ory proxy
ory proxy
Run your app and Ory on the same domain using a reverse proxy
Synopsis
The Ory Proxy allows your application and Ory to run on the same domain by acting as a reverse proxy. It forwards all traffic to your application, ensuring that features like cookies and CORS function correctly during local development.
The first argument, application-url
, points to the location of your application. The Ory Proxy will pass all traffic through to this URL.
Example usage:
$ ory proxy --project <project-id-or-slug> https://www.example.org
$ ORY_PROJECT=<project-id-or-slug> ory proxy proxy http://localhost:3000
Connecting to Ory
Before using the Ory Proxy, you need to have an Ory Network project. You can create a new project with the following command:
$ ory create project --name "Command Line Project"
Once your project is ready, pass the project’s slug to the proxy command:
$ ory proxy --project <project-id-or-slug> ...
Local development
For local development, use the --dev
flag to apply a relaxed security setting:
$ ory proxy --dev --project <project-id-or-slug> http://localhost:3000
The first argument, application-url
, points to your application's location. If running both the proxy and your app on the same host, this could be localhost
. All traffic sent to the Ory Proxy will be forwarded to this URL.
The second argument, publish-url
, is optional and only necessary for production scenarios. It specifies the public URL of your application (e.g., https://www.example.org
). If publish-url
is not set, it defaults to the host and port the proxy listens on.
Important: The Ory Proxy is intended for development use only and should not be used in production environments.
Connecting in automated environments
To connect the Ory Tunnel in automated environments, create a Project API Key for your project and set it as an environment variable:
$ %[2]s=<project-api-key> ory proxy tunnel ...
This will prevent the browser window from opening.
Running behind a gateway (development only)
If you are using the Ory Proxy behind a gateway during development, you must set the publish-url
argument:
$ ory proxy --project <project-id-or-slug> \
http://localhost:3000 \
https://gateway.local:5000
Note: You cannot set a path in the publish-url
.
Ports
By default, the proxy listens on port 4000. To change this, use the --port
flag:
$ ory proxy --port 8080 --project <project-id-or-slug> http://localhost:3000
Multiple domains
If the proxy runs on a subdomain and you want Ory’s cookies (e.g., session cookies) to be accessible across all your domains, use the --cookie-domain
flag to customize the cookie domain. Additionally, allow your subdomains in the CORS headers:
$ ory proxy --project <project-id-or-slug> \
--cookie-domain gateway.local \
--allowed-cors-origins https://www.gateway.local \
--allowed-cors-origins https://api.gateway.local \
http://127.0.0.1:3000 \
https://ory.gateway.local
Redirects
By default, all redirects will point to publish-url
. You can customize this behavior using the --default-redirect-url
flag:
$ ory proxy --project <project-id-or-slug> \
--default-redirect-url /welcome \
http://127.0.0.1:3000 \
https://ory.example.org
This ensures that all redirects (e.g., after login) go to /welcome
instead of /
, unless you’ve specified custom redirects in your Ory configuration or via the flow’s ?return_to=
query parameter.
JSON Web Token
When a request is not authenticated, the HTTP Authorization
header will be empty:
GET / HTTP/1.1
Host: localhost:3000
If the request is authenticated, a JSON Web Token (JWT) containing the Ory session will be sent in the HTTP Authorization
header:
GET / HTTP/1.1
Host: localhost:3000
Authorization: Bearer the-json-web-token
The JWT claims contain:
- The
sub
field, which is set to the Ory Identity ID. - The
session
field, which contains the full Ory Session.
The JWT is signed using the ES256 algorithm. You can fetch the public key by querying the /ory/jwks.json
endpoint, for example:
http://127.0.0.1:4000/.ory/jwks.json
An example JWT payload:
{
"id": "821f5a53-a0b3-41fa-9c62-764560fa4406",
"active": true,
"expires_at": "2021-02-25T09:25:37.929792Z",
"authenticated_at": "2021-02-24T09:25:37.931774Z",
"issued_at": "2021-02-24T09:25:37.929813Z",
"identity": {
"id": "18aafd3e-b00c-4b19-81c8-351e38705126",
"schema_id": "default",
"schema_url": "https://example.projects.oryapis.com/api/kratos/public/schemas/default",
"traits": {
"email": "foo@bar"
// ... other identity traits
}
}
}
ory proxy <application-url> [<publish-url>] [flags]
Examples
ory proxy http://localhost:3000 --dev
ory proxy http://localhost:3000 https://app.example.com \
--allowed-cors-origins https://www.example.org \
--allowed-cors-origins https://api.example.org \
--allowed-cors-origins https://www.another-app.com
Options
--additional-cors-headers strings A list of additional CORS headers to allow. Wildcards are allowed.
--allowed-cors-origins strings A list of allowed CORS origins. Wildcards are allowed.
-c, --config string Path to the Ory Network configuration file.
--cookie-domain string Set a dedicated cookie domain.
--debug Use this flag to debug, for example, CORS requests.
--default-redirect-url url Set the URL to redirect to per default after e.g. login or account creation.
--dev Use this flag when developing locally.
-h, --help help for proxy
--no-jwt Do not create a JWT from the Ory Session. Useful if you need fast start up times of the Ory Proxy.
--open Open the browser when the proxy starts.
--port int The port the proxy should listen on. (default 4000)
--project string The project to use, either project ID or a (partial) slug.
-q, --quiet Be quiet with output printing.
--rewrite-host Use this flag to rewrite the host header to the upstream host.
--workspace string The workspace to use, either workspace ID or a (partial) name.
-y, --yes Confirm all dialogs with yes.
SEE ALSO
- ory - The Ory CLI