Hello. We're having major issues with session extension and I'm getting desperate, so I'm asking yet again. From the js client (which is configured with

edgeConfig

, as in the NextJS example) I'm using

.adminExtendSession(sessionId)

and the service always returns

403 Forbidden:

{
  "id": "security_csrf_violation",
  "code": 403,
  "status": "Forbidden",
  "request": "bac7d4f7-084b-449d-bdcd-9f3065a13838",
  "reason": "Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.",
  "details": {
    "docs": "<https://www.ory.sh/kratos/docs/debug/csrf>",
    "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
    "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
  },
  "message": "the request was rejected to protect you from Cross-Site-Request-Forgery"
}

I have asked this before here and was told that the route isn't even protected so that error makes no sense. I cleared my cookies, tried from incognito, tried from a different domain, had many other people try, doesn't matter. It just won't work. We've checked cors, enabled all methods, we use the

adminDeleteIdentity

route regularly and that one works, but extend does not. The docs feature an example curl command - using curl returns the same exact error. I am at the end of my rope with this and would like some help. 😞 @high-optician-2097

Hi Ronny - super sorry about the experience here. We'll try to reproduce this and get back to you!

Hi @white-article-28775 Sorry for the bad experience, let's see if we can resolve the issue quickly 🙂 Are you using an Ory Cloud project here or self-hosting Kratos? From what I can tell, you are reusing the client pointing to the public Kratos endpoint. There might be some problem on our side that CSRF checks aren't removed when Kratos redirects the call to our Admin endpoints. Have you tried calling the Kratos Admin endpoint directly? Have you tried to use the API directly in something like Postman? https://www.ory.sh/docs/reference/api#operation/adminExtendSession Are you sure you are doing a

PATCH

request and not a

GET

or

POST

when testing with

cURL

? Some of the commands on the documentation might be incomplete, do you have an exact reference from where you copied the command? Also CSRF errors are browser based errors, do they also happen on curl, or do you get a different error there?

@proud-plumber-24205 This is self-hosted Kratos. Since we are using the SDK, it only takes one url, so we are using the public one. But indeed my understanding is that public takes the admin requests as well and redirects them. Again, for reference, we use

adminDeleteIdentity

and it works as expected. cURL was definitely right, but also sent the request to public. One devops guy actually tried sending a cURL directly to the admin service and that one worked! But it's not something we can do using the SDK since all requests go to the same place. The error form cURL is the same exact CSRF error.

This might then be a bug when the public endpoint redirects you to the admin endpoint. What you could do is create 2 clients, one public and another admin. This might resolve the issue for now

2 FE clients? Wouldn't that cause an issue by virtue of the request being different from what the service expects to get? I assumed the public API does something before redirecting

No you can have two clients configured with their respective endpoints (admin and public). The admin SDK should in any case always be used on the server-side and never on the client (since the admin endpoint should not be exposed to the internet). Then when doing admin api calls you use the admin client.

Ok, I'll try that ASAP just to get it working... but if it's not supposed to be exposed, then what do we do here now? Can't leave it with two clients. Could this be a bug in our config?

You need to setup a firewall on the server running Kratos to only allow e.g. certain IPs or run the nextjs app on the same server as Kratos, essentially calling Kratos on localhost.

We're actually moving to static so we can't really do that, we'd have to allow all requests from anywhere...

That's a security risk, since the Admin API can create, delete identities, revoke session or extend them. Are you securing the Admin API with a reverse proxy and at least some form of authentication? Yes just a new

V0alpha2Api

https://github.com/ory/kratos-selfservice-ui-react-nextjs/blob/master/pkg/sdk/index.ts

Yeah I meant how would I create a second one that uses a different url? Since all this does is direct requests to

/api/.ory/

for the api handler, and it's the api handler that reads the url from env

You don't need the Ory proxy when you are self-hosting Kratos, so you can safely remove the

/api/.ory

handler and then configure the

V0alpha2Api

yourself to point it to your Kratos URL

so somethine like

export const ory = new V0alpha2Api(new Configuration({
    basePath: '<https://ory-url>',
    baseOptions: {
        withCredentials: true
    }
}));

?

That’s great to hear. I will still look into the initial issue.

Thank you.

I looked into the issue. The root cause is, that the

adminDeleteIdentity

path is not ignored by the CSRF handler when redirecting from the public API. The related lines are here: https://github.com/ory/kratos/blob/master/session/handler.go#L79-L81 There, the path

/sessions/*/extend

needs to be added. Feel free to open a PR.