# talk-kratos
p
I am using the .NET SDK for Kratos. CSRF cookies are verified fine when I call GetRegistrationFlow(), but it fails when I try to POST to the endpoint with my password identity details?!
m
This call https://www.ory.sh/docs/reference/api#tag/frontend/operation/updateRegistrationFlow fails? Do you have an error/details? I am not a .NET user but this works fine in my node app.
p
Correct
Do you send the csrf token in the body or do you send the client cookies?
If I send the cookies that I got from the /self-service/registration/browser endpoint can I omit csrf_token in the application/json body?
m
You need both the cookie and CSRF token, see this also https://www.ory.sh/docs/troubleshooting/csrf#accessing-apis-from-a-server-side-application (should apply the same to .NET)
When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header sent by the client to your server here. This ensures that CSRF and session cookies are respected.
p
Haha, this Express or something code is difficult for me to read since I have never used it before. So what does the CSRF token look like?
Sir, how do I obtain the CSRF token from the cookie?
I am all good now, figured it out.
m
It is something like csrf_token_71654947218a79362a883f5440167e1aa00b15…. Just send this along together with the cookie on the request. This explains the whole CSRF thing: https://www.ory.sh/docs/kratos/concepts/security#defenses-against-cross-site-request-forgery
Sorry, forgot to send the reply 🤦
p
Thank you very much for your time. I got it to work