# talk-kratos
b
I have problems understanding kratos and hydra workings together. I am using hydra 2.1.2 and kratos 0.13.0. Also using react and typescript. When using the quickstart guide from hydra I can create oauth-client and go to the processes so I can get the link to my kratos login page with login challenge in the parameter. When using createBrowserLoginFlow() to create login flow I do get oauth2_login_request object that is populated in the response, so the kratos<->hydra communication seems to work. There does not seem to be any redirect_to url in responses. My question is, how should I know where to redirect the user after successful login? (If I understood the flow correctly, login should return back to hydra and hydra will redirect to the consent page) configuration to kratos. under oauth2_provider it needs override_return_to to be set as TRUE because it is FALSE by default. EDIT: still not kratos making accept request to kratos
{
  "id": "ad533422-946c-47f5-a691-0b7f543705a1",
  "oauth2_login_challenge": "575d40f9-14b3-47e6-887a-f5239a1c97aa",
  "oauth2_login_request": {
    "challenge": "575d40f914b347e6887af5239a1c97aa",
    "client": {
      "allowed_cors_origins": [],
      "audience": [],
      "client_id": "ca21be19-8a2f-4f95-9acb-ed78968bed5d",
      "client_name": "",
      "client_secret_expires_at": 0,
      "client_uri": "",
      "contacts": [],
      "created_at": "2023-06-01T19:27:02Z",
      "grant_types": [
        "authorization_code",
        "refresh_token"
      ],
      "jwks": {},
      "logo_uri": "",
      "metadata": {},
      "owner": "",
      "policy_uri": "",
      "redirect_uris": [
        "http://127.0.0.1:5555/callback"
      ],
      "request_object_signing_alg": "RS256",
      "response_types": [
        "code",
        "id_token"
      ],
      "scope": "openid offline",
      "subject_type": "public",
      "token_endpoint_auth_method": "none",
      "tos_uri": "",
      "updated_at": "2023-06-01T19:27:01.604918Z",
      "userinfo_signed_response_alg": "none"
    },
    "oidc_context": {},
    "request_url": "http://localhost:4444/oauth2/auth?audience=&client_id=ca21be19-8a2f-4f95-9acb-ed78968bed5d&max_age=0&nonce=myqefjigquhvqiaaeradyemv&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=ehehoxbrcfmzmgzxuxbkwyht",
    "requested_access_token_audience": [],
    "requested_scope": [
      "openid",
      "offline"
    ],
    "session_id": "b782bafe-7e91-40e9-b51e-e30f2dc4ffa7",
    "skip": false,
    "subject": ""
  },
  "type": "browser",
  "expires_at": "2023-06-01T20:29:18.891753326Z",
  "issued_at": "2023-06-01T19:29:18.891753326Z",
  "request_url": "http://localhost:4433/self-service/login/browser?login_challenge=575d40f914b347e6887af5239a1c97aa&refresh=true",
  "ui": {
    "action": "http://localhost:4433/self-service/login?flow=ad533422-946c-47f5-a691-0b7f543705a1",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "GHAOioNB7kvfkvv1DeJ/nmgamfePspy+/qX7DSjBCFV9sFLivmIQGSjPBVlt8rvbSZvl9+khQN/jWtctmZPJ5g==",
          "required": true,
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {}
      },
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "identifier",
          "type": "text",
          "value": "",
          "required": true,
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1070004,
            "text": "ID",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "autocomplete": "current-password",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1070001,
            "text": "Password",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "password",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1010001,
            "text": "Sign in",
            "type": "info",
            "context": {}
          }
        }
      }
    ]
  },
  "created_at": "2023-06-01T19:29:18.894165Z",
  "updated_at": "2023-06-01T19:29:18.894165Z",
  "refresh": false,
  "requested_aal": "aal1"
}
hmm. seems that there is redirect_uris in the object after all 😄 But it is not automatically updated to the flow, so maybe that is something I have to do manually in the code when creating the flow?
nope, that did not work as expected
Ok, I think I know why it fails.. I have to accept the login request manually.
Ok, this might be a stupid question, but if I use hydra.acceptOAuth2LoginRequest() function call in my react/typescript application, it is trying to do that in the browser and not in the server->server communication. Where to look to solve that problem?
Ok, answering to myself again 🙂 I think this is related to the https://github.com/ory/kratos/issues/3225 issue where updateLoginFlow API call to Kratos does not make the PUT request to Hydra and that is why the updateLoginFlow does not return return_to url and that is why the browser is not redirected to hydra for the consent sequence to begin.
It seems that it is fixed in main, so now I just have to wait for 0.13.1 to be released or learn how to build kratos docker container myself..
I built the latest master repo and updateLoginFlow call to kratos does not make any calls to Hydra (createBrowserLoginFlow does make a call to Hydra).
I might have found a bug. I think this is related to the https://github.com/ory/kratos/issues/3225 issue.
1. When using createBrowserLoginFlow, Kratos makes a call to Hydra and creates the oauth2_login_request object in the response data.
2. After a successful login request, calling updateLoginFlow on kratos does not make Kratos call Hydra -> wrong redirection in the app.
I am trying to make my kratos login UI app also work as consent UI app. I have all kratos related stuff working, but hydra+kratos seems to have some issues. Using kratos version 0.13.0 and also HEAD from master branch. Both seem to have this bug(?)
a
@billions-leather-15882 i'm also trying to get Hydra & Kratos working together in a React (Next) project but i'm having trouble figuring out how to do that. would you be willing to share some code showing how you did that? maybe a git gist?
b
Sure, but my hydra stuff only is working when creating the browser flow, not when updating it
It was pretty straight forward...
.createBrowserLoginFlow({
    refresh: Boolean(refresh),
    aal: aal ? String(aal) : undefined,
    returnTo: returnTo ? String(returnTo) : undefined,
    loginChallenge: loginChallenge ? String(loginChallenge) : undefined,
})
And that did the trick to create the flow, but updating it.. that does not work (I am expecting Kratos has a bug in it)
for the hydra part, I just use the quickstart guide but changed the consent node address to my kratos app. And also configured this line to kratos: oauth2_provider: url: http://hydra:4445/
Seems like this: https://github.com/ory/kratos/blob/5f33b08b40e6f13a788b91b1c4b9f5e48d79404b/selfservice/flow/login/hook.go#L239 is not called when updating login flow. The execution goes to this line: https://github.com/ory/kratos/blob/5f33b08b40e6f13a788b91b1c4b9f5e48d79404b/selfservice/flow/login/hook.go#L216 And inside the if and return response from there. My go skills are not good enough to fix this. I modified the code to change the location and it did make a call to hydra, but it did not fix the issue of return to address missing from reply. So the correct code seems to be there but it is executed in the wrong order.
Yep.. this is the same conclusion as is with this bug: https://github.com/ory/kratos/issues/3225
Ok this is not a bug, but requires configuration to kratos. under oauth2_provider it needs override_return_to to be set as TRUE because it is FALSE by default.
It still might be a bug 😄
Kratos is not making login/accept request to hydra after successful login