# talk-kratos
Hello everyone, I'm experiencing a CSRF issue with a few users on a self-hosted Kratos/Oathkeeper setup. Our application is at http://app.bar.com and our authentication UI is at http://auth.bar.com; everything works as expected for 95% of my users. However, we have a case where a user can log in normally, but the moment they log out and Kratos redirects to /login we get a CSRF error on the flow ID and a

This page isn't working ERR_TOO_MANY_REDIRECTS

error in the browser. Looking at the client, I can see that there were 2 csrf_ tokens attached and Kratos is grabbing the wrong one. On GitHub, https://github.com/ory/kratos/pull/2122 and https://github.com/ory/kratos/issues/3316 are identical to the issue I am facing. When the user logs out, they are routed to

http://auth.bar.com/login?flow=<flow-id>

then the CSRF issue happens and routes the user to

http://auth.bar.com/.ory/kratos/public/self-service/login/browser?aal=&refresh=&return_to=

then the browser error appears and the cookies are present as shown in the attached screenshots. We've cleared the cache and cookies, but the issue persists in regular browser mode, while in incognito the issue does not happen. Please let me know if you require any additional details.
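As an added diagnostic example (not code from the post above, nor from Ory Kratos), the script below models how a browser chooses which stored cookies to attach to a request and then flags any CSRF cookie name that appears more than once in the resulting Cookie header, which is the "two csrf_ tokens" symptom the post describes. It assumes that Kratos' CSRF cookie names begin with `csrf_token`; the Set-Cookie lines, the cookie name `csrf_token_4f2a`, the values and the hosts are constructed sample data.

```python
"""Detect duplicate CSRF cookies in the Cookie header a browser would send.

Added example, not Kratos code. Assumption: the CSRF cookie name starts with
``csrf_token``. The Set-Cookie lines below are constructed sample data that
place one cookie on the parent domain and one host-only cookie on the auth host.
"""
from __future__ import annotations

from collections import defaultdict

CSRF_PREFIX = "csrf_token"  # assumption about the Kratos cookie name prefix

# Constructed sample: (host that set the cookie, raw Set-Cookie header value).
SAMPLE_SET_COOKIES = [
    ("auth.bar.com", "csrf_token_4f2a=OLDVALUE; Path=/; Domain=bar.com; HttpOnly; SameSite=Lax"),
    ("auth.bar.com", "csrf_token_4f2a=NEWVALUE; Path=/; HttpOnly; SameSite=Lax"),
]


def parse_set_cookie(line: str) -> dict:
    """Parse one Set-Cookie header value into name, value, domain and path."""
    parts = [p.strip() for p in line.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None, "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            # RFC 6265: a leading dot in the Domain attribute is ignored.
            cookie["domain"] = val.strip().lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val.strip() or "/"
    return cookie


def domain_matches(host: str, cookie_domain: str | None, origin_host: str) -> bool:
    """A cookie without a Domain attribute is host-only; with one it also covers subdomains."""
    host = host.lower()
    if cookie_domain is None:
        return host == origin_host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent_to(host: str, stored: list[dict]) -> list[tuple[str, str]]:
    """Return the (name, value) pairs a browser would put in the Cookie header for host."""
    return [(c["name"], c["value"]) for c in stored
            if domain_matches(host, c["domain"], c["origin"])]


def parse_cookie_header(header: str) -> list[tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs, keeping duplicates."""
    pairs = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def duplicate_csrf_cookies(pairs: list[tuple[str, str]],
                           prefix: str = CSRF_PREFIX) -> dict[str, list[str]]:
    """Return CSRF cookie names that occur more than once, with every value seen."""
    seen: dict[str, list[str]] = defaultdict(list)
    for name, value in pairs:
        if name.startswith(prefix):
            seen[name].append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def diagnose(host: str, set_cookies: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Simulate the cookie jar for host and report duplicated CSRF cookies."""
    stored = [dict(parse_set_cookie(line), origin=origin) for origin, line in set_cookies]
    header = "; ".join(f"{n}={v}" for n, v in cookies_sent_to(host, stored))
    return duplicate_csrf_cookies(parse_cookie_header(header))


if __name__ == "__main__":
    for host in ("auth.bar.com", "app.bar.com"):
        print(host, "->", diagnose(host, SAMPLE_SET_COOKIES) or "no duplicate CSRF cookies")
```

With the constructed data, a request to `auth.bar.com` carries both cookies under the same name (the server has no reliable way to tell which one is current), while a request to `app.bar.com` only carries the parent-domain cookie. A fresh cookie jar, as in an incognito window, holds only the most recently set cookie and so never shows the duplicate; the check is most useful run against the Cookie header captured from an affected browser profile.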