When integrating hydra and kratos, how can I stop ...
# talk-kratos
c
When integrating hydra and kratos, how can I stop kratos from redirecting to somewhere OTHER than the redirect_uri after a successful login? Why does it do this instead of redirecting to the authorize endpoint's specified redirect_uri?
p
Hi @curved-ram-6189 since this is an oauth2 flow, the user will always be redirected back from kratos to hydra. hydra should then dictate where the user should end up at. this is then usually specified by the client `redirect_uri`
in these circumstances, kratos has no authority to redirect the user to anywhere other than back to hydra.
c
Does this mean that I MUST set hydra as the redirect_uri? Since others have this working I'm certain it must be a configuration issue, but I don't really understand what the default_browser_return_url is in these scenarios. Here's the flow when I try to use the postman OIDC integration test
The relevant part of the kratos config:

```yaml
selfservice:
  methods:
    password:
      enabled: true
      config:
        haveibeenpwned_enabled: false
    oidc:
      enabled: true
  allowed_return_urls:
    - http://localhost
    - https://oauth.pstmn.io/v1/callback
    - https://$(BASE_DOMAIN)/kratos/ui/
  flows:
    login:
      ui_url: https://$(BASE_DOMAIN)/kratos/ui/login
      after:
        default_browser_return_url: https://$(BASE_DOMAIN)/kratos/ui/
    registration:
```

```yaml
oauth2_provider:
  url: http://hydra-admin:4445
```
p
> Does this mean that I MUST set hydra as the redirect_uri?

what do you mean? Kratos can work independent of hydra, and so the `default_browser_return_url` key is exactly what it says. the default url to redirect to after a browser flow. in an independent flow (no oauth2) a login flow through a browser will return the browser to the `default_browser_return_url` or, if specified, `login.after.default_browser_return_url`.
c
That's what I interpreted the `default_browser_return_url` to mean as well.. that it could be overridden by the oauth2 redirect_uri. However that's not the behaviour I'm seeing. If you look at the screenshot you can see that I specify the `https://oauth.pstmn.io/callback` redirect_uri in the hydra authorize endpoint call, which correctly sends me to the kratos login screen. However kratos login just takes me back to the kratos ui welcome screen if successful (which happens to be what I set as the `default_browser_return_url`). I would expect instead to be redirected to `https://oauth.pstmn.io/callback`.
So I'm wondering what I need to do to get Kratos to redirect to the proper redirect_uri?
FWIW I have tried this in the browser as well (independent of any postman quirks) and I see the same behavior
p
Do you see any error logs in kratos / hydra? something like the url couldn't be redirected to etc.?
cause afaik kratos should always return you to the provider after completing an oauth2 flow.
and the client's redirect uri should be called
c
May have been that I broke kratos with my latest config change. I see 401 on the user auth. Will fix and see if I can still repro.
p
yeah so the session doesn't exist after sign in?
if there is no session, then it might be that it's falling back to the default_browser_return_url
c
Seems likely. I don't know if this was happening before I broke sessions though. Will confirm.
Ok I fixed the sessions but it's still happening. Do I need to allow a user to log in via oidc or can they use that flow by default? I see in the user session that the password authentication mechanism is used
What was breaking the auth was `cookie.same_site: None`. But once I fixed that it still doesn't seem to work. Should the "return_to" parameter in the login/browser call be empty?
a
@curved-ram-6189 don't quote me on this because i'm still learning the ropes with these products, but i think maybe you should be putting oidc above password in the config, or possibly not even including password as an option if you're using oidc. so:

```yaml
selfservice:
  methods:
    oidc:
      enabled: true
    password:
      enabled: true
      config:
        haveibeenpwned_enabled: false
```

have you tried that yet?
c
I haven't yet, no. But I assumed password needed to be enabled in order to register
The problem at the moment still seems to be sessions. When I log in through the kratos-selfservice-ui-node, the session appears in the big black box, but when I call the kratos get sessions api, the "identity" field is null in all sessions
Yeah if I disable password auth the login form doesn't show up on the selfservice ui, so I assume that's a no-go
a
i see. ok.
c
So for some reason I'm seeing that something (likely the ui??) is calling self-service/*logout*/browser right after self-service/login/browser. I don't have MFA enabled, so is that normal?
```text
time=2023-06-12T19:33:57Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br accept-language:en-GB,en-US;q=0.9,en;q=0.8 cookie:[ory_hydra_login_csrf_dev_1258758061=MTY4NjU5ODQzN3xSRGNhQ0Ruc2Z1cDBNbDhueVQ1TFhWSjJXeWlvb3BOSUt5bmE4RnVJc0pIOF9NLUgyRTlDcFkzdHptR1JtM3lwS0hUeEJldHc3bE45S053MmNTSGE2dTgwSTB3WUxVdUZ2Sm81YzR5eDdHbkpGN0pzT2V1cHo1bXQxdkNERWc9PXzcMygTZ9ZkVHc1v75jOdQO9C1TcRE2swo-r7ukny7Jfw==] sec-ch-ua:"Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"Linux" sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:none sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 x-forwarded-for:142.177.68.42 x-forwarded-host:domain.com x-forwarded-port:443 x-forwarded-proto:https x-forwarded-scheme:https x-real-ip:142.177.68.42 x-request-id:80a5c6a6da7258d9fcd8ea90972deb3f x-scheme:https] host:domain.com method:GET path:/self-service/login/browser query:aal=&refresh=&return_to= remote:10.0.31.193:52586 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:text/html; charset=utf-8 location:https://domain.com/kratos/ui/login?flow=41447c32-4369-4bc1-a4be-2c04c03cba23 set-cookie:[csrf_token_cdc523be6ce53703e2c61dcec65282dc84d9c5323e86a28b466c961bca11b066=9exMF12lL2EtWJE6Ndgl7sAIbbCzG6hNqnRPfb0IMjo=; Path=/; Max-Age=31536000; HttpOnly; SameSite=Lax] vary:Origin] size:122 status:303 text_status:See Other took:3.729402ms]
time=2023-06-12T19:33:57Z level=info msg=started handling request http_request=map[headers:map[accept:application/json, text/plain, */* connection:close cookie:[ory_hydra_login_csrf_dev_1258758061=MTY4NjU5ODQzN3xSRGNhQ0Ruc2Z1cDBNbDhueVQ1TFhWSjJXeWlvb3BOSUt5bmE4RnVJc0pIOF9NLUgyRTlDcFkzdHptR1JtM3lwS0hUeEJldHc3bE45S053MmNTSGE2dTgwSTB3WUxVdUZ2Sm81YzR5eDdHbkpGN0pzT2V1cHo1bXQxdkNERWc9PXzcMygTZ9ZkVHc1v75jOdQO9C1TcRE2swo-r7ukny7Jfw==; csrf_token_cdc523be6ce53703e2c61dcec65282dc84d9c5323e86a28b466c961bca11b066=9exMF12lL2EtWJE6Ndgl7sAIbbCzG6hNqnRPfb0IMjo=] user-agent:axios/0.21.4] host:kratos-public method:GET path:/self-service/logout/browser query:<nil> remote:10.0.31.158:45426 scheme:http]
time=2023-06-12T19:33:57Z level=info msg=An error occurred while handling a request audience=application error=map[debug: message:request does not have a valid authentication session reason:No active session was found in this request. stack_trace:
github.com/ory/kratos/session.(*ManagerHTTP).FetchFromRequest
	/project/session/manager_http.go:208
github.com/ory/kratos/selfservice/flow/logout.(*Handler).createBrowserLogoutFlow
	/project/selfservice/flow/logout/handler.go:128
github.com/ory/kratos/x.NoCacheHandle.func1
	/project/x/nocache.go:21
github.com/ory/kratos/x.NoCacheHandle.func1
	/project/x/nocache.go:21
github.com/julienschmidt/httprouter.(*Router).ServeHTTP
	/go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:387
github.com/ory/nosurf.(*CSRFHandler).handleSuccess
	/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:234
github.com/ory/nosurf.(*CSRFHandler).ServeHTTP
	/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:191
github.com/urfave/negroni.Wrap.func1
	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46
github.com/urfave/negroni.HandlerFunc.ServeHTTP
	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/kratos/x.glob..func1
	/project/x/clean_url.go:15
github.com/urfave/negroni.HandlerFunc.ServeHTTP
	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2109
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1
	/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:284
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2109
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1
	/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:142
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2109
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1
	/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:92
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2109
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2
	/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:104
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2109
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1
	/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:234
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2109
github.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1
	/go/pkg/mod/github.com/ory/x@v0.0.551/prometheusx/metrics.go:115
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2109
github.com/ory/x/prometheusx.(*MetricsManager).ServeHTTP
	/go/pkg/mod/github.com/ory/x@v0.0.551/prometheusx/middleware.go:41
github.com/urfave/negroni.middleware.ServeHTTP
	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/x/metricsx.(*Service).ServeHTTP
	/go/pkg/mod/github.com/ory/x@v0.0.551/metricsx/middleware.go:259
github.com/urfave/negroni.middleware.ServeHTTP
	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/kratos/x.HTTPLoaderContextMiddleware.func1
	/project/x/httploadermiddleware.go:23
github.com/urfave/negroni.HandlerFunc.ServeHTTP
	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29 status:Unauthorized status_code:401] http_request=map[headers:map[accept:application/json, text/plain, */* connection:close cookie:[ory_hydra_login_csrf_dev_1258758061=MTY4NjU5ODQzN3xSRGNhQ0Ruc2Z1cDBNbDhueVQ1TFhWSjJXeWlvb3BOSUt5bmE4RnVJc0pIOF9NLUgyRTlDcFkzdHptR1JtM3lwS0hUeEJldHc3bE45S053MmNTSGE2dTgwSTB3WUxVdUZ2Sm81YzR5eDdHbkpGN0pzT2V1cHo1bXQxdkNERWc9PXzcMygTZ9ZkVHc1v75jOdQO9C1TcRE2swo-r7ukny7Jfw==; csrf_token_cdc523be6ce53703e2c61dcec65282dc84d9c5323e86a28b466c961bca11b066=9exMF12lL2EtWJE6Ndgl7sAIbbCzG6hNqnRPfb0IMjo=] user-agent:axios/0.21.4] host:kratos-public method:GET path:/self-service/logout/browser query:<nil> remote:10.0.31.158:45426 scheme:http] http_response=map[status_code:401] service_name=Ory Kratos service_version=v0.13.0
time=2023-06-12T19:33:57Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json, text/plain, */* connection:close cookie:[ory_hydra_login_csrf_dev_1258758061=MTY4NjU5ODQzN3xSRGNhQ0Ruc2Z1cDBNbDhueVQ1TFhWSjJXeWlvb3BOSUt5bmE4RnVJc0pIOF9NLUgyRTlDcFkzdHptR1JtM3lwS0hUeEJldHc3bE45S053MmNTSGE2dTgwSTB3WUxVdUZ2Sm81YzR5eDdHbkpGN0pzT2V1cHo1bXQxdkNERWc9PXzcMygTZ9ZkVHc1v75jOdQO9C1TcRE2swo-r7ukny7Jfw==; csrf_token_cdc523be6ce53703e2c61dcec65282dc84d9c5323e86a28b466c961bca11b066=9exMF12lL2EtWJE6Ndgl7sAIbbCzG6hNqnRPfb0IMjo=] user-agent:axios/0.21.4] host:kratos-public method:GET path:/self-service/logout/browser query:<nil> remote:10.0.31.158:45426 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json vary:Origin] size:192 status:401 text_status:Unauthorized took:556.45µs]
```
@proud-plumber-24205 This issue seems to be similar to what I see as well. https://github.com/ory/kratos/issues/2624
I tried implementing the hydra consent ui (example-idp helm chart) and pointing hydra consent url at that.. but no dice.
p
it shouldn't matter if you are using a password method or oidc to sign in with. regarding the error of logout being called, that's just the logic of the ui in this case, it's not required to do immediately, but essentially what is required with the logout api is to create the logout request to set csrf cookies and then finalize the logout on a user action, such as a logout button. So this initial call is just to create the logout flow so that the second call succeeds. maybe try it out on the Ory Network with a developer project. the project comes with Hydra and Kratos already pre-configured. You can then verify the behavior. If all goes well, kratos will redirect the browser to the callback url configured for that specific oauth2 client.
c
So I managed to get a redirection to the consent screen, but only after building kratos from master and kratos-selfservice-ui-node from the `Joragu:feat/kratos-hydra-integration` branch. It seems the reference UI doesn't properly propagate the redirect uri: https://github.com/ory/kratos-selfservice-ui-node/pull/257. Still trying to figure out if redirecting to the consent screen is correct behavior, since there are no buttons or anything on the screen to accept consent and proceed to the redirect-uri
Finally managed to get this working! I just pulled master of the `kratos-selfservice-ui-node` this morning, rebuilt, fixed the issue with the helm chart and it works! I can get a token!
Thanks for all your help!
a
glad you got it working. i guess the example needs to be updated with the code that was merged in the above referenced PR. @magnificent-energy-493 @delightful-noon-48365
d
@curved-ram-6189 glad my example and code helped and worked for you! Yes @adorable-scooter-1570 the example should be refactored using the image instead of the code as at present. I will do it when the next version of kratos-selfservice-ui-node is available. @magnificent-energy-493 or @high-optician-2097 do you have any information about the next release for the kratos-selfservice-ui-node project?
c
The only issue I see with the latest code currently is the ory image is borked on the consent screen. May be a me-issue though