# ory-network
b
Hi We are currently in the process of implementing a login flow in our Android App using the OpenID’s AppAuth-Android library (https://github.com/openid/AppAuth-Android) and have successfully set up signing in through Google Social SignIn; however, an issue comes up once the Google Flow has completed:
{"type":1,"code":1008,"error":"request_forbidden","errorDescription":"The request is not allowed. No CSRF value available in the session cookie."}
Has someone here experience with this error response?
s
are you using the native flows and APIs everywhere?
and where exactly do you get the error? so what api endpoint?
b
We are using AppAuth-Android, which simply opens an Android WebView. The entire flow is executed within the WebView, similar to Browser Apps/SPAs, I suppose. The native part of the app is only notified when the OAuth Flow in the WebView is completed.
s
and you get that error in the web view or when exchanging the code for the session?
b
The Ory backend calls the redirectUri with an error response:
<OUT_REDIRECT_URI>/?error=request_forbidden&error_description=The+request+is+not+allowed.+No+CSRF+value+available+in+the+session+cookie.&state=FUhHWgSY_l38BpmzE4m9mg
This error is then passed on from the WebView to the native code, where the error is logged.
s
OK what exactly is your setup? Are you using Ory OAuth2 with Ory Identities, and then use google social for login to Ory Identities?
And you initialize the OAuth2 flow with the Ory APIs?
b
We are using Ory OAuth2 with Ory Identities, correct. But we are not using the Ory APIs.
We work with the AppAuth client directly. All we do there is configure their OAuth client, like this:
AuthorizationRequest.Builder(
    ORY_CLIENT_ID,
    ResponseTypeValues.CODE,
    CLIENT_REDIRECT_URI
)
    .setScopes("openid", "offline")
    .build()
The client is also initialized via
<OUR_PROJECT_URL>/.well-known/openid-configuration
s
at which point in this flow do you get the error? because the redirects happen as follows, right?
1. app without auth code
2. web view initializing oauth2 flow with Ory
3. web view initializing login with Ory Identities
4. web view initializing login with Google
5. web view completing login with Google
6. web view completing login with Ory identities
7. web view completing login with Ory OAuth2
8. app with auth code
b
We can’t really find out the exact point since AppAuth-Android does not provide much insight. However, the Google sign-in definitely works. I believe the error occurs after 5 and before 8 since we never get an auth code.
Do you have any suggestions/best practices on how to integrate Ory in iOS/Android Apps? We are not attached to AppAuth and would use anything that works.
s
for oauth2 always use some tested and proven library, never implement it yourself
but when you execute the steps, don't you know where it fails?
do you use the Ory account experience, or do you have a custom ui (for the Ory Identities part)?
I can at least confirm that the error is thrown by Hydra (Ory OAuth2) on the authorization request
b
Thanks! We’ll try to find an alternative to AppAuth. One that hopefully gives us more insight and control.
Turns out the problem was that we were fetching the OpenID configuration from
<project-slug>.projects.oryapis.com/.well-known/openid-configuration
instead of
<our_custom_domain>/.well-known/openid-configuration
The weird thing is that the issuer of the idToken we receive is still <project-slug>.projects.oryapis.com instead of our_custom_domain, as specified in the openid-configuration. This trips up the client-side IdToken validation since the issuers do not match. We managed to work around this, but I guess this is not intended.
s
Can you open an issue in https://github.com/ory/network/issues/ with all the details? 🙏