quick-addition-90714
09/27/2024, 10:01 PMbrief-egg-61061
09/27/2024, 10:01 PMbrief-egg-61061
09/27/2024, 10:01 PMcsrf_token
with the hidden
attribute. An example of mapping the UI nodes for CSRF protection is provided in the [source](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#cross-site-request-forgery-errors). Also, it's important to note that Ory and your UI must be hosted on the same top-level domain. You can't host Ory and your UI on separate top-level domains ([source](https://www.ory.sh/docs/kratos/self-service/flows/user-login#initialize-login-flow)). If you're still encountering issues, you might want to check out the [Ory Identities documentation](https://www.ory.sh/docs/troubleshooting/csrf) for general CSRF troubleshooting, and [this document](https://www.ory.sh/docs/kratos/debug/csrf) for CSRF troubleshooting specific to self-hosted Ory Kratos Identity Server instances ([source](https://www.ory.sh/docs/troubleshooting/csrf#further-reading)).quick-addition-90714
09/27/2024, 10:03 PMquick-addition-90714
09/27/2024, 10:03 PMbrief-egg-61061
09/27/2024, 10:03 PMbrief-egg-61061
09/27/2024, 10:04 PMcsrf_token
is added. Ory Kratos compares the value of this input to the value set in the anti-CSRF cookie. If the values match, the request is allowed ([source](https://www.ory.sh/docs/kratos/concepts/security#defenses-against-cross-site-request-forgery)). In the context of Ory Hydra, it's important to note that Hydra is primarily responsible for OAuth 2.0 and OpenID Connect flows, while Kratos handles identity management and self-service flows, including login and registration.quick-addition-90714
09/27/2024, 10:05 PMbrief-egg-61061
09/27/2024, 10:05 PMbrief-egg-61061
09/27/2024, 10:06 PM/oauth2/auth
endpoint of Ory Hydra, an OAuth 2.0 Authorization Code flow is initiated. Here's a brief overview of what happens: 1. The client (your application) redirects the user to the /oauth2/auth
endpoint of Ory Hydra with specific query parameters like client_id
, redirect_uri
, scope
, response_type
, and state
. 2. Ory Hydra checks if the client is authorized to perform the request. If the client is not authorized, an error is returned. 3. If the client is authorized, Ory Hydra initiates the User Login and Consent flow. This involves redirecting the user to the login and consent apps, which are typically handled by Ory Kratos in a combined Ory setup. 4. The user logs in (if not already logged in) and gives consent to the requested scopes. 5. After successful login and consent, Ory Hydra issues an authorization code and redirects the user back to the redirect_uri
provided by the client, with the authorization code and the original state
parameter in the query string. 6. The client exchanges the authorization code for an access token and optionally a refresh token at the /oauth2/token
endpoint of Ory Hydra. 7. The client can now use the access token to access the protected resources on behalf of the user. For more details, you can refer to the [Ory Hydra documentation](https://www.ory.sh/docs/hydra/5min-tutorial) and the [OAuth 2.0 security overview](https://www.ory.sh/docs/hydra/security-architecture).quick-addition-90714
09/28/2024, 11:05 AMbrief-egg-61061
09/28/2024, 11:05 AMbrief-egg-61061
09/28/2024, 11:06 AMcsrf_token
. Ory Kratos then compares the CSRF token in the request body with the CSRF token in the cookie. If they match, the request is allowed. If they don't match, the request is rejected to prevent potential CSRF attacks. For more details, you can refer to the [Ory Kratos documentation on CSRF](https://www.ory.sh/docs/kratos/concepts/security#defenses-against-cross-site-request-forgery).quick-addition-90714
09/28/2024, 11:06 AMquick-addition-90714
09/28/2024, 11:06 AMbrief-egg-61061
09/28/2024, 11:06 AMbrief-egg-61061
09/28/2024, 11:07 AM127.0.0.1
or localhost
consistently across your configuration, as they are considered separate domains ([source](https://www.ory.sh/docs/kratos/debug/csrf#mixing-up-127001-and-localhost)).