feedback for a problem on android application (web view with ory hydra and ory kratos) #935
fenix01 started this conversation in Show and tell
Replies: 1 comment
Thank you for this experience report, I think it will be very helpful to others! And congratulations on getting everything to work! :)
Hi!
I don't know if this is the right place for this discussion, but I want to share my experience with Ory Hydra and Ory Kratos over the last 6 months.
During this period, I faced a very hard bug that was complicated to find. It was due to a wrong architecture design and a wrong Ory Kratos configuration. That's why I want to share this experience: I think it could help others avoid this error.
My goal was to build an architecture based on OAuth2 to allow my users to consume various services (mobile application, web services, API, etc.). This way, I successfully created my own portal based on Ory Kratos for identity management (registration, password change, profile update, etc.), and I was able to serve OAuth2 tokens and ID tokens for identities stored in Kratos.
To simplify the architecture, Kratos, Hydra, and my portal were configured on 3 subdomains (like id1.myaccount.com, id2.myaccount.com, and portal.myaccount.com). At the time, it was easier for me to deploy these applications on 3 subdomains because I was using a reverse proxy to auto-configure HTTPS with Let's Encrypt.
With this configuration, I had to configure Kratos cookies with SameSite=None to allow Hydra to access the Kratos cookie.
This scenario was working correctly on modern web browsers (Firefox, Chromium, Vivaldi, etc.).
I started to face some problems when working on an Android application. I use an OAuth2 framework that launches a web view and gets back the OAuth2 token. It was working correctly on modern versions of Android (Android 10) but not on old versions like Android 7.
After a long investigation I figured out that it was a problem with the web view and Ory Kratos. When I authenticated myself, the cookie was not saved in the web view. I discovered later that there were some changes in how cookies were handled between versions 51 and 66 of Chrome.
For these versions, all cookies configured with SameSite=None are dropped.
To fix this problem, I changed my architecture to serve Kratos, Hydra, and my portal on a single domain, and the Kratos cookie is configured with SameSite=Strict.
Finally, for those who plan to work with a mobile application and the Ory stack, I recommend using only one domain to avoid all of these problems :)
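The failure mode in the post (a Chrome 51-66 WebView silently discarding any cookie that carries SameSite=None, so the cross-subdomain Kratos session never sticks) and the fix (one host, SameSite=Strict) can be made concrete in a few lines of Go. The following is an added example written for this page, not code from the post's author or from the Ory projects: it extracts the Chrome major version from a User-Agent, flags the 51-66 range, and builds the session cookie for both layouts, refusing to issue a SameSite=None cookie to a client that will throw it away. The cookie name, the two WebView user agents and the session value are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"strconv"
)

// Matches the "Chrome/NN." token present in desktop Chrome, Chromium and
// Android WebView user agents (the WebView additionally carries a "wv" token).
var chromeRe = regexp.MustCompile(`(?:Chrome|Chromium)/(\d+)\.`)

// chromeMajor returns the Chrome major version found in ua, or 0 if none.
func chromeMajor(ua string) int {
	m := chromeRe.FindStringSubmatch(ua)
	if m == nil {
		return 0
	}
	v, err := strconv.Atoi(m[1])
	if err != nil {
		return 0
	}
	return v
}

// dropsSameSiteNone reports whether the client runs one of the Chrome 51-66
// engines that reject a cookie carrying SameSite=None, which is the Android 7
// WebView behaviour the post ran into. Every other client is treated as
// compatible; this is a narrow check, not a full incompatible-client list.
func dropsSameSiteNone(ua string) bool {
	v := chromeMajor(ua)
	return v >= 51 && v <= 66
}

// sessionCookie builds the session cookie for the two layouts in the post.
// crossSubdomain=true is the original design (Kratos, Hydra and the portal on
// separate hosts), which forces SameSite=None; Secure. crossSubdomain=false is
// the single-host layout, where SameSite=Strict is enough. For a client that
// drops SameSite=None no attribute value works, so the function returns an
// error instead of setting a cookie the client will discard.
func sessionCookie(ua string, crossSubdomain bool) (*http.Cookie, error) {
	c := &http.Cookie{
		Name:     "ory_kratos_session", // assumed cookie name, for illustration
		Value:    "opaque-session-token", // constructed placeholder value
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	}
	if !crossSubdomain {
		return c, nil
	}
	if dropsSameSiteNone(ua) {
		return nil, errors.New("client drops SameSite=None cookies; serve Kratos, Hydra and the portal from one host")
	}
	c.SameSite = http.SameSiteNoneMode
	return c, nil
}

func main() {
	// Constructed user agents: an Android 7 WebView on Chrome 58 and an
	// Android 10 WebView on Chrome 83.
	uas := []string{
		"Mozilla/5.0 (Linux; Android 7.0; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36",
		"Mozilla/5.0 (Linux; Android 10; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36",
	}
	for _, ua := range uas {
		for _, cross := range []bool{true, false} {
			c, err := sessionCookie(ua, cross)
			if err != nil {
				fmt.Printf("Chrome %d, crossSubdomain=%v: %v\n", chromeMajor(ua), cross, err)
				continue
			}
			fmt.Printf("Chrome %d, crossSubdomain=%v: %s\n", chromeMajor(ua), cross, c.String())
		}
	}
}
```

Running it shows the Chrome 58 WebView only ever gets a usable cookie in the single-host layout, while the Chrome 83 WebView accepts both. User-Agent sniffing like this is a stopgap that only papers over the cross-subdomain design; the post's conclusion, one host with SameSite=Strict, removes the dependency on the client's SameSite handling altogether.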