# ory-selfhosting
b
Hello everybody! I am using the Kratos SDK with my .NET app and I am trying to make APIs and test them in Swagger. I am facing an issue where I cannot really understand where I get the csrf_token attribute that needs to be in "KratosUpdateLoginFlowWithPasswordMethod", and I am getting 403 Forbidden security_csrf_violation. I suppose that the code flow will look something like this:

```csharp
Configuration config = new Configuration();
config.BasePath = "<base_path>";
var frontendApi = new FrontendApi(config);
var loginflow = frontendApi.CreateBrowserLoginFlow();
var flowId = loginflow.Id;
KratosUpdateLoginFlowWithPasswordMethod method = new("token", request.Email, "password", request.Password);
var updateLoginFlowBody = new KratosUpdateLoginFlowBody(method);
KratosSuccessfulNativeLogin result = frontendApi.UpdateLoginFlow(flowId, updateLoginFlowBody);
var session = result.Session;
```

Any ideas if I am doing it right, and where can I get the token? I will be thankful for any help!
m
Hello @blue-alarm-98979. The CSRF token (Cross-Site Request Forgery token) is a security measure used by Ory Kratos to prevent CSRF attacks. When you initiate a login flow, the CSRF token is included in the response from the server. In your case, you can get the CSRF token from the `loginflow` object that you get from the `CreateBrowserLoginFlow()` method. The CSRF token is located in the `loginflow.Ui.Nodes` list. You need to find the node with the `Name` attribute set to `"csrf_token"` and get its `Value` attribute. Here is an example of how you can get the CSRF token:
```csharp
Configuration config = new Configuration();
config.BasePath = "<base_path>";
var frontendApi = new FrontendApi(config);
var loginflow = frontendApi.CreateBrowserLoginFlow();
var flowId = loginflow.Id;

// Find the CSRF token
string csrfToken = null;
foreach (var node in loginflow.Ui.Nodes)
{
    if (node.Name == "csrf_token")
    {
        csrfToken = node.Value;
        break;
    }
}

if (csrfToken == null)
{
    throw new Exception("CSRF token not found in login flow");
}

KratosUpdateLoginFlowWithPasswordMethod method = new(csrfToken, request.Email, "password", request.Password);
var updateLoginFlowBody = new KratosUpdateLoginFlowBody(method);
KratosSuccessfulNativeLogin result = frontendApi.UpdateLoginFlow(flowId, updateLoginFlowBody);
var session = result.Session;
```
b
Big thanks for your response @magnificent-energy-493! While I was debugging I had found it there, but I was not able to retrieve it. I tried something like this: "var token = loginflow.Ui.Nodes[0].Attributes.ActualInstance.Value;" when I saw that the token was at the first index, but I was not able to retrieve either Name or Value. And sadly, the same goes for your solution, as I am getting "Error CS1061 'KratosUiNode' does not contain a definition for 'Name' and no accessible extension method 'Name' accepting a first argument of type 'KratosUiNode' could be found (are you missing a using directive or an assembly reference?)"

Solved! I found the ory-copilot channel and it really helped me. Here is the solution if anybody needs it:
```csharp
// The node attributes are a oneOf type; only the input variant carries Name/Value.
string csrf_token = null;
foreach (var node in loginFlow.Ui.Nodes)
{
    if (node.Attributes.ActualInstance is KratosUiNodeInputAttributes inputAttributes)
    {
        if (inputAttributes.Name == "csrf_token")
        {
            // Value is typed as object in the generated model, hence the ToString()
            csrf_token = inputAttributes.Value?.ToString();
            break;
        }
    }
}
```
m
Great you found the solution! Since you already looked for it, do you think we can add this to the docs somewhere to make it clearer for the next guy? Sadly our community Slack eats all messages after 90 days - we do have an archive here though: https://archive.ory.sh/
b
@magnificent-energy-493 definitely! However, now I am passing it to updateLoginFlow and still getting the same error, and I really do not know why, since it is the same csrf_token that I found from the createLoginFlow method 😕
m
Hey @blue-alarm-98979, did you take a look at the CSRF troubleshooting? https://www.ory.sh/docs/troubleshooting/csrf might be something we missed.
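The remaining 403 is usually not about the token value itself: a browser login flow ties the csrf_token node to a CSRF cookie that Kratos sets when the flow is created, and a server-side caller that never sends that cookie back fails the check. The following is an added example, not code from this thread or from the Ory SDK docs; it assumes the generated client's `CreateBrowserLoginFlowWithHttpInfo` variant (returning `ApiResponse<T>` with a `Headers` multimap) and the optional `cookie` parameter on `UpdateLoginFlow`, and it takes the credentials as plain arguments instead of the thread's `request` object.

```csharp
using System;
using System.Linq;
using Ory.Kratos.Client.Api;
using Ory.Kratos.Client.Client;
using Ory.Kratos.Client.Model;

public static class KratosBrowserLogin
{
    // Logs in with the password method on a browser flow, echoing the CSRF cookie back to Kratos.
    // For a purely server-side app, CreateNativeLoginFlow() avoids the CSRF check altogether.
    public static KratosSession LoginWithPassword(FrontendApi frontendApi, string email, string password)
    {
        // 1. Create the flow with the *WithHttpInfo variant so the Set-Cookie headers are visible
        //    (assumed generated-client API). The csrf_token node is only valid together with this cookie.
        ApiResponse<KratosLoginFlow> created = frontendApi.CreateBrowserLoginFlowWithHttpInfo();
        KratosLoginFlow loginFlow = created.Data;

        // 2. Extract csrf_token: attributes are a oneOf, and only the input variant carries Name/Value.
        string csrfToken = loginFlow.Ui.Nodes
            .Select(n => n.Attributes.ActualInstance as KratosUiNodeInputAttributes)
            .Where(a => a != null && a.Name == "csrf_token")
            .Select(a => a.Value?.ToString())
            .FirstOrDefault();
        if (csrfToken == null)
            throw new InvalidOperationException("csrf_token node missing from login flow");

        // 3. Turn the Set-Cookie values from flow creation into a Cookie header (name=value pairs only).
        //    Without it Kratos cannot pair token and cookie and answers 403 security_csrf_violation.
        string cookieHeader = null;
        if (created.Headers != null && created.Headers.TryGetValue("Set-Cookie", out var setCookies))
            cookieHeader = string.Join("; ", setCookies.Select(c => c.Split(';')[0]));

        // 4. Submit the password method with the token in the body and the cookie in the header.
        var method = new KratosUpdateLoginFlowWithPasswordMethod(csrfToken, email, "password", password);
        var body = new KratosUpdateLoginFlowBody(method);
        KratosSuccessfulNativeLogin result = frontendApi.UpdateLoginFlow(loginFlow.Id, body, cookie: cookieHeader);
        return result.Session;
    }
}
```

If the cookie is present and the 403 persists, the usual remaining causes in the linked troubleshooting page are a mismatch between the host/domain the flow was created on and the one it is submitted to, or mixing a browser flow with a native client.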