feat: support self-hosted ory envs #368
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 328b758c89
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
328b758 to 3d6ba32
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3d6ba32e49
Identity and OAuth2 admin checks ran independently and each accepted ORY_PROJECT_API_TOKEN, so a self-hosted env with a leftover PAT and only ORY_KRATOS_ADMIN_URL passed validation. At runtime getOryOAuth2Api() then fell back to the public ORY_SDK_URL, silently misrouting session revocations away from the self-hosted Hydra admin port. Replace both any-of checks with a single mode-coherence rule: any self-hosted admin URL requires both, otherwise require the project token. Addresses codex review on PR #368.
Today the dashboard's AUTH_PROVIDER=ory path assumes Ory Network: it requires ORY_PROJECT_API_TOKEN and points every admin call at ORY_SDK_URL (the unified SDK host). That makes local devenv and self-hosted deployments — where Kratos and Hydra are separate services on separate admin ports — impossible to configure.

This PR adds first-class support for self-hosted Ory by letting the IdentityApi and OAuth2Api clients each target an explicit admin base path, with the env check enforcing that one valid admin surface is configured per service.
Supported configurations
- ORY_PROJECT_API_TOKEN (covers both Kratos and Hydra admin via the unified SDK host)
- ORY_KRATOS_ADMIN_URL and ORY_HYDRA_ADMIN_URL (each gated by network reachability)
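The mode-coherence rule from the commit message above, written out next to the independent any-of checks it replaces. This is an added example, not code from the PR: the function names, the result shape and the sample values are assumptions, and only the environment variable names come from the page.

```typescript
// Added example (not the PR's code). Only the env variable names are from the page.
interface OryEnv {
  ORY_PROJECT_API_TOKEN?: string;
  ORY_KRATOS_ADMIN_URL?: string;
  ORY_HYDRA_ADMIN_URL?: string;
}

interface OryEnvResult {
  mode: "network" | "self-hosted" | "invalid";
  errors: string[];
}

// Treat unset, empty and whitespace-only values the same way.
function isSet(v: string | undefined): boolean {
  return v !== undefined && v.trim() !== "";
}

// Before: each service is validated on its own and each accepts the project token.
function anyOfCheck(env: OryEnv): boolean {
  const token = isSet(env.ORY_PROJECT_API_TOKEN);
  const identityOk = token || isSet(env.ORY_KRATOS_ADMIN_URL);
  const oauth2Ok = token || isSet(env.ORY_HYDRA_ADMIN_URL);
  return identityOk && oauth2Ok;
}

// After: any self-hosted admin URL requires both; otherwise require the project token.
function checkOryAdminEnv(env: OryEnv): OryEnvResult {
  const kratos = isSet(env.ORY_KRATOS_ADMIN_URL);
  const hydra = isSet(env.ORY_HYDRA_ADMIN_URL);
  if (kratos || hydra) {
    const errors: string[] = [];
    if (!kratos) errors.push("ORY_HYDRA_ADMIN_URL is set, so ORY_KRATOS_ADMIN_URL is required");
    if (!hydra) errors.push("ORY_KRATOS_ADMIN_URL is set, so ORY_HYDRA_ADMIN_URL is required");
    if (errors.length > 0) return { mode: "invalid", errors };
    return { mode: "self-hosted", errors };
  }
  if (isSet(env.ORY_PROJECT_API_TOKEN)) return { mode: "network", errors: [] };
  return { mode: "invalid", errors: ["ORY_PROJECT_API_TOKEN is required when no admin URL is set"] };
}

// Constructed sample: a self-hosted env with a leftover token and only the Kratos admin URL.
const LEFTOVER_TOKEN_ENV: OryEnv = {
  ORY_PROJECT_API_TOKEN: "constructed-token-value",
  ORY_KRATOS_ADMIN_URL: "http://kratos.internal.example:4434",
};
```

`anyOfCheck(LEFTOVER_TOKEN_ENV)` passes while `checkOryAdminEnv(LEFTOVER_TOKEN_ENV)` reports the missing Hydra admin URL, so the misconfiguration is rejected at validation time instead of surfacing as misrouted session revocations.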