handsome-agency-20541
11/04/2024, 3:45 PM
`/oauth2/auth?response_type=code` flow in my app. I have a recently authenticated Ory session, and I’m passing `max_age=10000` to `/oauth2/auth`, yet I’m always forced to re-authenticate (“Confirm it’s you” screen).
Are there any options or settings that I have to use to bypass re-authentication?

brief-egg-61061
11/04/2024, 3:46 PM
`max_age` parameter you're passing. You can configure this in the Ory Console or using the Ory CLI. [Session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan)
3. Privileged sessions: If you're performing actions that require a privileged session, make sure the privileged session duration is set appropriately. [Privileged sessions configuration](https://www.ory.sh/docs/kratos/session-management/session-lifespan#configuration)
4. Cookie settings: Check your session cookie settings, especially the `persistent` flag. If set to `false`, the cookie might be deleted when the browser is closed. [Session cookie max-age](https://www.ory.sh/docs/kratos/session-management/session-lifespan#session-cookie-max-age)
5. CSRF issues: Ensure you're not running into any CSRF-related problems, which can cause authentication issues. [OAuth2 CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf#ory-oauth2)
If none of these solve your issue, you might want to check your OAuth2 configuration, especially the access token lifespan:

```shell
ory patch oauth2-config --project <project-id> --workspace <workspace-id> \
  --replace "/ttl/access_token=\"2h\"" \
  --format yaml
```

[Configure token expiration time](https://www.ory.sh/docs/hydra/guides/client-token-expiration)
If you're still experiencing issues after checking these settings, it might be worth contacting Ory support for more specific troubleshooting.

handsome-agency-20541
11/04/2024, 4:21 PM
> 1. Skipping consent

Tested both options (“skip consent”, and a no-skip client with consent given during the first login). This did not affect re-authentication.

> 2. Session lifespan

Checked. I already have 72h long sessions configured.

> 3. Privileged sessions

I’m not sure what you mean by “performing actions that require a privileged session”. I’m just calling the `/oauth2/auth` code flow 🤷
Regardless, my current privileged session duration is 15min, and I’m getting the re-authentication prompt in a shorter timeframe.

> 4. Cookie settings

I don’t have any cookies of my own at the moment. The only cookies that I have now are on `https://{project-slug}.projects.oryapis.com/`. I assume they’re fine, since the re-authentication flow detects me (shows the “You are using: <login>” section).
And I do not even close the browser window in my tests.

> 5. CSRF issues

Same as 4. I guess this is not relevant to the problem.

> check your OAuth2 configuration, especially the access token lifespan:

Updated it to 2h. Still getting re-authentication. Now since you mention access tokens, am I expected to use those somehow to make multiple consecutive calls to `/oauth2/auth` work without a re-authentication prompt?

brief-egg-61061
11/04/2024, 4:21 PM
`max_age` parameter. Let's clarify a few points and explore a possible solution:
1. Regarding access tokens: No, you don't need to use access tokens for multiple calls to `/oauth2/auth`. The authorization endpoint is typically used to initiate the OAuth2 flow, not for subsequent requests [OAuth2 authorization code flow](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#step-1-get-the-users-permission).
2. The `max_age` parameter: When you include `max_age=10000` in your `/oauth2/auth` request, you're telling the authorization server to re-authenticate the user if their authentication is older than 10000 seconds (about 2.8 hours). This could explain why you're always being prompted to re-authenticate.
To potentially bypass re-authentication, you could try the following:
1. Remove the `max_age` parameter from your `/oauth2/auth` request if you don't need to enforce a specific maximum authentication age.
2. If you need to keep `max_age`, try using a larger value that aligns with your session duration (72 hours in your case).
3. You could also try using the `id_token_hint` parameter in your authorization request. This parameter can help the authorization server identify a previously authenticated user without necessarily requiring re-authentication. Here's how you might use it:

```
/oauth2/auth?response_type=code&client_id=your_client_id&...&id_token_hint=previously_issued_id_token
```

The `id_token_hint` is an ID Token previously issued by Ory OAuth2 and OpenID Connect. If the user identified by the ID Token is logged in or is logged in by the request, then the Authorization Server should return a positive response without requiring re-authentication [ID Token Hint](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#step-1-get-the-users-permission).
Remember, the exact behavior can depend on various factors in your Ory configuration and the specific requirements of your application. If these suggestions don't resolve the issue, you might need to review your entire OAuth2 configuration or contact Ory support for more detailed troubleshooting.

handsome-agency-20541
11/04/2024, 4:34 PM
> you might need to review your entire OAuth2 configuration

I can do an `ory get oauth2-config` dump, screening the project-specific entries. Would you be able to review it?

brief-egg-61061
11/04/2024, 4:34 PM
```shell
ory get oauth2-config --project <project-id> --workspace <workspace-id> --format yaml > oauth2-config.yaml
```

This command will export your OAuth2 configuration in YAML format to a file named `oauth2-config.yaml` [CLI OAuth2 config export](https://www.ory.sh/docs/guides/cli/oauth2-cli#export-configuration-from-ory-network).
Once you have this file, you can share the contents (after removing any sensitive information) and I'd be happy to review it. This will allow me to provide more specific advice based on your actual configuration.
Remember to redact any sensitive information such as client secrets, project IDs, or any other data you consider private before sharing the configuration.
If you prefer not to share the entire configuration, you could also focus on specific parts that might be relevant to the authentication issue, such as the `ttl` settings, `urls`, or any custom configurations you've made.
Let me know when you have the configuration ready, and I'll be glad to take a look and provide further assistance.

handsome-agency-20541
11/04/2024, 4:42 PM
```yaml
clients:
  http:
    disallow_private_ip_ranges: true
dev: true
hsm:
  enabled: false
oauth2:
  client_credentials:
    default_grant_allowed_scope: false
  exclude_not_before_claim: false
  expose_internal_errors: true
  grant:
    jwt:
      iat_optional: false
      jti_optional: false
      max_ttl: 720h0m0s
  hashers:
    algorithm: pbkdf2
    pbkdf2:
      iterations: 10000
  pkce:
    enforced: false
    enforced_for_public_clients: false
  session:
    encrypt_at_rest: true
oidc:
  dynamic_client_registration:
    enabled: false
  subject_identifiers: {}
serve:
  admin:
    cors:
      allow_credentials: true
      allowed_headers:
        - Accept
        - Content-Type
        - Content-Length
        - Accept-Language
        - Content-Language
        - Authorization
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
        - CONNECT
        - HEAD
        - OPTIONS
        - TRACE
      debug: false
      enabled: false
      exposed_headers:
        - Cache-Control
        - Expires
        - Last-Modified
        - Pragma
        - Content-Length
        - Content-Language
        - Content-Type
      max_age: 0
    tls:
      enabled: false
  cookies:
    domain: projectslug.projects.oryapis.com
    names:
      consent_csrf: ory_oauth2_consent_csrf_projectslug
      login_csrf: ory_oauth2_login_csrf_projectslug
      session_csrf: ory_oauth2_session_csrf_projectslug
    same_site_legacy_workaround: false
    same_site_mode: Lax
    secure: true
  public:
    cors:
      allow_credentials: true
      allowed_headers:
        - Accept
        - Content-Type
        - Content-Length
        - Accept-Language
        - Content-Language
        - Authorization
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
        - CONNECT
        - HEAD
        - OPTIONS
        - TRACE
      debug: false
      enabled: false
      exposed_headers:
        - Cache-Control
        - Expires
        - Last-Modified
        - Pragma
        - Content-Length
        - Content-Language
        - Content-Type
      max_age: 0
    tls:
      enabled: false
  tls:
    enabled: false
strategies:
  access_token: opaque
  jwt: {}
  scope: wildcard
ttl:
  access_token: 2h0m0s
  auth_code: 30m0s
  id_token: 1h0m0s
  login_consent_request: 30m0s
  refresh_token: 720h0m0s
urls:
  consent: /ui/consent
  error: /ui/error
  login: /ui/login
  logout: /ui/logout
  post_logout_redirect: /oauth2/fallbacks/logout/callback
  registration: /ui/registration
  self:
    admin: https://projectslug.projects.oryapis.com/admin
    issuer: https://projectslug.projects.oryapis.com
    public: https://projectslug.projects.oryapis.com
webfinger:
  jwks: {}
  oidc_discovery:
    auth_url: https://projectslug.projects.oryapis.com/oauth2/auth
    jwks_url: https://projectslug.projects.oryapis.com/.well-known/jwks.json
    token_url: https://projectslug.projects.oryapis.com/oauth2/token
    userinfo_url: https://projectslug.projects.oryapis.com/userinfo
```

brief-egg-61061
11/04/2024, 4:43 PM
```yaml
ttl:
  access_token: 2h0m0s
  auth_code: 30m0s
  id_token: 1h0m0s
  login_consent_request: 30m0s
  refresh_token: 720h0m0s
```

These settings seem appropriate and shouldn't cause frequent re-authentication [Configure token expiration time](https://www.ory.sh/docs/hydra/guides/client-token-expiration).
2. PKCE (Proof Key for Code Exchange):

```yaml
pkce:
  enforced: false
  enforced_for_public_clients: false
```

PKCE is not enforced, which is fine for your use case but doesn't explain the re-authentication issue.
3. Cookies:

```yaml
serve:
  cookies:
    domain: projectslug.projects.oryapis.com
    same_site_mode: Lax
    secure: true
```

Your cookie settings look correct, using the appropriate domain and security settings.
4. URLs:

```yaml
urls:
  login: /ui/login
  consent: /ui/consent
```

These are the default UI endpoints for login and consent.
Based on this configuration, there doesn't seem to be any obvious setting that would cause constant re-authentication. However, here are a few suggestions:
1. Check the `prompt` parameter: Ensure you're not accidentally including `prompt=login` in your `/oauth2/auth` requests, as this would force re-authentication [OAuth2 authorization code flow](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#step-1-get-the-users-permission).
2. Verify client settings: The configuration you provided is the global OAuth2 settings. Check the specific settings for your OAuth2 client, especially the `token_endpoint_auth_method` and allowed grant types.
3. Monitor token issuance: Use the Ory CLI or API to check if new tokens are being issued each time or if the same tokens are being reused.
4. Check for any custom login or consent handlers: If you've implemented custom login or consent handlers, ensure they're not inadvertently triggering re-authentication.
If the issue persists after verifying these points, it might be worth enabling debug logging or contacting Ory support for more in-depth troubleshooting, as the configuration itself doesn't reveal any obvious causes for your re-authentication problem.

handsome-agency-20541
11/05/2024, 11:57 AM
> 1. Check the `prompt` parameter:

Confirmed, I don’t have an explicit `prompt` parameter in the auth query.

> 2. Verify client settings:

Here it is (redacted a bit). Disregard `skip_consent: false`, it does not affect the result.

```yaml
client_id: UUID
client_name: no-auto-consent local test
client_secret_expires_at: 0
client_uri: ""
created_at: 2024-11-04T14:32:48Z
grant_types:
  - refresh_token
  - authorization_code
jwks: {}
logo_uri: ""
metadata: {}
owner: ""
policy_uri: ""
redirect_uris:
  - https://some-host/oidc/callback
response_types:
  - code
scope: openid offline_access email profile
skip_consent: false
skip_logout_consent: false
subject_type: public
token_endpoint_auth_method: client_secret_basic
tos_uri: ""
updated_at: 2024-11-04T14:32:47.600387Z
userinfo_signed_response_alg: none
AdditionalProperties: {}
```

> 3. Monitor token issuance:

Clarify this bit, please.

> 4. Check for any custom login or consent handlers:

I don’t have any custom handlers.

brief-egg-61061
11/05/2024, 11:58 AM
`prompt` parameter: Good, that's not the issue then.
2. Client settings: The client configuration you've shared looks correct for your use case. The `grant_types` and `response_types` are appropriate for the authorization code flow you're using.
3. Monitoring token issuance: To clarify this point, we want to check if new tokens are being issued each time you make a request or if the same tokens are being reused. You can do this by:
a. Using the Ory CLI to list OAuth2 consent sessions:

```shell
ory list oauth2-consent-sessions --project <your-project-id>
```

[List OAuth2 consent sessions](https://www.ory.sh/docs/guides/cli/oauth2-cli#list-oauth2-consent-sessions)
b. Or, you can use the Ory API to get information about a specific OAuth2 consent session:

```
GET /admin/oauth2/auth/sessions/consent?subject=<user-id>
```

[Get OAuth2 consent session](https://www.ory.sh/docs/reference/api#operation/getOAuth2ConsentSessions)
By monitoring these, you can see if new consent sessions (and thus new tokens) are being created for each authentication attempt.
4. Custom handlers: Good, that eliminates another potential source of the issue.
Given this information, let's consider a few more possibilities:
1. Session handling: Are you properly storing and reusing the session token (usually stored in a cookie) between requests? If the session is not being maintained, it could lead to repeated authentication prompts.
2. ID Token handling: Are you using the `id_token_hint` parameter in your authorization requests? This can help reduce re-authentication prompts:

```
/oauth2/auth?response_type=code&client_id=your_client_id&...&id_token_hint=previously_issued_id_token
```

[ID Token Hint](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#step-1-get-the-users-permission)
3. Check the Ory logs: You can use the Ory CLI to fetch logs, which might provide more insight into what's happening during the authentication process:

```shell
ory get log-stream --project <your-project-id>
```

[Get log stream](https://www.ory.sh/docs/guides/cli/log-cli#get-log-stream)
4. Verify the `max_age` parameter: If you're still using the `max_age` parameter, ensure it's set to a value that aligns with your expected session duration.
If after checking these points you're still experiencing issues, it might be helpful to capture the full HTTP request and response cycle (headers and body) for a few authentication attempts. This could reveal any unexpected behaviors or parameters that are causing the re-authentication prompts. Remember to redact any sensitive information before sharing.

handsome-agency-20541
11/05/2024, 12:08 PM
> 1. Session handling: Are you properly storing and reusing the session token (usually stored in a cookie) between requests?

That’s the thing, I’m not talking about storing sessions on my end. I’m talking about Ory Network knowing a user session (as seen in the “You are using: <some login>” section in the login page), but still asking to re-authenticate. To put it differently – I expect to get a single-sign-on user experience, where, once a user has logged in, they can use OIDC multiple times, and from different OIDC clients if needed, without having to re-authenticate every time.

brief-egg-61061
11/05/2024, 12:09 PM
```yaml
selfservice:
  flows:
    settings:
      privileged_session_max_age: 15m
```

Try increasing this value if it's set too low [Privileged sessions configuration](https://www.ory.sh/docs/kratos/session-management/session-lifespan#configuration).
3. OAuth2 Client Configuration: Ensure that your OAuth2 clients are configured to use the same Ory project for authentication. This should be the case if you're using the same project slug for all clients.
4. Consent Skipping: For a seamless SSO experience, you might want to enable consent skipping for your trusted clients. This can be done in the Ory Console or when creating the OAuth2 client [Skipping consent for trusted clients](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#skipping-consent-for-trusted-clients).
5. Browser Behavior: Ensure that your browser isn't blocking or clearing cookies from the Ory domain between requests.
If you've verified all these points and are still experiencing issues, it might be worth contacting Ory support directly. They would have access to more detailed logs and configuration details specific to your project, which could help identify any underlying issues preventing the expected SSO behavior.

handsome-agency-20541
11/05/2024, 12:21 PM
`/oauth2/auth?response_type=code` without any parameters that force re-authentication, yet Ory Network presents me with the “Confirm it’s you” UI, while I expect a single-sign-on user experience – logging in just once in a reasonable timespan.

handsome-agency-20541
11/05/2024, 5:09 PM
`home_region: eu-central`, but I had an older `ory` CLI version yesterday 🤷
Will attach the diff to the thread just in case someone decides to take a look. IDs are redacted, but I can provide those if needed.