `alkem.io/uwv` currently.
`https://uwv.alkem.io/uwv` if in an innovation space; `https://uwv.alkem.io` ==> `https://uwv.alkem.io/uwv`.

## Open Issues

- Kratos

## Steps in the flow

`demo.alkem.io` ==> login ==> `demo.alkem.io/identity/login`

How does Kratos pick up the domain? Kratos has to be willing to give the cookie. Does the response just go back out?

Cookie has a domain!!

- Subdomains should work, but it is not yet working for us; i.e. is `xxx.alkem.io` ok?

`identity.alkem.io` ==> Kratos. How does this tie up to Oathkeeper? How do redirects work from Kratos?

Open question: emails related to Kratos.

Note: if we want to have cookies tied to the domain, then we also need to modify access to our non-prod environments, i.e. `acc.alkem.io` ==> `alkem-acc.io`.

## Other notes

- part of open source versus commercial offering?

## Useful resources

- https://github.com/ory/kratos/discussions/1907
- https://www.ory.sh/docs/kratos/guides/multi-domain-cookies
- https://github.com/ory/kratos/issues/662
- https://github.com/ory/kratos/discussions/2976
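The Traefik middleware tried under "Potential solutions" can never match, because, as the Traefik notes say, `replacePathRegex` only ever sees the path. As an added example (not code from the alkem-io infrastructure repository), the following manifests put the host match in the IngressRoute rule and keep the middleware regex path-only; the middleware and route names, the `websecure` entry point and the `alkemio-client` service name are assumptions.

```yaml
# Added example, not from the alkem-io infrastructure repository.
# Host matching lives in the IngressRoute rule; the middleware rewrites the path only.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prefix-identity          # assumed name
spec:
  replacePathRegex:
    # The regex is matched against the request path only, so it must not
    # contain the scheme or host. "/login" becomes "/identity/login".
    # The optional non-capturing group keeps a path that already starts
    # with /identity/ from being prefixed twice.
    regex: ^/(?:identity/)?(.*)$
    replacement: /identity/$1
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: identity-acc             # assumed name
spec:
  entryPoints:
    - websecure                  # assumed entry point name
  routes:
    # The domain is matched here, not inside the middleware regex.
    - match: Host(`identity-acc.alkem.io`)
      kind: Rule
      middlewares:
        - name: prefix-identity
      services:
        - name: alkemio-client   # assumed backend service name
          port: 80
```

Traefik keeps the pre-rewrite path in the `X-Replaced-Path` request header, which makes it easy to confirm in backend logs that the rewrite fired. The rewrite changes only the path: the backend still receives `Host: identity-acc.alkem.io`, and the browser still attributes any `Set-Cookie` in the response to that host, so cookie scope has to be solved in the Kratos configuration rather than in Traefik.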
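The "Cookie has a domain!!" remark and the note about non-prod access both come down to the cookie domain Kratos sets. As an added example (not the project's own `kratos.yml`), the following fragment shows the host-only default beside a cookie scoped to `alkem.io`; the keys used (`cookies.domain`, `session.cookie.domain`, `selfservice.allowed_return_urls`) are Ory Kratos configuration keys and should be checked against the installed Kratos version's schema, the URLs are taken from this note, and the rest of the Kratos file is omitted.

```yaml
# Added example, not the project's kratos.yml. Only cookie- and redirect-related
# keys are shown; the remainder of the Kratos configuration is omitted.

# Weak setting (the default when no domain is configured): the session and CSRF
# cookies are host-only, so a session issued by identity.alkem.io is never sent
# with requests to demo.alkem.io or uwv.alkem.io, and the login appears to fail.
#
# cookies: {}
# session:
#   cookie: {}

# Corrected setting: scope the cookies to the registrable domain so that every
# *.alkem.io innovation space receives them.
serve:
  public:
    base_url: https://identity.alkem.io/
cookies:
  domain: alkem.io          # CSRF cookies shared across alkem.io subdomains
  same_site: Lax            # subdomain-to-subdomain navigation is same-site
session:
  cookie:
    domain: alkem.io        # session cookie shared across alkem.io subdomains
    same_site: Lax
    persistent: true
selfservice:
  default_browser_return_url: https://alkem.io/
  # Kratos only follows return-to URLs that appear in this list, which keeps the
  # ?returnUrl= redirect used by the client paths confined to known hosts.
  # Each innovation space host used here is listed explicitly.
  allowed_return_urls:
    - https://alkem.io/
    - https://demo.alkem.io/
    - https://uwv.alkem.io/
```

A cookie with `Domain=alkem.io` is sent to every `*.alkem.io` host, `acc.alkem.io` included, so a production session and an acceptance session would land in the same cookie jar and overwrite each other. That is exactly the reason behind the note above about moving non-prod environments to a separate registrable domain such as `alkem-acc.io`.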