# ory-network
j
Hi everyone! I am struggling with cookies in our setup. All is working fine when we are not inside an iframe. We have a dedicated Auth app where the user logs in and then gets redirected to the redirect_uri; all works fine in regular mode. For our partners we are using the zoid JS library, where the partner's domain loads a child app, and all Hydra-related things happen in the child app. The Auth app redirect does not work properly inside a child app iframe; we are getting the following error when redirected to the redirect_uri: "The+request+is+not+allowed.+No+CSRF+value+available+in+the+session+cookie." To fix this error I have already tried applying the following settings https://www.ory.sh/docs/hydra/guides/cookies via the Ory CLI
```yaml
# SameSite=none requires HTTPS, so we need to disable dev mode:
dev: false

serve:
  cookies:
    same_site_mode: None
    same_site_legacy_workaround: true
```
but we still have the same issue as before, and it looks like the cookie settings have not been changed. The SameSite cookie attribute is still set to Lax on the Ory domain. Possibly the following Ory CLI command does not apply settings at once; maybe some caching exists?
```shell
ory update oauth2-config projectId --file /settings.json
```
Please advise. Thanks!
s
The config update should happen instantaneously, but maybe your browser has some cache? Did you try with all cookies deleted?
j
Yeah, I tried deleting cookies for the Ory domain.
h
I believe this is on purpose; it's a security requirement to avoid clickjacking etc.
j
If this is on purpose, then why do the docs say the following: https://www.ory.sh/docs/hydra/guides/cookies
```yaml
# SameSite=none requires HTTPS, so we need to disable dev mode:
dev: false

serve:
  cookies:
    same_site_mode: None
    same_site_legacy_workaround: true
```
The settings above do not work; the cookie has SameSite Lax even after applying the above.
f
@narrow-van-43826 do you have insights here?
j
I tried using the prod instance with the same subdomain, but still the same error. Firefox is more verbose than Chrome. The following error is triggered inside an iframe: Cookie “ory_oauth2_login_csrf_XXXXXX” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”. Even after I have added SameSite None.
n
Hi, when I do this:
```shell
ory patch identity-config --replace '/cookies/same_site="None"'
```
then the cookie with the csrf_token has a SameSite attribute of "None".
j
Hi @narrow-van-43826 Thanks! Let me try.
s
This is about the oauth2 config though.
j
So I assume the command will be slightly different, but I really didn't try using patch.
n
@steep-lamp-91158 yes, but I found that these cookie settings are governed by the identity config.
@jolly-fall-64359 let me know if it works for you, and I'll update the docs 🙂
j
Thanks @narrow-van-43826! I really appreciate your help!
s
Hm, that seems weird to me 😅
j
Inside identity-config there is one more place with session cookie settings:
```shell
ory patch identity-config uuid --replace '/session/cookie/same_site="None"'

ory patch identity-config --replace '/cookies/same_site="None"'
```
Applied both commands successfully, but the cookies are still Lax. (And I have removed them before checking.)
I will try to clean my setup; possibly something is wrong on my side. I will use a dev environment from scratch.
Restored all dev settings, applied the identity-config settings, and still no luck. Cookie “ory_oauth2_login_csrf_xxxxxxx” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”.
n
Weird. Can you paste me the config (DM is fine) so that I can load it into my account?
j
sure, will do
n
Hmm https://github.com/ory/hydra/blob/ed2ac06b4f880d6bcf6c889c259f4ca32428fb1f/driver/config/provider.go#L279-L283 @steep-lamp-91158 do you know what's up with that? In dev mode we always go "Lax" even if the user wanted "None"? 🤔
s
Hm, it was introduced by https://github.com/ory/hydra/commit/534203c541ee797c0968f299e59f7da018ac3e9c but not sure if it is a bug; looks like one tbh.
n
Hmm, well, but even dev mode has HTTPS on Ory Network.
So it is nonsensical to assume that in dev mode there is no HTTPS.
@jolly-fall-64359 can you check if the issue goes away if you disable the dev env?
j
Checking, thanks.
I assume the dev env is a setting in oauth2-config?
If I am right, I am not able to change this setting with patch or update.
```shell
ory update oauth2-config uuid --file /dev-oauth2-config.json

ory patch oauth2-config uuid --replace '/dev="false"'

ory patch oauth2-config uuid --replace '/dev=false'
```
It is still set to true.
n
IIRC you have to upgrade your subscription for that, as only dev projects are free
j
OK, got it. Thanks, I will switch to the prod instance where a paid plan is added.
Tried the same update/patch commands on prod, but still no luck; dev is still true 😞
n
OK, but is the SameSite still Lax?
j
Yeah, SameSite is still Lax.
I can share the prod configs if needed, in DM.
All the same settings applied as on dev.
n
@steep-lamp-91158 do you know why?
FWIW, dev is false in your oauth2 config.
So the cookie should be settable to None.
j
Yeah, because I tried to update it from a file.
But after the update, when I do get oauth2-config, it is still true.
n
Ah, ok.
j
Shared the command and result in DM.
Hi again, I wonder if you have ideas why dev mode can't be disabled on a paid project? Thanks
s
I'm looking into it; it seems there is some bug...
j
Hi again, please let me know if you have updates. Thanks
Hi again, please let me know if I can help somehow. Since Hydra is written in Go my knowledge won't be enough, but it looks like this cookie is not set at all: https://github.com/ory/hydra/blob/master/consent/helper.go#L75 And then during validation this error is thrown: https://github.com/ory/hydra/blob/master/consent/helper.go#L85
s
The fix is already done in Hydra: https://github.com/ory/hydra/pull/3502
we are currently working on the release but have some CI issues
but we want to release to Ory network ASAP
j
Thank you for the quick fix!
Please ping me when the changes are released so I can help test the fix. Thanks
s
Yes, I have you on the list.
Still fighting CI though...
j
Thank you!
Hi everyone, I can confirm that now the cookies have SameSite: None.
Just want to say THANK YOU to all of your team! You are great!
s
Haha, you were faster than me; I just wanted to confirm that the release is done.