Kratos is unable to contact NAT64 addresses even when clients.http.disallow_private_ip_ranges is false #4142

Open
3 of 5 tasks
tesinormed opened this issue Oct 4, 2024 · 0 comments
Labels
bug Something is not working.

Preflight checklist

Ory Network Project

No response

Describe the bug

GitHub or Discord, both IPv4-only websites, do not work with Kratos when it is in an IPv6-only network and NAT64 is deployed.

Reproducing the bug

  1. Set up Kratos in an IPv6-only network (no IPv4 address assigned)
  2. Add a selfservice.methods.oidc.providers configuration with a service that is IPv4-only (like GitHub or Discord)
  3. Try to log in / sign up using that service

Relevant log output

time=2024-10-04T02:33:21Z level=info msg=Encountered self-service login error. audience=audit error=map[message:Post "https://github.com/login/oauth/access_token": dial tcp [64:ff9b::8c52:7403]:443: prohibited IP address: 64:ff9b::8c52:7403 is not a permitted destination as it's outside of the IPv6 Global Unicast range] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 accept-encoding:gzip, deflate, br, zstd accept-language:en-US,en;q=0.5 cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". dnt:1 priority:u=0, i referer:https://iam.5505.industries/ sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 sec-gpc:1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0 x-forwarded-for:2600:8802:d05:fc01:2e98:11ff:fe3d:4775 x-forwarded-host:api.iam.5505.industries x-forwarded-port:443 x-forwarded-proto:https x-forwarded-server:0.ingress.5505.industries x-real-ip:2600:8802:d05:fc01:2e98:11ff:fe3d:4775] host:api.iam.5505.industries method:GET path:/self-service/methods/oidc/callback/github query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:[fd23:1591:fdfc:940b::2]:58564 scheme:http] login_flow=map[active:oidc id:7c48906a-a6a0-46ab-a030-fe42b4a98a8b nid:f0b8cd2a-731e-428a-809c-77c2876cbeb5 refresh:false request_url:https://api.iam.5505.industries/self-service/login/browser?aal=&refresh=&return_to=&organization=&via= requested_aal:aal1 return_to: state:choose_method type:browser] service_name=Ory Kratos service_version=v1.3.0

Relevant configuration

clients:
  http:
    disallow_private_ip_ranges: false

selfservice:
  methods:
    oidc:
      enabled: true
      config:
        providers:
          - id: 'github'
            provider: github
            label: 'GitHub'
            client_id: 'REDACTED'
            client_secret: 'REDACTED'
            mapper_url: 'base64://bG9jYWwgY2xhaW1zID0gewogIGVtYWlsX3ZlcmlmaWVkOiBmYWxzZSwKfSArIHN0ZC5leHRWYXIoJ2NsYWltcycpOwp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICAvLyBBbGxvd2luZyB1bnZlcmlmaWVkIGVtYWlsIGFkZHJlc3NlcyBlbmFibGVzIGFjY291bnQKICAgICAgLy8gZW51bWVyYXRpb24gYXR0YWNrcywgZXNwZWNpYWxseSBpZiB0aGUgdmFsdWUgaXMgdXNlZCBmb3IKICAgICAgLy8gZS5nLiB2ZXJpZmljYXRpb24gb3IgYXMgYSBwYXNzd29yZCBsb2dpbiBpZGVudGlmaWVyLgogICAgICAvLwogICAgICAvLyBUaGVyZWZvcmUgd2Ugb25seSByZXR1cm4gdGhlIGVtYWlsIGlmIGl0IChhKSBleGlzdHMgYW5kIChiKSBpcyBtYXJrZWQgdmVyaWZpZWQKICAgICAgLy8gYnkgR2l0SHViLgogICAgICBbaWYgJ2VtYWlsJyBpbiBjbGFpbXMgJiYgY2xhaW1zLmVtYWlsX3ZlcmlmaWVkIHRoZW4gJ2VtYWlsJyBlbHNlIG51bGxdOiBjbGFpbXMuZW1haWwsCiAgICB9LAogIH0sCn0K'
            scope:
              - read:user
              - read:email

Version

1.3.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response

@tesinormed tesinormed added the bug Something is not working. label Oct 4, 2024
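
The destination rejected in the log, 64:ff9b::8c52:7403, lies in the NAT64 well-known prefix 64:ff9b::/96 (RFC 6052), which is outside 2000::/3. The Go sketch below is an added example, not Kratos code or part of the original report: it shows a destination check that, when NAT64 is opted in, decodes the embedded IPv4 address and applies the IPv4 policy to it, so translated private or loopback targets stay blocked. The names `checkDestination` and `allowNAT64`, the simplified IPv4 policy, and the sample addresses other than the one from the log are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
)

var (
	globalUnicast = netip.MustParsePrefix("2000::/3")     // range named in the log message
	nat64WKP      = netip.MustParsePrefix("64:ff9b::/96") // RFC 6052 well-known prefix
)

// embeddedIPv4 extracts the IPv4 address carried in the low 32 bits of a
// well-known-prefix NAT64 address.
func embeddedIPv4(a netip.Addr) (netip.Addr, bool) {
	if !nat64WKP.Contains(a) {
		return netip.Addr{}, false
	}
	b := a.As16()
	return netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]}), true
}

// publicIPv4 is a simplified policy (assumption): it rejects unspecified,
// loopback, link-local, multicast, broadcast and RFC 1918 addresses.
func publicIPv4(a netip.Addr) bool {
	return a.Is4() && a.IsGlobalUnicast() && !a.IsPrivate()
}

// checkDestination (hypothetical) reports whether an outbound dial to s is
// permitted, and which rule decided it.
func checkDestination(s string, allowNAT64 bool) (bool, string) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return false, "unparseable address"
	}
	a = a.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	if a.Is4() {
		return publicIPv4(a), "IPv4 " + a.String()
	}
	if v4, ok := embeddedIPv4(a); ok && allowNAT64 {
		return publicIPv4(v4), "NAT64 to IPv4 " + v4.String()
	}
	return globalUnicast.Contains(a), "IPv6 checked against 2000::/3"
}

func main() {
	// First address is from the log; the others are constructed samples.
	for _, s := range []string{"64:ff9b::8c52:7403", "64:ff9b::a00:1", "2001:db8::1"} {
		ok, why := checkDestination(s, true)
		fmt.Println(s, ok, why)
	}
}
```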