
allow additional ranges of ips #1

Open
davidcarrera wants to merge 5 commits into master from allow-ip-ranges

@davidcarrera

We have the same situation that is described in this PR: ory/x#806

A customer is using range 198.18.0.0/16 for their K8s services, and kratos is therefore unable to access other services (perminator in our case).

The situation comes from the SSRF component used by kratos, which limits access to these IP ranges:
https://github.com/daenney/ssrf/blob/main/ssrf_gen.go#L49
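
The kind of allow-list override this PR asks for, as an added example that is not code from this PR, from kratos or from the daenney/ssrf library. The `Guard` type, `Check` method and the short deny list are hypothetical and constructed for illustration; 198.18.0.0/15 is the IANA benchmarking range (RFC 2544) that contains the customer's 198.18.0.0/16.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Constructed subset of a deny list for illustration; not the library's generated list.
var denied = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("198.18.0.0/15"), // IANA benchmarking range (RFC 2544)
}

var ErrDenied = errors.New("ssrf guard: destination denied")

// Guard is a hypothetical checker: Allowed prefixes are exempt from the deny list.
type Guard struct{ Allowed []netip.Prefix }

// Check takes the resolved "ip:port" a dialer is about to connect to, so a
// hostname that resolves into a denied range is still caught.
func (g Guard) Check(hostport string) error {
	ap, err := netip.ParseAddrPort(hostport)
	if err != nil {
		return fmt.Errorf("ssrf guard: %w", err)
	}
	addr := ap.Addr().Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	for _, p := range g.Allowed {
		if p.Contains(addr) {
			return nil
		}
	}
	for _, p := range denied {
		if p.Contains(addr) {
			return fmt.Errorf("%w: %s is in %s", ErrDenied, addr, p)
		}
	}
	return nil
}

func main() {
	strict := Guard{}
	relaxed := Guard{Allowed: []netip.Prefix{netip.MustParsePrefix("198.18.0.0/16")}}
	for _, dst := range []string{"198.18.4.20:8080", "198.19.0.1:8080", "127.0.0.1:8080"} {
		fmt.Printf("%-18s strict=%v relaxed=%v\n", dst, strict.Check(dst), relaxed.Check(dst))
	}
}
```

Allowing only the /16 actually in use keeps the other half of the /15 and every other special-purpose range denied, which limits how much of the SSRF protection the exception gives up.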

fenech force-pushed the allow-ip-ranges branch 2 times, most recently from df62234 to 2443a9f (November 30, 2025 11:50)

fenech (Collaborator) commented Nov 30, 2025

@davidcarrera I pushed registry.nearbycomputing.com/nearbyone/external/oryd/kratos:v25.4.1-oidc-ips which combines this change with my OIDC changes ory#3922

fenech (Collaborator) commented Jun 15, 2026

I rebased this onto current ory:master and resolved conflicts, but I haven't built an image yet.

fenech force-pushed the allow-ip-ranges branch from 97e10e1 to 0a984e2 (June 15, 2026 12:23)

fenech and others added 5 commits (June 15, 2026 14:39)

The login flow doesn't trigger a refresh of the identity when the OIDC
claims have changed. By passing the claims through to the web hook
context, this means that an external handler can be configured to
update the identity as appropriate, when there are changes.

fenech force-pushed the allow-ip-ranges branch from 0a984e2 to 267f50f (June 15, 2026 13:04)

fenech (Collaborator) commented Jun 18, 2026

Built image using make docker, tagged and pushed to v26.2.1-oidc-ips for use in NearbyOne Controller
