# talk-oathkeeper
p
Hi all, I’m trying to debug my oathkeeper cookie_session authenticator. I think there may be some sort of issue with the session information and how it’s passed. When I log in, a cookie is set with the format ory_session_<project slug without dashes>. I believe that the check_session_url should be https://{project_slug}.projects.oryapis.com/sessions/whoami, but in the API docs, it specifies the format of the headers a little differently than what seems to get set after a successful login. It lists X-Session-Token and the ory_session cookie as needing to be in the headers, but if that’s the case, why doesn’t Ory set the session information with that cookie name in the first place? Any help would be much appreciated.
s
Could you share the access rules and how the cookie session authenticator is configured?
p
Here is the relevant section to my global config file:
```yaml
authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  cookie_session:
    enabled: true
    config:
      check_session_url: https://<project-slug>.projects.oryapis.com/sessions/whoami
```
And here is the defined rule:
```json
{
  "authenticators": [
    {
      "forward_http_headers": [
        "X-Forwarded-For",
        "Authorization",
        "Cookie"
      ],
      "handler": "cookie_session"
    }
  ],
  "id": "customer",
  "match": {
    "methods": [
      "POST",
      "GET"
    ],
    "url": "https://localhost/api/v1/user/<[0-9a-zA-Z-]{20,40}>/customer"
  },
  "mutators": [
    {
      "handler": "noop"
    }
  ],
  "version": "v0.36.0-beta.4"
}
```
s
It looks like you're facing the same issue as described here: https://stackoverflow.com/questions/74549389/ory-kratos-oathkeeper-trino-starburst
p
It looks like the Stack Overflow question you forwarded is regarding the mutator adding a JWT to the request. My question revolves around the cookie for the session token. I’ve been trying to test the /sessions/whoami endpoint before I worry about adding the mutator for the JWT.
The response I’m getting is this:
```json
{"error":{"code":401,"status":"Unauthorized","message":"Access credentials are invalid"}}
```
Which leads me to believe that there is something wrong with the cookies or the headers based on this snippet of the API docs:
```text
This endpoint authenticates users by checking:

if the Cookie HTTP header was set containing an Ory Kratos Session Cookie; if the Authorization: bearer <ory-session-token> HTTP header was set with a valid Ory Kratos Session Token; if the X-Session-Token HTTP header was set with a valid Ory Kratos Session Token.

If none of these headers are set or the cookie or token are invalid, the endpoint returns a HTTP 401 status code.
```
I’ve tried using all three of these methods (Authorization header with bearer token, naming the cookie ory_kratos_session, and including an X-Session-Token header with the token), but all return the 401 unauthorized.
OK, update: after adding preserve_path: true to the config, it’s now working correctly.