canonical / oathkeeper-operator

Charmed Ory Oathkeeper
https://charmhub.io/oathkeeper
Apache License 2.0

Kratos redirect through HTTPS #49

Open nsklikas opened 9 months ago

nsklikas commented 9 months ago

Bug Description

Oathkeeper has 2 different interactions with Kratos: 1) when it calls the sessions endpoint to check the validity of the user's cookie; 2) when it redirects the user to Kratos to authenticate.

In (1) it does not matter whether the request is done through HTTP or HTTPS (it should be over HTTPS after we have completed the end-to-end TLS story). In (2) the redirect needs to be over HTTPS, because the browser needs to set the Kratos secure cookies.

Currently both actions use HTTP. This means that to make it work, Kratos needs to run using the dev flag.

IMHO we should make the second call using the HTTPS ingress port and the first call using plain HTTP, until the end-to-end TLS is implemented.
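What the proposed split looks like as an Oathkeeper configuration (an added illustration, not code from the issue or from the charm): the `cookie_session` authenticator checks the session against Kratos over plain HTTP, while the `redirect` error handler sends the browser to the HTTPS ingress so Kratos can set its secure cookies. The hostnames, ports and the `ory_kratos_session` cookie name are assumed placeholders.

```yaml
# Added example config, not from the oathkeeper-operator charm.
# Hostnames/ports below are assumed placeholders.
authenticators:
  cookie_session:
    enabled: true
    config:
      # Interaction (1): server-to-server session check.
      # Plain HTTP on the in-cluster address is acceptable until
      # end-to-end TLS lands; no browser cookie is set on this hop.
      check_session_url: http://kratos.internal:4433/sessions/whoami
      preserve_path: true
      only:
        - ory_kratos_session
      subject_from: identity.id
      extra_from: "@this"

errors:
  handlers:
    redirect:
      enabled: true
      config:
        # Interaction (2): browser redirect to the login flow.
        # Must be the HTTPS ingress: with a plain
        #   to: http://kratos.example.com/self-service/login/browser
        # the browser refuses to store the Secure session cookie
        # and Kratos only works with the dev flag.
        to: https://kratos.example.com/self-service/login/browser
        return_to_query_param: return_to
        when:
          - error:
              - unauthorized
```

The two URLs are set independently, so the session check can be moved to HTTPS later without touching the redirect target.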